Forum Discussion

bc81987, Nimbostratus
May 15, 2024

CWE-20: Improper Input Validation

Good afternoon,

We've recently had a burp suite scan done on our F5 pair. This was the result:

The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
window.location.search and passed to the 'setAttribute()' function of a DOM element.

The results page from the scan included the requests and responses to and from the F5s, so I believe this is not a false positive. I am wondering if there is a fix for this through an update? Currently, we're running "BIG-IP v15.1.10.3 (Build 0.0.12)".
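To make the scanner's finding concrete for anyone triaging it, here is an added, constructed illustration (not F5 code and not taken from the thread) of the pattern Burp describes, query-string data flowing into `setAttribute()`, next to a hardened form that validates the value first. A small fake element stands in for the DOM node so it runs in Node without a browser; the parameter name `next` and the hosts are assumptions.

```javascript
// Minimal stand-in for a DOM element's attribute bag (constructed for this example).
function makeElement(tag) {
  const attrs = new Map();
  return {
    tag,
    setAttribute: (name, value) => attrs.set(name, String(value)),
    getAttribute: (name) => (attrs.has(name) ? attrs.get(name) : null),
  };
}

// The shape the finding describes: a value read from the query string
// (window.location.search in a browser) is written straight into an attribute.
// Whatever the caller put in 'next' lands in href unchanged.
function unsafeApplyParam(search, element) {
  const params = new URLSearchParams(search);
  const next = params.get("next");
  if (next !== null) element.setAttribute("href", next);
  return element.getAttribute("href");
}

// Accept only a single-slash relative path with a conservative character set.
// Rejects absolute URLs, scheme-bearing values, protocol-relative "//host",
// percent-encoding and control characters; anything unexpected is refused.
function isSafeRelativePath(value) {
  if (typeof value !== "string") return false;
  return /^\/(?!\/)[A-Za-z0-9._~\/?=&#-]*$/.test(value);
}

// Hardened form: validate before the value reaches the DOM. Values that fail
// the allowlist fall back to a fixed default instead of being written through.
function safeApplyParam(search, element, fallback = "/") {
  const params = new URLSearchParams(search);
  const next = params.get("next");
  element.setAttribute("href", isSafeRelativePath(next) ? next : fallback);
  return element.getAttribute("href");
}
```

A scanner sees only the data flow, so the validation step is what distinguishes a real finding from the helper the reply below calls non-exploitable; confirm which of the two shapes the flagged page actually matches.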

  • Thanks for the question. Was there a URL associated with this error report? Are you using APM? Did you provide the scanner logon credentials so it could authenticate to the admin GUI or APM end-user logon page?

    I do see a helper function that's used in the APM end-user logon page, decision box page, and endpoint-inspector status page that might trigger this alert, but it doesn't seem to be used in a way that's exploitable.

    Vulnerability reports can be concerning. If you'd like a faster or tracked response on this question, get as many details as you can and please feel free to open a support ticket:
    https://my.f5.com/manage/s/article/K2633

    • bc81987, Nimbostratus

      Yes, there is a URL and we're using APM. Scanner has logon credentials. Everything seems to be working as intended. The issue is how to resolve this. Will an update from "BIG-IP v15.1.10.3 (Build 0.0.12)" work? If so, what version?

      I have a ticket in with F5, but I haven't heard back from the solution engineer since 5/8. I'll reach out again.

      • boneyard, MVP

        Did you hear something from F5 support?

        Without exact details it is going to be difficult to say something here.