Forum Discussion
NimbostratusDoes F5 has any feature of anti-tampering web content?
Hi Folks,
I am not sure if any of F5 modules is capable of blocking web content tampering? For example if a hacker injects a piece of malicious JS within a server response? Will F5 has any feature to check the server response and find out that malicious JS, or link pointing to some bad reputation host?
I understand WAF is usually to protect the web server before any nasty things really happen... but irule/iruleLX is always so powerful to resolve many of impossibilities :)
I think what bigip needs to do is to:
- learn the server response
- If any new link/JS found, check its hostname/behavior/md5 to either local db or 3rd party file reputation service, such as virustotal and then got a result
- bigip block/allow the server response based on step2
Thanks for any advice!
samstepCirrocumulus
First of all - how do you think the hackers are going to inject a malicious script into the responses of the Server (which is behind F5 WAF)? Most attacks happen over the web using Cross-Site-Scripting attack (XSS) or SQL injection attack (SQLi). F5 ASM as a WAF can identify and block the malicious script injection attempt as it will be a Request.
There are ways to inject malicious scripts using man-in-the-browser/client-side malware or 3rd-party JavaScript already included in server responses being compromised. In such cases F5 WebSafe module can help.