F5 ASM Signature Could Not detect XSS Attack
We detected an XSS attack on our web server, but F5 ASM could not detect it when the eval command is executed.
/AAAA?category=all&text=*/1:eval.call(0,atob(%27YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=%27))})//
/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))%7D)//
/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))})//
- nathe
Cirrocumulus
I note there are 13 attack signatures containing the "eval" string. Do you have them all assigned to your policy and not in Staging mode?
- suttonsc
Employee
Marking this as answered as the issue was raised as an SR with F5 Networks Support and addressed in a subsequent ASU release.
It is recommended to update the Attack Signatures on an ASM/Advanced WAF device when new releases become available, for up-to-date protection and enhancements in detection methods.
From 13.1.0.4 ASM with updated Attack Signatures (Update: v13.1.0/ASM-SignatureFile_20190114_163855):
Detected Keyword: text=*/1:eval.call(0,atob(YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=))})//
Attack Signature
Signature ID: 200001324
Signature Name: eval() (Parameter)
Context: Parameter (detected in Query String)
Parameter Level: Global
Actual Parameter Name: text
Wildcard Parameter Name: *
Parameter Value: */1:eval.call(0,atob(YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=))})//
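The three requests in the question differ only in percent-encoding (%27 for the quote, %7D for the brace), so a check that decodes the query string first sees one identical parameter value. The Python below is an added example for triaging such requests in access logs; it is not part of the thread and not how ASM implements its signatures, and `inspect_request` and both regexes are names and patterns assumed here.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Matches eval( as well as eval.call( / eval.apply(, the form used in the thread.
EVAL_RE = re.compile(r"\beval\s*(?:\.\s*(?:call|apply)\s*)?\(", re.I)
# Captures the argument of atob(), quoted or with the quotes already stripped.
ATOB_RE = re.compile(r"\batob\s*\(\s*['\"]?([A-Za-z0-9+/]+={0,2})['\"]?\s*\)", re.I)


def inspect_request(uri):
    """Return one finding per query parameter that calls eval after decoding."""
    findings = []
    # parse_qsl percent-decodes names and values, so %27 and ' compare equal.
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if not EVAL_RE.search(value):
            continue
        decoded = []
        for blob in ATOB_RE.findall(value):
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                decoded.append(text)
            except ValueError:
                decoded.append(None)  # not valid base64, keep the eval hit anyway
        findings.append({"parameter": name, "value": value, "atob_decoded": decoded})
    return findings


# The three request lines quoted in the original post.
SAMPLES = [
    "/AAAA?category=all&text=*/1:eval.call(0,atob(%27YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=%27))})//",
    "/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))%7D)//",
    "/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))})//",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        for finding in inspect_request(uri):
            print(finding["parameter"], finding["atob_decoded"], finding["value"])
```

Because `parse_qsl` turns a literal `+` into a space, a base64 argument containing `+` would need the raw query string inspected as well.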