F5 is not blocking Cross Site Script attack

Question

Hi, This is a general question for F5 11.2.0 version software around where we go about enabling the Cross Site scripting. Is this being done via the CSRF Protection mechanism. Are we able to enable it on a transparent basis and run for a while to detect attack and then enable blocking ?

carl_brothers · Answer

Please review sol 5903
https://support.f5.com/kb/en-us/solutions/public/5000/900/sol5903.html&nbsp;
The version you are running on is almost out of its last support milestone, EOTS, End of Technical Support.  Also ASM is still using http classes and is vastly improved in the newer versions.&nbsp;

eric_st__john · Answer

Cross site scripting protection is handled with the attack signatures.  You can place the policy into blocking mode and then place the attack signatures into alert only mode, or place the entire policy into transparent. &nbsp;
You will have to make sure that whatever URI, filename, and parameters are learned and enforced if you are tightening the policy. &nbsp;

erik_novak · Answer

Hello Moinul, cross-site scripting (XSS) protection is done by the attack signatures in ASM which detect known character sequences and patterns in the XSS class of attacks. Cross site request forgery (CSRF) is a separate mechanism that relies on an ASM token. If you are testing your system, and XSS attacks are not being blocked, there are a few reasons. One is that the security policy is in transparent mode. In transparent mode, all requests pass, but you can check the "Learn" and "Alarm" flags on the blocking settings screen to ensure you are alerted on specific violations. Another reason is that your attack signatures, or one specific signature, are in staging. Staging gives you time to determine if a triggered attack signature is a false positive before enforcing it (removing it from staging). Another reason is that if an attack signature was triggered on a parameter, and the parameter is in staging, the request still will not be blocked. Make any sense?

mrshaggy_169440 · Answer

Dear All,&nbsp;
I had the same problem like question above. My websites still enable to be attack using XSS, especially using alert() parameter. &nbsp;
For information:&nbsp;
-My security policy has been blocking&nbsp;
-My attack signature staging has been disabled&nbsp;
-My alert() signature also has been enable&nbsp;
-I got some propose parameter policy from Manual Traffic Learning that associate with XSS attack. I already accept it, an parameter has been add to the Security &gt; App Security &gt; Parameter, and no staging for this parameter.&nbsp;
-OS version 11.3.0&nbsp;
-Attack signature v10.2.0, last update 18-01-2011&nbsp;
I know that my attack signature has been very-very old and need to be update, but XSS is a common attack so i think this signature should can be able to block the attack. Anybody can help me about this problem? Does it because the old attack signature? And is there any concern that I had to know if I want to update my signature, in case my signature has been very long time not updated?&nbsp;
Thanks before for the help&nbsp;
Shaggy&nbsp;

gsharri · Answer

Some additional things to check&nbsp;
1. Attack signatures assigned to security policy are set to Block&nbsp;
2. Check that the parameter you accepted is not the policy is NOT set to "ignore value" &nbsp;
3. Check that there are no overridden (disabled) XSS signatures for the parameter  &nbsp;

Forum Discussion

F5 is not blocking Cross Site Script attack

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

The HTTP/2 CONTINUATION frame attack

ESRP Strategies: DNS Water Torture Attack

Passing Arguments to iCall Scripts

Blocking Zero-day WordPress Attacks with F5 Essential App Protect

Block Attack Vectors, Not Attackers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS