Forum Discussion
Help with ASM URL wildcard syntax
Hello Jonathan_c, aren't you using positional parameters in the URL? If this is the case, it is as explained in https://support.f5.com/csp/article/K52644614 or https://support.f5.com/csp/article/K72880030.
Mohamed_Ahmed_Kansoh's suggestions are on the mark, but if you are using positional parameters then see the article I provided, and then you will have more granular control, like using static or dynamic parameters, once F5 decodes the URL and the position of the parameters.
Thanks Nikoolayy1,
I did not use positional parameters before; it is a very useful option to use.
- Nikoolayy1 (MVP), Nov 07, 2022
Yup, after that you can make the parameter static/dynamic or enable/disable attack signatures for it like any other normal parameter. As Jonathan_c's example is a command injection attack, maybe for the URL this is not detected, and if after using positional parameters this is still not blocked, then the attack signatures need to be checked to see if the correct one is present and enforced (not in staging). The command injection signature can be enforced only for the positional parameter if it causes false positives in other places.
- Nov 07, 2022
Nikoolayy1
Yes, as you said, I know that there is an attack signature preventing ping executions.
But sometimes I test injecting code like this in URLs and it is not blocked, though it should be blocked because it matches an attack pattern,
such as this example: "https://shoping.com/index/curl -v 10.20.20.20/items/....."
Curl should be blocked because it matches an attack signature, and I am sure it is enforced.
Whereas when writing this "https://shoping.com/index/<script>/items/....." it is blocked because it matches an XSS signature pattern.
But in any case this request "https://shoping.com/index/curl -v 10.20.20.20/items/....." should be blocked because it violates HTTP protocol compliance.
I think command execution differs from XSS from the attack signature patterns perspective;
I think command execution will be blocked if it gets an output from the backend server.
This is my thought; I will be happy if you correct me.
Thanks Nikoolayy1