Forum Discussion
MattAlex1
Altocumulus
1 year ago
HTML Code injection Not detected by ASM
A PT was conducted on our application, and it was reported to be vulnerable to HTML injection.
URL used for evidence of exploitation is:
ASM has neither triggered the 'onerror' attack signatures, which are enforced, nor triggered any meta character violations.
Isn't ASM capable of detecting an attack in this pattern?
Please suggest.
1 Reply
I can confirm this is blocked by F5. %00 generates an HTTP compliance failed (null in request) violation. Meta characters also generate an illegal metacharacter in value violation. Check your policy settings and enforcement.
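An added example, not part of the reply above and not F5 code: one way to carry out the "check your policy settings and enforcement" step is to scan an exported policy for settings that would log or ignore a request instead of blocking it. The policy below is constructed, and its field names are assumed from the declarative JSON policy format, so confirm them against your own export.

```python
import json

# Constructed sample in the shape of a declarative WAF policy export.
# Field names are assumptions; verify them against a real export.
SAMPLE_POLICY = json.loads("""
{"policy": {
  "enforcementMode": "transparent",
  "signature-settings": {"signatureStaging": true},
  "blocking-settings": {
    "violations": [
      {"name": "VIOL_ATTACK_SIGNATURE", "alarm": true, "block": true},
      {"name": "VIOL_HTTP_PROTOCOL", "alarm": true, "block": true},
      {"name": "VIOL_PARAMETER_VALUE_METACHAR", "alarm": true, "block": false}
    ],
    "http-protocols": [{"description": "Null in request", "enabled": false}]
  },
  "parameters": [
    {"name": "*", "type": "wildcard", "checkMetachars": false, "performStaging": true}
  ]
}}
""")

# Violations behind the three detections named in the thread.
NEEDED = ("VIOL_ATTACK_SIGNATURE", "VIOL_HTTP_PROTOCOL", "VIOL_PARAMETER_VALUE_METACHAR")

def enforcement_gaps(doc):
    """Return reasons the policy would log or ignore, rather than block, a request."""
    p = doc["policy"]
    gaps = []
    if p.get("enforcementMode") != "blocking":
        gaps.append("policy enforcement mode is not blocking")
    if p.get("signature-settings", {}).get("signatureStaging"):
        gaps.append("signature staging is enabled")
    bs = p.get("blocking-settings", {})
    by_name = {v["name"]: v for v in bs.get("violations", [])}
    for name in NEEDED:
        if not by_name.get(name, {}).get("block"):
            gaps.append(f"{name} is not set to block")
    for sub in bs.get("http-protocols", []):
        if sub["description"] == "Null in request" and not sub.get("enabled"):
            gaps.append("HTTP compliance sub-check 'Null in request' is disabled")
    for prm in p.get("parameters", []):
        label = f"parameter {prm['name']!r}"
        if prm.get("performStaging"):
            gaps.append(f"{label} is in staging")
        if not prm.get("checkMetachars", True):
            gaps.append(f"{label} skips metacharacter checks")
    return gaps

if __name__ == "__main__":
    print("\n".join(enforcement_gaps(SAMPLE_POLICY)))
```

An empty result means none of these settings explains a missed detection, and the next place to look is the request log entry for the test request.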