Forum Discussion

MattAlex1's avatar
MattAlex1
Icon for Altocumulus rankAltocumulus
Nov 08, 2024

HTML Code injection Not detected by ASM

There was PT conducted on our application and was reported to be HTML injection vulnerable.

URL used for evidence of exploitation is:

https://abc.com/SimpleSamples812/ChatWidget/ChatPanel.aspx?BackgroundColor=%00black%22%3e;%3c+img+scr+=x+;onerror+:+alert,1

ASM have neither triggered 'onerror' attack signatures which are enforced nor did trigger any meta character violations.

Isn't ASM capable of detecting attack in this pattern?

Please suggest.

application delivery
security
  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Nov 08, 2024

    I can confirm this is blocked by F5. %00 generates a http compliance failed (null in request) violation. Meta characters also generate an illegal metacharacter in value violation. Check your policy settings and enforcement.