For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sathya_Kumar's avatar
Sathya_Kumar
Icon for Altostratus rankAltostratus
Mar 30, 2017

Is F5 ASM has XSSJacking protection

Dear F5 Experts,

 

Is F5 ASM has XSSJacking protection ?

 

References: https://gbhackers.com/new-attack-called-xssjackingdiscovered-that-combined-of-clickjacking-pastejacking-and-self-xss-attacks/ https://github.com/dxa4481/XSSJacking

 

Web application based Attack - "XSSJacking" Combines Clickjacking, Pastejacking, and Self-XSS has been discovered.

 

I see that F5 has Clickjacking protection from F5 11.4, with which I assume F5 is not vulnerable to this. However, I could not find any direct reference for XSSJacking or Pastejacking vulnerability in F5 forums. Looking forward for your inputs..

 

ASM Advanced WAF
security

1 Reply

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Mar 30, 2017

    The name "XSSJacking" has been coined only a few days ago by researcher Dylan Ayrey. The attack is a combination of XSS, ClickJacking and CSRF - all these attacks are mitigated by F5 ASM individually and together.