Mitigating Stored XSS Attacks with F5 Big-IP ASM: Insights Needed

Hi Nishal_Rai,

ASM compares the request or response against the attack signatures associated with your security policy. If a matching pattern is detected, ASM triggers an Attack signature detected violation, and either alarms or blocks based on the enforcement mode of your security policy.
See here: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-attack-and-bot-signatures-14-1-0/assigning-attack-signatures-to-security-policies.html

I don't have DVWA running atm to test your case, but I'm confident this will work.

KR
Daniel

Hi,

If it is stored XSS, then it probably got stored previously following a bad request from an attacker, this request should have been blocked. If an attacker can bypass ASM to send the malicious payload, then it might be a bad signatures configuration. Can you provide more details on the scenario if I'm wrong?

Hi Daniel & Amine,

Actually, I've been testing stored XSS payloads on DVWA, bypassing F5 ASM, and requesting via F5 AWAF. Like trying to create a scenario when the client is unaware that there application has been affected by the stored xss payload. 

Wondering if F5 ASM can detect and block responses containing these payloads from affected servers. Any insights?

you use dvwa as example so i presume that it was not production environment.

if the situation happens in production, i suggest fix the root causes with the help of ASM log:
a. enable response filtering in ASM and enable log of it.
b. use the ASM log to help app developer pinpoint the root source in application DB and clean it.