Forum Discussion

Nishal_Rai's avatar
Nishal_Rai
Icon for Cirrocumulus rankCirrocumulus
Feb 26, 2024

Mitigating Stored XSS Attacks with F5 Big-IP ASM: Insights Needed

Hello Everyone,
 
Could someone provide insights into how F5 Big-IP ASM handles stored XSS attacks? 
 
My understanding is that ASM primarily focuses on inspecting and enforcing XSS signature sets on incoming requests. However, stored XSS attacks involve legitimate requests but malicious scripts embedded in server responses. 


 
While attempting to enforce ASM's XSS signature set on server responses seems impractical, I'm curious if ASM has the capability to analyze and mitigate XSS vulnerabilities within server responses. 
 
 
Can anyone shed light on this aspect of F5 ASM's functionality?"

9 Replies

  • you use dvwa as example so i presume that it was not production environment.

    if the situation happens in production, i suggest fix the root causes with the help of ASM log:
    a. enable response filtering in ASM and enable log of it.
    b. use the ASM log to help app developer pinpoint the root source in application DB and clean it.

    • Nishal_Rai's avatar
      Nishal_Rai
      Icon for Cirrocumulus rankCirrocumulus

      Hi zamroni777 

      Thanks for the idea and yes it is not in production environment. I am just trying to create hypothetical environment, where we somehow missed to address the stored XSS attack on the existing service and latter implemented f5 waf. 
      And regarding the response logging filtering, if the f5 asm cannot detect the payload in the response via the available signature sets then those logs will not be (blocked/illegal) flagged depending on the security enforcement mode and we would end up in the same position of being unknown about the existing stored XSS attack in the service.

       

  • Hi Daniel & Amine,

    Actually, I've been testing stored XSS payloads on DVWA, bypassing F5 ASM, and requesting via F5 AWAF. Like trying to create a scenario when the client is unaware that there application has been affected by the stored xss payload. 

    Wondering if F5 ASM can detect and block responses containing these payloads from affected servers. Any insights?

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP

      Just had the time to look into this. Only found one signature that is tagged XSS and is applied to responses.

      You might miss a stored XSS.

       

    • Amine_Kadimi's avatar
      Amine_Kadimi
      Icon for MVP rankMVP

      I suggest you enable signature enforcement for server responses. In a lab environment it should be OK but in production it might impact the performance of the app

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP

        Yes, that's what I said. Signatures can be enforced also on responses.

  • Hi,

     

    If it is stored XSS, then it probably got stored previously following a bad request from an attacker, this request should have been blocked. If an attacker can bypass ASM to send the malicious payload, then it might be a bad signatures configuration. Can you provide more details on the scenario if I'm wrong?

  • Hi Nishal_Rai,

    ASM compares the request or response against the attack signatures associated with your security policy. If a matching pattern is detected, ASM triggers an Attack signature detected violation, and either alarms or blocks based on the enforcement mode of your security policy.
    See here: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-attack-and-bot-signatures-14-1-0/assigning-attack-signatures-to-security-policies.html

    I don't have DVWA running atm to test your case, but I'm confident this will work.

    KR
    Daniel