Forum Discussion
post body data parameters-f5 asm
Hi,
I was deploying F5 ASM for an Oracle ERP application. In one of the URLs, I see the below:
/OA_HTML/RF.jsp ->

POST /OA_HTML/RF.jsp?function_id=ATTACHREST&security_group_id=0&isReadOnlyCustomPopup=Y HTTP/1.1
Accept: /
OAFunc: FND_DIALOG_PAGE
Content-Type: application/xml
Referer: ..
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: xxxxx
Content-Length: 374
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: oracle.uix=0^^GMT+3:00^p; BIGipServerAstad_EBS_New_Production.app~Astad_EBS_New_Production_pool=285673482.18975.0000; treemenu1=none open; TS0138831c=01a978a1118e5f142c8bdedb210759f1efd1cbb0e7858f7defc2b66744ee059917758af593252e6894b3d7d77ccecbdf6b0b1d8714d82627e6751b69c4203d9c2a3a03ebce; JSESSIONID=sKBjhfTGJx2vgPgChKLf0NRg4QS6MKD1nzrbn2vTRB6sFZHstT59!-1288392341; SEN=PxNOVkXYr6XhV5sczV6xUMxBEs; TS01e2cc2e=01a978a11159660c4ab4659f98b13ba4e89cb6d882858f7defc2b66744ee059917758af5936cc77f9eb059c70455c2863c6aecfab53595c2cdd64bf1594b170cc87d60a700
X-Forwarded-For: yyyy

oracle.apps.ap.invoice.request.negotiation.server.NegotiationAMgetListOfFilesAttachment::Attach_0_::ATTACH_/oracle/apps/ap/invoice/request/negotiation/webui/InvPoReqNegoPG.Attachment::yy.xx::516040::true::true::true::true::ATTACHMENT_LINK_06N
F5 ASM detects the whole as a parameter and detects the param tag vulnerability. I am cross checking with the application as well. But there are many param tags in several other POST body data. How do I add an exception for this and other tags for this URL, and remove this attack signature from blocking? The param fields differ for other sessions and other tabs, but I believe the URL is the same. Do you think I add a wildcard parameter for this URL and remove the attack signature inspection for that?
8 Replies
- kolom
Altostratus
Hello draco, can you post a snapshot for the same from the event log?
- draco
Nimbostratus
Hi Kolom
here
- kolom
Altostratus
Hi draco,
This attack signature is currently in staging, which means that ASM will never block a request matching this signature ID until you enforce it out of staging. So you can keep it this way if it's causing a lot of false positives to your application, or you can enforce it globally and disable this signature ID at the URL level.
- draco
Nimbostratus
Yeah, I know it's not in blocking... haven't put it yet... need to fine-tune. I am getting a lot of false positives with regard to this... I am not sure about doing an exception globally... wanted to know if there is a way to do it for this particular URL entry... wanted to know if F5 detecting the entire POST body data as a parameter is correct or not... if not, how do I rectify it and make F5 look into the params field resplist and homepage?
- kolom
Altostratus
You will not have control over how F5 will parse the content of a specific request. If this behavior is under a specific URL, you can disable it under this URL by defining this URL in the allowed URL list, defining a wildcard parameter, and disabling the mentioned signature ID for that parameter. If not, keep it disabled globally, or you can use an iRule to unblock a request being blocked as it matches this specific signature ID.
- Simon_Blakely
Employee
The Content-Type of that request is application/xml
Add an explicit URL
Select Advanced
Set a Header-Based Content-Profile for application/xml with a default XML profile and see if that resolves the issue.
- draco_184361
Nimbostratus
Yes kolom... I'll do that as a last resort... thank you for your prompt response.
- samstep
Cirrocumulus
Signature ID: 200001411 only produces false positives and can be safely disabled in my opinion - it is looking for
text. ASM is known to contain such strange signatures from early 2000s Snort signature list which were not very accurate.