For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kohli9harjeev's avatar
kohli9harjeev
Icon for Nimbostratus rankNimbostratus
Mar 30, 2017

Protection of XSSJacking

Hi Guys   New Attack Called “XSSJacking” Discovered That Combined of Clickjacking, Pastejacking and Self-XSS Attacks   Does anyone knows any resolution to this vulnerability using ASM ? Or Prot...
application delivery
ASM Advanced WAF
BIG-IP
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Apr 02, 2017

PasteJacking is a CLIENT-side attack where malicious site tricks the user to copy some text, then the malicious JavaScript code replaces the contents of the copied text in the clipboard with a malicious XSS payloads.The malicious site then ASKs the user to paste it. Because it is a CLIENT-side attack starting on a MALICIOUS site (not protected by ASM) Pastejacking cannot be stopped as it happens in memory of user's BROWSER. However when the user pastes the XSS payload to a legitimate site (protected by ASM) ASM will DETECT the XSS in the input (provided the policy is configured correctly to detect and block XSS).