For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ashish_205344's avatar
Ashish_205344
Icon for Nimbostratus rankNimbostratus
Aug 17, 2017

Risk excepting "xml data does not comply with schema or wsdl document"

I have setup a XML Profile and getting some requests blocked due to "xml data does not comply with schema or wsdl document", after analysing the requests if my SOAPAction header is blank the request ...
ASM Advanced WAF
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Aug 23, 2017

Adding exception means that you can miss an attack. If you believe that the culprit is the empty SOAPAction header then it might make sense to remove it with an iRule if it is empty before the request hits the ASM policy.

 

The empty SOAPAction header is a bit of a grey area really coming form a 17-year-old spec dated year 2000 while the HTTP spec from 1999 says that each header must have a value...

 

You may have hit an interesting case, I suggest that you raise a support case with F5 with examples of ASM behaviour you are observing with SOAPAction being empty, having two sets of double-quotes and the action as value.