For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Icon for Nimbostratus rank

Nimbostratus

Jul 10, 2011

XML Attack Signatures

Hi,

I am new to this forum and am hoping to get some assistance on XML attack signatures.

We have a standard HTTP POST request that contains an XML message in the body.

The content type is set as application/xml; charset="utf-8".

The attack signature "xml tag (Parameter)" is being triggered on the following XML prolog:

xml version="1.0" encoding="UTF-8" (The opening/closing angle brackets and question mark are omitted)

This looks like pretty standard XML to me. Anyone help with why this is being triggered?

Do I need to specify an XML profile for the URL?

Any help would be greatly appreciated.

Ken

2 Replies

hoolio
Cirrostratus
Jul 10, 2011
Hi Ken,

That attack signature matched any XML tag. You could either disable that signature or create a custom XML profile and add it for the URI filtering on a content-type of *xml*.

Aaron
Ken_49643
Nimbostratus
Jul 13, 2011
Thanks Aaron.

I had assumed that since the content type was specified as application/xml the attack signatures wouldn't match on valid XML.

Ken

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5