Jul 10, 2011

XML Attack Signatures




I am new to this forum and am hoping to get some assistance on XML attack signatures.



We have a standard HTTP POST request that contains an XML message in the body.


The content type is set as application/xml; charset="utf-8".



The attack signature "xml tag (Parameter)" is being triggered on the following XML prolog:



xml version="1.0" encoding="UTF-8" (The opening/closing angle brackets and question mark are omitted)



This looks like pretty standard XML to me. Can anyone help with why this is being triggered?


Do I need to specify an XML profile for the URL?



Any help would be greatly appreciated.





  • Hi Ken,



    That attack signature matched any XML tag. You could either disable that signature or create a custom XML profile and add it for the URI filtering on a content-type of *xml*.



  • Thanks Aaron.



    I had assumed that since the content type was specified as application/xml the attack signatures wouldn't match on valid XML.