XML Attack Signatures

Question

Hi,&nbsp;
&nbsp;I am new to this forum and am hoping to get some assistance on XML attack signatures.&nbsp;
&nbsp;We have a standard HTTP POST request that contains an XML message in the body.
&nbsp;The content type is set as application/xml; charset="utf-8".&nbsp;
&nbsp;The attack signature "xml tag (Parameter)" is being triggered on the following XML prolog:&nbsp;
&nbsp;xml version="1.0" encoding="UTF-8"  (The opening/closing angle brackets and question mark are omitted)&nbsp;
&nbsp;This looks like pretty standard XML to me. Anyone help with why this is being triggered?
&nbsp;Do I need to specify an XML profile for the URL?&nbsp;
&nbsp;Any help would be greatly appreciated.&nbsp;
&nbsp;Ken&nbsp;

hooleylist · Answer

Hi Ken, 
&nbsp;  
&nbsp; That attack signature matched any XML tag.  You could either disable that signature or create a custom XML profile and add it for the URI filtering on a content-type of *xml*. 
&nbsp;  
&nbsp; Aaron

ken_49643 · Answer

Thanks Aaron. 
&nbsp;  
&nbsp; I had assumed that since the content type was specified as application/xml the attack signatures wouldn't match on valid XML. 
&nbsp;  
&nbsp; Ken

Forum Discussion

XML Attack Signatures

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

dynamic signature detection

DNS HM Probe issue

F5 looses the token for the first call

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Live Update- ASM attack signatures

Attacks against Domain Specific Languages, EU Cybersecurity Laws, & Supply Chain Attacks

Default Attack Signature Sets

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS