XML comment triggers an attack signature

Question

Hello, 
&nbsp;  
&nbsp; Can anyone tell me why a comment in an XML POST is seen as an attack? 
&nbsp;  
&nbsp; The only thing I've found so far is the use of comments to help generating the correct checksum on signed content. 
&nbsp;  
&nbsp;  
&nbsp; Here is a sample of the troublesome XML, take out the comment and the problem goes away: 
&nbsp;  
&nbsp;  
&nbsp; 1972-05-01 
&nbsp;  
&nbsp; Employed 
&nbsp;  
&nbsp; M 
&nbsp; false 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; This triggers the attack signature: 
&nbsp;  
&nbsp; Comments (2)  200016001

hoolio · Answer

Hi, 
&nbsp;  
&nbsp; The Comments 2 attack signature is matching on XML/HTML comments as comments could potentially be used to obfuscate attacks.  If your app accepts / requires comments in the XML, you'd want to disable this check either for the entire policy, just one object or a single parameter if the XML is passed in a parameter. 
&nbsp;  
&nbsp; If you'd like more details on the logic for including this signature in the attack sigs, you could open a case with F5 Support. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

XML comment triggers an attack signature

Recent Discussions

Help needed with iRule (connection closed log )

AS3 Limitations

Use of SSL Decryption.

VLAN Failsafe Functionality

FTP PASV mode to Extended Passive mode

Related Content

To Comment or Not to Comment?

Trigger js challenge/Captcha for ip reputation/ip intelligence categories

Getting Started with iRules: Logging & Comments

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

Leveraging Ansible Rulebooks for Streamlined Event Triggers: Advantages and Benefits

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS