XML comment triggers an attack signature

Question

Hello, 
&nbsp;  
&nbsp; Can anyone tell me why a comment in an XML POST is seen as an attack? 
&nbsp;  
&nbsp; The only thing I've found so far is the use of comments to help generating the correct checksum on signed content. 
&nbsp;  
&nbsp;  
&nbsp; Here is a sample of the troublesome XML, take out the comment and the problem goes away: 
&nbsp;  
&nbsp;  
&nbsp; 1972-05-01 
&nbsp;  
&nbsp; Employed 
&nbsp;  
&nbsp; M 
&nbsp; false 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; This triggers the attack signature: 
&nbsp;  
&nbsp; Comments (2)  200016001

hoolio · Answer

Hi, 
&nbsp;  
&nbsp; The Comments 2 attack signature is matching on XML/HTML comments as comments could potentially be used to obfuscate attacks.  If your app accepts / requires comments in the XML, you'd want to disable this check either for the entire policy, just one object or a single parameter if the XML is passed in a parameter. 
&nbsp;  
&nbsp; If you'd like more details on the logic for including this signature in the attack sigs, you could open a case with F5 Support. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

XML comment triggers an attack signature

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Not seeing the latest F5OS-A when running Journeys

Related Content

To Comment or Not to Comment?

November Security Research Update: Newly Released Attack Signatures

Getting Started with iRules: Logging & Comments

NGINX App Protect v5 Signature Notifications

Trigger js challenge/Captcha for ip reputation/ip intelligence categories

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS