Forum Discussion
hatim1
Nimbostratus
Nov 17, 2008
XSS scripting / false positive
Hi all,
My ASM XSS script tag (parameter) signature is falsely triggered due to the following value of a couple of parameters:
initfunc(true,false,'Mandatory Field','Value cannot exceed 9,999,999.99.','ScriptHost.Return(this.Value <= 9999999.99)','','',true,'Numeric Field',1,true,',','$',2,'.').
My question is: is there a way for the web developers to avoid having such a function explicitly detailed at the browser's level?
I can always disable the signature for such parameters but I would rather have the web developers change their code.
Thanks for your help
Hatim
2 Replies
Ido_Breger_3805 (Historic F5 Account)
Hi,
It is probably possible to ask the web developers to change the code; however, we can also try to help you with a better configuration of that parameter on ASM. It may very well be possible to reduce the risk of an XSS condition to a minimum by setting a few limits on the parameter itself, like length and allowed metachars, or even a regexp that describes the allowed value.
Can you send us a few examples of the valid values for this parameter?
hatim1
Nimbostratus
Hi,
Thanks for the quick response.
Actually all the 13 parameters being triggered by this signature have the same value provided in this thread!
It seems to be the only value used by the web developers.
Also, any idea on how the developers would adapt their code to minimize the risk of exposure would be greatly appreciated.
Thanks
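The suggestion in Ido's reply is to describe the one legitimate value with a length limit and an anchored regexp instead of relying on the generic signature. The script below is an added example, not code from the thread or from F5's ASM: it builds such an allow-list from the exact value hatim1 quoted, plus a slightly more general pattern (a hypothetical generalisation that lets the numeric limit vary, which the thread does not mention), and runs both against the known-good value and a few constructed tampered variants so you can confirm the pattern accepts what the application sends and nothing else.

```python
import re

# The value quoted in the thread. Per hatim1's follow-up, all 13 flagged
# parameters carry exactly this value.
KNOWN_GOOD = (
    "initfunc(true,false,'Mandatory Field','Value cannot exceed 9,999,999.99.',"
    "'ScriptHost.Return(this.Value <= 9999999.99)','','',true,'Numeric Field',"
    "1,true,',','$',2,'.')"
)

# Strict allow-list: the exact literal, nothing more. Since only one value
# is ever sent, this is the tightest rule available.
EXACT_RE = re.compile(re.escape(KNOWN_GOOD))

# Hypothetical generalisation (assumption, not from the thread): same call
# shape, but the numeric limit in the message and in the comparison may vary.
NUMERIC_LIMIT = r"[0-9]{1,3}(?:,[0-9]{3})*\.[0-9]{2}"
PATTERN_RE = re.compile(
    r"initfunc\(true,false,'Mandatory Field',"
    r"'Value cannot exceed " + NUMERIC_LIMIT + r"\.',"
    r"'ScriptHost\.Return\(this\.Value <= [0-9]+\.[0-9]{2}\)',"
    r"'','',true,'Numeric Field',1,true,',','\$',2,'\.'\)"
)

# Length limit a little above the legitimate value (168 characters) so a
# payload appended to, or wrapped around, the real value is cut off early.
MAX_LEN = 200


def allowed(value, pattern=PATTERN_RE, max_len=MAX_LEN):
    """Return True only if the value fits the length limit and the whole
    value (anchored, via fullmatch) matches the allow-list pattern."""
    if len(value) > max_len:
        return False
    return pattern.fullmatch(value) is not None


# Constructed test inputs: the legitimate value, a variant with a different
# limit, and three tampered versions of the kind a generic XSS signature
# is meant to catch.
SAMPLES = {
    "known_good": KNOWN_GOOD,
    "other_limit": KNOWN_GOOD.replace("9,999,999.99", "999.99")
                             .replace("9999999.99", "999.99"),
    "script_tag": KNOWN_GOOD.replace(
        "Mandatory Field",
        "Mandatory Field</script><script>alert(1)</script>"),
    "event_handler": KNOWN_GOOD.replace("'$'", "'$' onerror=alert(1) '"),
    "trailing_js": KNOWN_GOOD + ";alert(document.cookie)",
}


def check_all(pattern=PATTERN_RE):
    """Evaluate every sample against the allow-list; returns name -> bool."""
    return {name: allowed(value, pattern) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:14s} {'ALLOW' if ok else 'BLOCK'}")
```

The pattern is an allow-list of what the application sends, so the `<`, `(` and `'` characters that a generic signature treats as suspicious are permitted only in the positions the real `initfunc(...)` call uses them; any change elsewhere in the string is rejected. With `EXACT_RE` the `other_limit` variant is also rejected, which is the right outcome if, as hatim1 reports, the value never changes.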