The OWASP Top 10 - 2017 vs. BIG-IP ASM

With the release of the new 2017 Edition of the OWASP Top 10, we wanted to give a quick rundown of how BIG-IP ASM can mitigate these vulnerabilities.

First, here's how the 2013 edition compares to 2017.

And how BIG-IP ASM mitigates the vulnerabilities.



BIG-IP ASM Controls


Injection Flaws

Attack signatures

Meta character restrictions

Parameter value length restrictions


Broken Authentication and Session Management

Brute Force protection

Credentials Stuffing protection

Login Enforcement

Session tracking

HTTP cookie tampering protection

Session hijacking protection


Sensitive Data Exposure

Data Guard

Attack signatures (“Predictable Resource Location” and “Information Leakage”)


XML External Entities (XXE)

Attack signatures (“Other Application Attacks” - XXE)

XML content profile (Disallow DTD)

(Subset of API protection)


Broken Access Control

File types

Allowed/disallowed URLs

Login Enforcement

Session tracking

Attack signatures (“Directory traversal”)


Security Misconfiguration

Attack Signatures

DAST integration

Allowed Methods

HTML5 Cross-Domain Request Enforcement


Cross-site Scripting (XSS)

Attack signatures (“Cross Site Scripting (XSS)”)

Parameter meta characters

HttpOnly cookie attribute enforcement

Parameter type definitions (such as integer)


Insecure Deserialization

Attack Signatures (“Server Side Code Injection”)


Using components with known vulnerabilities

Attack Signatures

DAST integration


Insufficient Logging and Monitoring

Request/response logging

Attack alarm/block logging

On-device logging and external logging to SIEM system

Event Correlation


Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt
  • 200018030           XML External Entity (XXE) injection attempt (Content)

Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):

For “A8:2017-Insecure Deserialization” we have many signatures, which usually include the name “serialization” or “serialized object”, like:

  • 200004188           PHP object serialization injection attempt (Parameter)
  • 200003425           Java Base64 serialized object - java/lang/Runtime (Parameter)
  • 200004282           Node.js Serialized Object Remote Code Execution (Parameter)

A quick run-down thanks to some of our security folks.



Published Nov 29, 2017
Version 1.0

Was this article helpful?

No CommentsBe the first to comment