The OWASP Top 10 - 2017 vs. BIG-IP ASM
With the release of the new 2017 Edition of the OWASP Top 10, we wanted to give a quick rundown of how BIG-IP ASM can mitigate these vulnerabilities.
First, here's how the 2013 edition compares to 2017.
And how BIG-IP ASM mitigates the vulnerabilities.

| # | Vulnerability | BIG-IP ASM Controls |
| --- | --- | --- |
| A1 | Injection Flaws | Attack signatures; Meta character restrictions; Parameter value length restrictions |
| A2 | Broken Authentication and Session Management | Brute Force protection; Credentials Stuffing protection; Login Enforcement; Session tracking; HTTP cookie tampering protection; Session hijacking protection |
| A3 | Sensitive Data Exposure | Data Guard; Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
| A4 | XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE); XML content profile (Disallow DTD) (subset of API protection) |
| A5 | Broken Access Control | File types; Allowed/disallowed URLs; Login Enforcement; Session tracking; Attack signatures (“Directory traversal”) |
| A6 | Security Misconfiguration | Attack Signatures; DAST integration; Allowed Methods; HTML5 Cross-Domain Request Enforcement |
| A7 | Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”); Parameter meta characters; HttpOnly cookie attribute enforcement; Parameter type definitions (such as integer) |
| A8 | Insecure Deserialization | Attack Signatures (“Server Side Code Injection”) |
| A9 | Using components with known vulnerabilities | Attack Signatures; DAST integration |
| A10 | Insufficient Logging and Monitoring | Request/response logging; Attack alarm/block logging; On-device logging and external logging to a SIEM system; Event Correlation |

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:
- 200018018 External entity injection attempt
- 200018030 XML External Entity (XXE) injection attempt (Content)
XXE attacks can also be mitigated by the XML content profile by disabling DTDs (and, of course, enabling the “Malformed XML data” violation).
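As an added illustration (not F5's code and not how ASM implements its XML profile), here is a small Python check that applies the same two rules the profile enforces, disallowing DTDs and flagging malformed XML. It uses expat's declaration callbacks so that a DTD or an external entity is observed and reported but never resolved; the sample request bodies are constructed, and the SYSTEM URI is a placeholder.

```python
import xml.parsers.expat as expat

def inspect_xml(body):
    """Classify an XML request body the way a WAF XML profile would: report
    whether a DTD is present, whether it declares an external entity or an
    external DTD subset, and whether the document is malformed.
    External entities are never fetched, so the inspection itself is safe."""
    findings = {"dtd": False, "external_entity": False, "malformed": False}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["dtd"] = True
        if sysid or pubid:          # DOCTYPE points at an external subset
            findings["external_entity"] = True

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings["dtd"] = True
        if sysid is not None or pubid is not None:  # SYSTEM/PUBLIC entity
            findings["external_entity"] = True

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so expat skips external
    # references instead of retrieving them.
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        findings["malformed"] = True
    return findings

def verdict(findings, allow_dtd=False):
    """Mirror the profile settings: the 'Malformed XML data' violation is
    always on, and DTDs are disallowed unless explicitly permitted."""
    if findings["malformed"] or findings["external_entity"]:
        return "block"
    if findings["dtd"] and not allow_dtd:
        return "block"
    return "allow"

# Constructed sample bodies (not real traffic).
CLEAN = '<order><id>1</id></order>'
INTERNAL_DTD = '<!DOCTYPE note [<!ENTITY co "F5">]><note>&co;</note>'
XXE = ('<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///placeholder">]>'
       '<order><id>&xxe;</id></order>')
MALFORMED = '<order><id>1</order>'

if __name__ == "__main__":
    for name, body in [("clean", CLEAN), ("internal dtd", INTERNAL_DTD),
                       ("xxe", XXE), ("malformed", MALFORMED)]:
        print(f"{name:13s} -> {verdict(inspect_xml(body))} {inspect_xml(body)}")
```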
For “A8:2017-Insecure Deserialization” we have many signatures, whose names usually include “serialization” or “serialized object”, such as:
- 200004188 PHP object serialization injection attempt (Parameter)
- 200003425 Java Base64 serialized object - java/lang/Runtime (Parameter)
- 200004282 Node.js Serialized Object Remote Code Execution (Parameter)
A quick run-down thanks to some of our security folks.