
ASM and OPSWAT Metadefender Blank Page after file upload

rmoss25
Altostratus

Hi,

I am trying to integrate F5 ASM WAF with OPSWAT MetaDefender, but when I try to upload an EICAR file the browser just shows a blank white page. I am using a default security policy in blocking mode and have configured the settings according to the F5 BIG-IP ASM (WAF) OPSWAT guide.

  • I have configured the ICAP server under Security > Options > Application Security > Integrated Services > Anti-Virus Protection.
  • I have configured the antivirus block settings under Security > Application Security > Policy Building > Learning and Blocking Settings > Advanced Configuration.
  • I have enabled antivirus scanning for HTTP file uploads and SOAP attachments under Security > Application Security > Integrated Services > Anti-Virus Protection.

 

When I try to upload the test file I get a blank browser page, and if I check the source code in the browser I see the following:

 

```html
window["bobcmn"] = "101110101010102000000022ffffffff2ffffffff20000000220156c0ea200000000200000000200000000300000044multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBounda300000000300000000300000000300000000300000007httpsc3000000b008a59e5661ab20000adb568196d38950bf7928e988d64266cafbda4956605335d523cb0c44e211db089aede8158b2800a5d271c7e2a6f9d94d8c4ad7cd49022d5f72b236f5ca5943b07c111a9484727f3b29e542d2d2302b300000002TS300000165%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz Content%2dDisposition%3a%20form%2ddata%3b%20name%3d%22filename%22%3b%20filename%3d%22eicar.com%22 Content%2dType%3a%20application%2foctet%2dstream X5O!P%25@AP[4%5cPZX54(P%5e)7CC)7}%24EICAR%2dSTANDARD%2dANTIVIRUS%2dTEST%2dFILE!%24H%2bH%2a %2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz%2d%2d 200000000";

</script> </APM_DO_NOT_TOUCH> <script type="text/javascript" src="/TSbd/08a59e5661ab2000a21cb91986bc897b6b354965ec350caba4c8ca55a7b089798844a4727e8dc553?type=5"></script><noscript>Please enable JavaScript to view the page content.<br/>Your support ID is: 8648386876400468880.</noscript> </head><body> </body></html>
```

 

Is there something in the ASM policy that needs to be changed?

 

11 REPLIES

websec
Nimbostratus

I have the exact same issue, except we're not using Metadefender but a different scanning engine.

A 'virus found' should result in a response page I have configured with a 500 status code with the supportid embedded in json, but instead I get a 200 with this html page and javascript.

Running v15.1.1

Ivan_Chernenkii
F5 Employee

Hello,

 

What client do you use to send the request?

Do you configure any other protection on your VS except anti-virus protection?

According to the data in the blocking response page ("Please enable JavaScript to view the page content") it seems like you send the request from a client which doesn't support JS, while according to your configuration (maybe you have a Bot profile) it must have it.

Most probably this issue is not related to anti-virus protection by itself.

What violations (blocking reasons) do you get in the request log?

 

Thanks, Ivan

websec
Nimbostratus
Nimbostratus

We have a basic web page that allows attaching a file upload; eicar.txt is used in our case. This is posted as multipart.

Behaviour is consistent across different browsers: both Chrome and Edge show the same result. Both have JavaScript enabled in the settings.

There are no additional protections active on the VS: DoS protection and Bot Defense are disabled.

The only violation that is shown is 'Virus found'.

Ivan_Chernenkii
F5 Employee

Ok, got it. Several more questions to localize the problem:

  1. What version of BIG-IP do you use?
  2. What details are shown for the "Virus found" violation?
  3. Do you send it as a regular POST request or as an AJAX request?
  4. Do you configure any Device ID functionality like Brute Force, Session Awareness, Web Scraping?

Thanks, Ivan

websec
Nimbostratus

To answer your questions:

  1. v15.1.1
  2. See image
  3. It's an AJAX request. Here is the full post:

```powershell
# Multipart POST reproduced in PowerShell, reassembled onto readable lines
# with the boundary and the CRLF line terminator factored out.
$boundary = "----WebKitFormBoundaryhaOvsgi1vu8EAy5L"
$CRLF = "`r`n"

# Part 1: the form metadata as JSON. Part 2: the eicar.txt upload; its body
# is empty as captured (blank line after the part headers, then the closer).
$body = "--$boundary$CRLF" +
    "Content-Disposition: form-data; name=`"data`"$CRLF$CRLF" +
    '{"Title":"upload_test","Token":"f09e16fb-bde7-4d0f-9e91-004830b6c697","FutureVersion":false,"LastUpdate":"a7d659b8-6ce3-4223-abf8-2879a7290648","Trigger":"1_b_Verder","FormInput":[{"Key":"rResultCode","Soort":"tekst"},{"Key":"rMeldingenCode","Soort":"tekst"},{"Key":"rMeldingen","Soort":"tekst"},{"Key":"1_v_file","Soort":"file_upload","Waarde":"eicar.txt"}]}' + $CRLF +
    "--$boundary$CRLF" +
    "Content-Disposition: form-data; name=`"eicar.txt`"; filename=`"eicar.txt`"$CRLF" +
    "Content-Type: text/plain$CRLF$CRLF" +
    $CRLF +
    "--$boundary--$CRLF"

Invoke-WebRequest -Uri "https://www.website.com/api/fdf/form/posttask" `
    -Method "POST" `
    -Headers @{
        "Accept"           = "application/json, text/javascript, */*; q=0.01"
        "X-DIF-APIKEY"     = "101D9BEF-F159-4470-BB9C-D6C30AC12F77"
        "X-Requested-With" = "XMLHttpRequest"
        "X-DIF-CAT"        = "asrnl"
        "User-Agent"       = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
        "Origin"           = "https://www.website.com"
        "Sec-Fetch-Site"   = "same-origin"
        "Sec-Fetch-Mode"   = "cors"
        "Sec-Fetch-Dest"   = "empty"
        "Referer"          = "https://www.website.com/uploadtest"
        "Accept-Encoding"  = "gzip, deflate, br"
        "Accept-Language"  = "en-US,en;q=0.9,nl;q=0.8"
        "Cookie"           = "CID=AgAAADeLJKEDWTAfH9/3824Y1hU=; _vwo_uuid_v2=D79FABC26D88B00181DA273DE0FA01732|a3af3f7fde6cd39080de5466a00b3dcc; _ga=GA1.2.239643387.1565878568; _vwo_uuid=D50512767714774C8FD6FFC6562EDC54B; adblockerconsent=accept; __utma=129357340.239643387.1565878568.1608811504.1608811504.1; __utmz=129357340.1608811504.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookieconsent=accept; _gid=GA1.2.274112240.1613403340; ASP.NET_SessionId=hwmx0noyheme4rnswzv50id3; nl__api_fdf=rd4o00000000000000000000ffff0a91c064o80; TS010f430c=0153897e825a2d8b6291176f68b75aaf38f80657ede5e3f6bbe9bfa8fd9958326c5f9a67b53a459b1d313fcf0918ec81b2d7b973a4d223de578505ef34c9804e8b7e3ecb06; SC_ANALYTICS_GLOBAL_COOKIE=4f642f1b13ce4ac297873cf1930adca6|True; TS01a8b93c=0153897e82b55b18155e0864755a38a87583565c16b4de3683dc0af8c9810f6079d6fb77930892c6e373d5a82a42a6c3f98f6624de646aeaf24c2d498d24ffa27ce04ecc2c8f60ac56b421840003788a267e11d7ff; TS01931511=0153897e820cbfb068962d6c813f63d0f743dcabce96abc4bc18a75c5a18fad5d4c0149dc659de8455dc119c5a859f6baf598bc370ae8bddfb942aa7b3f7620b9f3f75a56a; OPTOUTMULTI=0:0|c1:1|c4:1; utag_main=v_id:016c95a2c1590021a53a8afa54900306d003606500c48`$_sn:36`$_se:67`$_ss:0`$_st:1613563167708`$dc_visit:14`$recommender_test:1`$ses_id:1613559424231%3Bexp-session`$_pn:16%3Bexp-session"
    } `
    -ContentType "multipart/form-data; boundary=$boundary" `
    -Body ([System.Text.Encoding]::UTF8.GetBytes($body))
```

 

  4. No Brute Force or Session Awareness. Web Scraping was renamed to Bot Defense after v14; we also do not use that.

 

thx

Ivan_Chernenkii
F5 Employee

Thanks for the info.

Do you have a single-page application?

If YES, then you need to enable the single_page_application system variable on the "Security ›› Options : Application Security : Advanced Configuration : System Variables" page.

Also, most probably, you need to enable Ajax Blocking Behavior in the Blocking Response Pages configuration.

Can you try it?

 

Thanks, Ivan

websec
Nimbostratus

I think using eicar has raised some flags at our security department. Now my local virusscanner kicks in immediately when I save my testfile, where I had 30 secs before. I'll get back asap when I've found a way to continue testing.

websec
Nimbostratus

Hi Ivan,

After making the changes you suggested we have tested again, unfortunately without any change in behaviour.

To clarify some more: we don't want a popup to appear; we want the Blocking Page Default with our custom response body (in JSON format) to be returned instead of the HTML/script code that is presented, so that the web page can act on that JSON.

Ivan_Chernenkii
F5 Employee

Do you still see "TSbd/xxxx?type=5" in your blocking page?

In general, in v15.1.1, it means that "client side challenge" functionality is enabled in one of the features in your policy and the appropriate client side challenge cannot be resolved by the client; that is why you see a white page.

 

Do you see name of detected virus in violation details of "Virus detected" violation?

 

Thanks, Ivan

websec
Nimbostratus

We do indeed see "TSbd/xxxx?type=5" in our response.

The description of the Virus detected is "posttask/upload.txt EICAR Test String 11101 0"

Your suggestion that it has something to do with client side challenge functionality led us to this article:

https://support.f5.com/csp/article/K52300750

This looks very much like the behaviour we are experiencing. Could this be our problem?

Yes, I think you are right. It looks exactly like problem, which you have.
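The check a practitioner would want on the client side of this thread, added here as an example that is not part of the discussion and not code from F5 or OPSWAT: a classifier that tells the ASM client-side challenge page (HTTP 200, text/html, `window["bobcmn"]`, a `/TSbd/...?type=5` script and the `<noscript>` support ID, all visible in the page source quoted at the top of the thread) apart from the JSON blocking page the SPA was expecting. The JSON layout `{"supportId": ...}` is an assumption standing in for whatever custom response body the policy is configured with, and the sample responses are constructed (shortened hashes, a harmless file body in place of the EICAR string).

```javascript
// Added example, not from the thread, F5 or OPSWAT. Classifies a response from
// a BIG-IP ASM virtual server so an AJAX client can recognise a client-side
// challenge page even though it arrives with a 200 status.

// Markers taken from the page source quoted in the thread.
const CHALLENGE_MARKERS = [
  /window\["bobcmn"\]\s*=\s*"/,
  /<script[^>]*\ssrc="\/TSbd\/[0-9a-f]+\?type=\d+"/,
  /Please enable JavaScript to view the page content/,
];

// Decode %XX escapes one at a time; decodeURIComponent() throws on a stray
// '%' and the bobcmn blob is not guaranteed to be well-formed UTF-8.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16))
  );
}

// The support ID is the value to look up in the ASM request log.
function extractSupportId(html) {
  const m = html.match(/support ID is:\s*(\d+)/i);
  return m ? m[1] : null;
}

// The bobcmn blob carries the original request (content type and body,
// percent-encoded) so the challenge script can replay it once the challenge
// is solved. Report whether the blocked upload was echoed and under what name.
function extractReplayedUpload(html) {
  const m = html.match(/window\["bobcmn"\]\s*=\s*"([^"]*)"/);
  if (!m) return null;
  const decoded = percentDecode(m[1]);
  const fn = decoded.match(/filename="([^"]+)"/);
  return {
    filename: fn ? fn[1] : null,
    echoesRequestBody: decoded.includes("Content-Disposition: form-data"),
  };
}

// status/contentType/body are what an XHR or fetch() wrapper already has.
function classifyAsmResponse({ status, contentType = "", body = "" }) {
  const ct = contentType.toLowerCase();
  if (ct.includes("text/html") && CHALLENGE_MARKERS.every((re) => re.test(body))) {
    return {
      kind: "client-side-challenge",
      status,
      supportId: extractSupportId(body),
      replayed: extractReplayedUpload(body),
    };
  }
  if (ct.includes("application/json")) {
    try {
      const json = JSON.parse(body);
      // ASSUMPTION: the custom blocking page puts the support ID in "supportId".
      if (json && typeof json === "object" && "supportId" in json) {
        return { kind: "json-block-page", status, supportId: String(json.supportId) };
      }
    } catch (e) {
      // Not JSON after all: treat as an ordinary response.
    }
  }
  return { kind: "passthrough", status };
}

// CONSTRUCTED samples modelled on the quoted page source: shortened hashes,
// the support ID from the post, and a harmless file body instead of EICAR.
const SAMPLE_CHALLENGE = {
  status: 200,
  contentType: "text/html",
  body:
    '<html><head><script type="text/javascript">' +
    'window["bobcmn"] = "1011101010101020000000220156c0ea' +
    'multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBoundaryTEST' +
    '%2d%2d%2d%2d%2d%2dWebKitFormBoundaryTEST Content%2dDisposition%3a%20form%2ddata%3b%20' +
    'name%3d%22filename%22%3b%20filename%3d%22upload.txt%22 Content%2dType%3a%20text%2fplain ' +
    'harmless%2dtest%2dcontent %2d%2d%2d%2d%2d%2dWebKitFormBoundaryTEST%2d%2d";' +
    '</script><script type="text/javascript" src="/TSbd/08a59e5661ab2000?type=5"></script>' +
    '<noscript>Please enable JavaScript to view the page content.<br/>' +
    'Your support ID is: 8648386876400468880.</noscript></head><body></body></html>',
};

const SAMPLE_JSON_BLOCK = {
  status: 500,
  contentType: "application/json",
  body: '{"error":"request blocked","supportId":"1234567890123456789"}',
};
```

Run on every response from the upload endpoint, a result of kind `client-side-challenge` with status 200 means ASM stopped the request before it reached the application, and the support ID is what to match against the request log. The `replayed` field also makes a second point visible in the quoted source: the challenge page hands the blocked upload back to the browser (filename, content type and percent-encoded body inside `window["bobcmn"]`) so that its script can resubmit it, which is why the EICAR string appears in the page the original poster viewed.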