Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

Are you an expert?    Interested in presenting at F5 AppWorld 2024?    Submit a proposal by Nov 29th!

ASM security policy with Atlassian Confluence

Julie
Altostratus
Altostratus

‎20-Aug-2020 10:24

Has anybody configured an Atlassian Confluence server behind an F5 with ASM security? I find that it's getting LOTS of false positives that I'm hesitant to accept, mostly of the SQL injection variety (i.e. seeing the words "group" and "by" in a posted paragraph and assuming it's a "group by having" attempt). The method Confluence uses to post messages also makes ASM think it's trying to execute commands like at, ll, eval, etc. I can't set this site up for extended learning because the majority of the users will be external and can't be considered "trusted".

 

Any thoughts/recommendations?

Labels:
6 REPLIES 6

Simon_Blakely
F5 Employee
F5 Employee

‎23-Aug-2020 17:49

The first thing to check is to make sure that the correct Content Profile is being applied to the POST - usually either an XML or JSON profile. Once you get this right, many of the inappropriate violations get resolved, because ASM is no longer attempting to process XML/JSON as "FormData" (which is the default).

0 Kudos

Julie
Altostratus
Altostratus
In response to Simon_Blakely

‎24-Aug-2020 07:39

I've made sure that the JSON profile is is first in line, but looking more closely at this, I'm seeing that the problematic POST requests are coming in as

 

Content-Type: text/plain

 

with

 

Accept: application/json, text/javascript, */*; q=0.01

 

I'm assuming this explains why it's not parsing properly? Or should it be recognizing the content as JSON automatically?

0 Kudos

Ivan_Chernenkii
F5 Employee
F5 Employee
In response to Julie

‎24-Aug-2020 13:44

Hello Julie,

 

Could you provide example of failed requests and configuration of "Header-Based Content Profiles" of URL in policy, which this request matches?

 

Thanks, Ivan

0 Kudos

Simon_Blakely
F5 Employee
F5 Employee
In response to Julie

‎24-Aug-2020 14:04

You can just apply a JSON profile to a URL, if all the posts to that URL are going to be JSON (without using Header-Based profile selection).

 

Once the data is being interpreted correctly, the violations should be restricted to the specific parameters that hold text. You can then exclude those parameters from specific Attack signatures without disabling them from the entire policy.

0 Kudos

Julie
Altostratus
Altostratus
In response to Julie

‎24-Aug-2020 16:39

I actually started doing that today, but Confluence is so monolithic, this path will probably be fairly time consuming. I was hoping there was an easier way, but I guess not. Thanks for the input.

0 Kudos

NickAD
Cirrus
Cirrus

‎21-Oct-2020 08:31

Hey Julie, just curioius as I am building a policy for this as well.. did you end up finding any easier way? Or did it really come down to adding the correct URLs with the associated content profiles. The Content-Type headers is more so what I am curious about... the fact that the I'd expect to see application/json but instead it is text/plain is so weird.

Can't find Atlassian docs that explain why the app behaves in that way. Or if there's a case where I'd see POST data using the text/plain header and the body isn't JSON.

0 Kudos
Copyright © 2023 Khoros, LLC