BigIP ASM can't block Command Execution Attack

Phu · ‎27-Nov-2020

My BigIP device is running on v16.0.1

I setup an ASM Policy and mapping many Attack Signature Sets included Command Execution.

I try to test with some of testcases. Such as:

https://mydomain.com/product?test= ls /var/log
https://mydomain.com/product?test= pwd
https://mydomain.com/product?test= tail /var/../../config.php

All of testcases are allowed access without blocking.

ASM Policy is blocking mode, All Attack Signature are Enforce (not stagging). I see just only Command Execution is not working, the other Signature Sets are running well.

Simon_Blakely · ‎29-Nov-2020

Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

https://mydomain.com/product?test=/bin/ls /var/log
https://mydomain.com/product?test=/sbin/pwd
https://mydomain.com/product?test=`tail /etc/passwd

View solution in original post

Simon_Blakely · ‎29-Nov-2020

Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

https://mydomain.com/product?test=/bin/ls /var/log
https://mydomain.com/product?test=/sbin/pwd
https://mydomain.com/product?test=`tail /etc/passwd

Phu · ‎29-Nov-2020

You are right.

Escape character ( ` ) make ASM recognize Command Execution Attack.

Thanks so much.

DevCentral

BigIP ASM can't block Command Execution Attack

MFA required on DevCentral