BigIP ASM can't block Command Execution Attack

Phu · ‎27-Nov-2020

My BigIP device is running on v16.0.1

I setup an ASM Policy and mapping many Attack Signature Sets included Command Execution.

I try to test with some of testcases. Such as:

https://mydomain.com/product?test= ls /var/log
https://mydomain.com/product?test= pwd
https://mydomain.com/product?test= tail /var/../../config.php

All of testcases are allowed access without blocking.

ASM Policy is blocking mode, All Attack Signature are Enforce (not stagging). I see just only Command Execution is not working, the other Signature Sets are running well.

Simon_Blakely · ‎29-Nov-2020

Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

https://mydomain.com/product?test=/bin/ls /var/log
https://mydomain.com/product?test=/sbin/pwd
https://mydomain.com/product?test=`tail /etc/passwd

View solution in original post

Simon_Blakely · ‎29-Nov-2020

Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

https://mydomain.com/product?test=/bin/ls /var/log
https://mydomain.com/product?test=/sbin/pwd
https://mydomain.com/product?test=`tail /etc/passwd

Phu · ‎29-Nov-2020

You are right.

Escape character ( ` ) make ASM recognize Command Execution Attack.

Thanks so much.

DevCentral

BigIP ASM can't block Command Execution Attack

Sep 26th, 2023
MFA required on DevCentral

DevCentral

BigIP ASM can't block Command Execution Attack

Sep 26th, 2023MFA required on DevCentral

Sep 26th, 2023
MFA required on DevCentral