BigIP ASM can't block Command Execution Attack

Phu
Nimbostratus

My BigIP device is running on v16.0.1.

I set up an ASM Policy and mapped many Attack Signature Sets, including Command Execution.

I tried testing with some test cases, such as:

  • https://mydomain.com/product?test= ls /var/log
  • https://mydomain.com/product?test= pwd
  • https://mydomain.com/product?test= tail /var/../../config.php

All of the test cases are allowed through without being blocked.

The ASM Policy is in blocking mode, and all Attack Signatures are enforced (not staging). Only Command Execution is not working; the other Signature Sets are working well.

 

1 ACCEPTED SOLUTION

Simon_Blakely
F5 Employee

Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

  • https://mydomain.com/product?test=/bin/ls /var/log
  • https://mydomain.com/product?test=/sbin/pwd
  • https://mydomain.com/product?test=`tail /etc/passwd


2 REPLIES

You are right.

The escape character ( ` ) makes ASM recognize the Command Execution Attack.

Thanks so much.
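
The distinction drawn in the accepted answer, as an added example (not part of the thread and not F5's signature logic): a simplified Python matcher with two hypothetical rules, built only from what the answer names, run over the six request URLs quoted in the thread. The rule names, regexes and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Hypothetical rules (assumption, not ASM's real signatures), limited to what
# the answer names: the escape characters ` and ; and a full path to a binary
# such as /bin/ls or /sbin/ls.
ESCAPE_CHARS = re.compile(r"[`;]")
FULL_BINARY_PATH = re.compile(r"(?<![\w/.])/s?bin/[\w.-]+")

def query_values(url):
    """Yield (name, decoded value) for each query parameter of the URL."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)

def classify(url):
    """Return the names of the rules matched by any parameter value."""
    hits = []
    for _name, value in query_values(url):
        if ESCAPE_CHARS.search(value):
            hits.append("escape-character")
        if FULL_BINARY_PATH.search(value):
            hits.append("full-binary-path")
    return hits

# Sample set: the six request URLs quoted in the thread.
SAMPLES = [
    "https://mydomain.com/product?test= ls /var/log",
    "https://mydomain.com/product?test= pwd",
    "https://mydomain.com/product?test= tail /var/../../config.php",
    "https://mydomain.com/product?test=/bin/ls /var/log",
    "https://mydomain.com/product?test=/sbin/pwd",
    "https://mydomain.com/product?test=`tail /etc/passwd",
]

def report(urls=SAMPLES):
    """Map each URL to the list of matched rule names (empty = no hit)."""
    return {url: classify(url) for url in urls}

if __name__ == "__main__":
    for url, hits in report().items():
        print(("MATCH   " if hits else "no hit  ") + url, hits)
```

Bare command words match neither rule because, to a pattern matcher, they look the same as ordinary text in a parameter value; the values are URL-decoded before matching so an encoded backtick is treated like a literal one.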