Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

F5 OWASP Top Ten Rules, no working NoSQL Injection properly

Go to solution
Oscar77
Nimbostratus
Nimbostratus

‎22-Dec-2021 03:22

Hi there, if we do a postman POST request to our Api with the next one body in the request:

 

{

"link": {

"$ne": null

}

},

 

The request is passing using Mentioned rules.

 

How we can solve it?

 

Thanks and have a nice day.

 

Labels:
0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
Mohamedfaizur
F5 Employee
F5 Employee

‎13-Jan-2022 16:44

Hi Oscar77,

OWASP ruleset has been updated with all our recent NoSQL signatures, covering the example mentioned above and more. Please test again with latest ruleset and let us know the result

Thanks

Mohamedfaizur

View solution in original post

0 Kudos

Go to solution
Mohamedfaizur
F5 Employee
F5 Employee
In response to Oscar77

‎19-Jan-2022 23:54

Hi,

The types of NoSQL injection signatures we have are all the popular operands, similar to $gt which stands for "greater than" and $lt for "less than". We cannot list all the different operands we're searching for due to security concerns.

Thanks

Mohamedfaizur

 

View solution in original post

0 Kudos
10 REPLIES 10

Go to solution
Oscar77
Nimbostratus
Nimbostratus

‎23-Dec-2021 06:54

is there another way to obtain "official" support?

 

We need to fix this, plz

0 Kudos

Go to solution
Oscar77
Nimbostratus
Nimbostratus

‎30-Dec-2021 23:35

Nodoby help?

0 Kudos

Go to solution
Mohamedfaizur
F5 Employee
F5 Employee

‎01-Jan-2022 19:04

Hi,

Please send us the full details of the attack test that was not blocked, including sample request. We will analyze the attack test against F5 rule sets to determine the root cause and proposed solution.

Thanks

0 Kudos

Go to solution
Oscar77
Nimbostratus
Nimbostratus
In response to Mohamedfaizur

‎03-Jan-2022 00:42 - last edited on ‎21-Nov-2022 11:58 by Fog 

curl --location --request POST 'URL' \
--header 'token: TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
      "link": {
        "$gt": null
      }
    }'

This is my Backend response running curl:

 

{"error":"NoSqlInjectionError","message":"Invalid request","code":0}

But in AWS insights we can see the WAF cannot stop the request, see the >>>> ALLOW <<<<

 

Field	Value
@ingestionTime	
1641197043827
@log	
AWSACCOUNT:LOG
@logStream	
LOGSTREAM
@message	
message
@timestamp	
1641196768228
action	
>>>> ALLOW <<<<
formatVersion	
1
httpRequest.clientIp	
XXX.XXX.XXX.XXX
httpRequest.country	
ES
httpRequest.headers.0.name	
host
httpRequest.headers.0.value	
XXX.XXX.XX
httpRequest.headers.1.name	
user-agent
httpRequest.headers.1.value	
curl/7.77.0
httpRequest.headers.2.name	
accept
httpRequest.headers.2.value	
*/*
httpRequest.headers.3.name	
HEADER
httpRequest.headers.3.value	
TOKENVALUE
httpRequest.headers.4.name	
content-type
httpRequest.headers.4.value	
application/json
httpRequest.headers.5.name	
content-length
httpRequest.headers.5.value	
51
httpRequest.httpMethod	
POST
httpRequest.httpVersion	
HTTP/2.0
httpRequest.requestId	
REQUEST_ID
httpRequest.uri	
URI
httpSourceId	
ALB
httpSourceName	
ALB
ruleGroupList.0.ruleGroupId	
F5#OWASP_Managed
ruleGroupList.1.ruleGroupId	
F5#Bots_Managed
ruleGroupList.2.ruleGroupId	
AWS#AWSManagedRulesAmazonIpReputationList
terminatingRuleId	
Default_Action
terminatingRuleType	
REGULAR
timestamp	
1641196768228
webaclId	
WEBACL

If you need more info, just say to us please, tnx for your response, i wish you nice day.

0 Kudos

Go to solution
Oscar77
Nimbostratus
Nimbostratus

‎10-Jan-2022 00:27

Any advance of this?

0 Kudos

Go to solution
Oscar77
Nimbostratus
Nimbostratus

‎12-Jan-2022 04:00

Hi,

 

We are thinking about to stop using F5 rules in all of multiple environments, because we are worried about a poorly fast support from F5, is a pitty because we loved to use it, but is useless if we cannot obtain support if we need it.

0 Kudos

Go to solution
Mohamedfaizur
F5 Employee
F5 Employee
In response to Oscar77

‎12-Jan-2022 04:40

Hi Oscar77,

Sorry for late reply. I am working with backend team. I will update asap

Thanks

Mohamedfaizur

0 Kudos

Go to solution
Mohamedfaizur
F5 Employee
F5 Employee

‎13-Jan-2022 16:44

Hi Oscar77,

OWASP ruleset has been updated with all our recent NoSQL signatures, covering the example mentioned above and more. Please test again with latest ruleset and let us know the result

Thanks

Mohamedfaizur

0 Kudos

Go to solution
Oscar77
Nimbostratus
Nimbostratus

‎17-Jan-2022 02:58

Seems to be working. Really tnx.

 

Would be nice if we can know what type of attacks can recognize this new NoSQL rules please.

 

Awaiting your response, and tnx again for the help

0 Kudos

Go to solution
Mohamedfaizur
F5 Employee
F5 Employee
In response to Oscar77

‎19-Jan-2022 23:54

Hi,

The types of NoSQL injection signatures we have are all the popular operands, similar to $gt which stands for "greater than" and $lt for "less than". We cannot list all the different operands we're searching for due to security concerns.

Thanks

Mohamedfaizur

 

0 Kudos
Copyright © 2023 Khoros, LLC