
Header Based content profile

THE_BLUE
Cirrostratus

If I have a form with

Content-Type: multipart/form-data; boundary ................

that requires file upload, when any file is attached it gives an attack signature detection. I have tried to add some changes under a specific URL, e.g.:

Application Security > URL > Advanced > Header Based content profile >

Request Header Name: Content-Type

Request Header Value: *multipart/form-data*

Request Body Handling: Do nothing

So now, is there any risk in doing this? Meaning, if there is a real attack, will it be blocked or not?

And how does F5 intercept the attached file?


Lidev
MVP

Hello Blue,

Yes, there's a risk; it's not recommended not to check the body on requests with multipart.

Did you try to set the parameter called during this request in Data type: File upload, as in the screenshot below?

0691T000009iGyvQAE.png

Regards

Hello Lidev,

Yes, I did, but the issue is still there.

Does ASM inspect the file (pdf, jpg and so on)? Or what exactly?

Lidev
MVP

Hi BLUE,

Yes, ASM does carry out certain checks on file upload: https://support.f5.com/csp/article/K01235989

Can you specify which signature attack is raised and its details?

Regards

Example:

"arp" execution attempt, but no details in the payload related to file type.

But sometimes I can see pdf, jpg and so on in the payload, something like encoding.

Is there any change I have to apply under attack signatures in Learning and Blocking Settings?

How can I understand where ASM detects the attack?

Because sometimes I cannot understand it (only letters and characters).

Do I have to enable attack signatures in the policy based on server technologies, or what?

Appreciate your help.

Lidev
MVP

If the violation raised by ASM is "arp execution", it's because ASM has revealed during the analysis of the request certain elements which make it think of a command execution attack.

If you think it's a false positive, you can disable the signature attack on the item (url/parameter) that raised the violation.

You cannot see in detail what analysis is performed by the ASM on signature attacks; these elements are protected so that we cannot bypass this security part.

Adding the server technologies used by your servers in the ASM policy can indeed at first glance limit false positives.

So since "arp execution" is related to Linux, and Linux is not there in server technologies, I can remove the Linux attack signatures from this policy, right?

Lidev
MVP

If your backend servers don't use a Linux system, yes it's a good start to not overload the ASM with unnecessary signature attacks.
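
On the question of where in an upload a pattern was found, the following is an added example (not from the thread and not F5 code) that splits a multipart/form-data body into its parts and reports the field name, filename and byte offset of each match. The sample request, the function names and the `\barp\b` pattern are constructed stand-ins and do not reproduce any real ASM signature.

```python
import re

def split_multipart(content_type, body):
    """Yield (raw_headers, content) for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)', content_type, re.I)
    if not m:
        raise ValueError("Content-Type has no boundary parameter")
    delim = b"--" + m.group(1).strip().encode("ascii")
    for seg in body.split(delim)[1:]:      # segment 0 is the preamble
        if seg.startswith(b"--"):          # closing delimiter: --boundary--
            break
        head, _, content = seg.lstrip(b"\r\n").partition(b"\r\n\r\n")
        # Drop only the CRLF that belongs to the next delimiter line.
        yield head, content[:-2] if content.endswith(b"\r\n") else content

def locate_hits(content_type, body, pattern):
    """Return (field name, filename or None, byte offset) for every match."""
    hits = []
    for head, content in split_multipart(content_type, body):
        disp = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', disp)
        fname = re.search(r'\bfilename="([^"]*)"', disp)
        for hit in re.finditer(pattern, content):
            hits.append((name.group(1) if name else None,
                         fname.group(1) if fname else None,
                         hit.start()))
    return hits

# Simplified stand-in pattern (assumption), not the vendor's signature.
DEMO_PATTERN = rb"\barp\b"

# Constructed sample request: one text field and one binary file part.
SAMPLE_CT = "multipart/form-data; boundary=----demo123"
SAMPLE_FILE = b"%PDF-1.4\n\x8f\x02;arp \x00\xfe\x10stream\n"
SAMPLE_BODY = (
    b"------demo123\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"quarterly report\r\n"
    b"------demo123\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    + SAMPLE_FILE + b"\r\n"
    b"------demo123--\r\n"
)

if __name__ == "__main__":
    for field, filename, offset in locate_hits(SAMPLE_CT, SAMPLE_BODY, DEMO_PATTERN):
        print(f"field={field} filename={filename} offset={offset}")
```

A match that appears only inside the binary file part points at the file parameter as the item to tune, which leaves the text fields of the same request under inspection.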