Technical Forum

How to tuning policy WAF F5 for Command Execution

TsukiAzuma
Altostratus

I have a problem with an F5 WAF policy.

The F5 WAF blocks a request when the method is POST and the payload contains the "vi" characters.

But when a user logs in, the request is blocked because the method is POST and the "vi" characters appear (in the request's language: vi-en).

What can I do to tune the F5 WAF policy so that it does not block that request?

8 Replies

ragunath154
Cirrus

You can add the language header to the header allow list and disable the signature triggering the "vi" command violation only for this header name.

Thank you for your advice.

But the request contains many "vi" characters. It looks like:

POST /login HTTP/1.1\r\nConnection: upgrade\r\nHost: xxx\r\nX-Real-IP: xxx\r\nX-Forwarded-For: xxx, xxx\r\nX-Nginx-Proxy: true\r\nContent-Length: 675\r\ncache-control: max-age=0\r\nupgrade-insecure-requests: 1\r\norigin: xxx\r\ncontent-type: application/x-www-form-urlencoded\r\nuser-agent: Mozilla/5.0 (Linux; U; Android 12; vi-vn; CPH2043 Build/SP1A.210812.016) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.88 Mobile Safari/537.36 HeyTapBrowser/45.9.0.1\r\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nsec-fetch-site: same-origin\r\nsec-fetch-mode: navigate\r\nsec-fetch-user: ?1\r\nsec-fetch-dest: document\r\nreferer: xxx?type=cn\r\naccept-encoding: gzip, deflate, br\r\naccept-language: vi-VN,vi;q=0.9,en-US;q=0.8,en;q=0.7\r\ncookie: xxx

Hi @TsukiAzuma,
Would you please share the violation that the F5 WAF produces against this request?

_______________________
Regards
Mohamed Kansoh

Do you mean this?
violations="Illegal meta character in value,Attack signature detected",support_id="6258108010622842152",request_status="blocked",response_code="0",ip_client="xxx",route_domain="0",method="POST",protocol="HTTPS",query_string="",x_forwarded_for_header_value="xxx, xxx",sig_ids="200003086",sig_names="%22vi%22 execution attempt",date_time="2022-12-07 15:32:38",severity="Error",attack_type="Abuse of Functionality,Command Execution",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="d080b92a930b4a2",src_port="xxx",dest_port="xxx",dest_ip="xxx",sub_violations="",virus_name="N/A",violation_rating="2",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",blocking_exception_reason="N/A",captcha_result="not_received",uri="/login"
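The later replies ask for exactly the fields in a line like the one above: the blocked URL and method, the signature ID and name, and the violation names. The following Python script is an added example that is not part of the thread and is not F5 code; it parses the key="value" request-log format shown above and groups blocked requests by (method, URI) so the tuning can be scoped to one URL entity. The first sample line is a trimmed copy of the line from the thread; the second line and the field subset are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

# Constructed sample log lines in the key="value" format seen in the thread.
# The first is trimmed from the thread (placeholder "xxx" fields dropped);
# the second is made up to show that several events aggregate per URL.
SAMPLE_LOGS = [
    'violations="Illegal meta character in value,Attack signature detected",'
    'support_id="6258108010622842152",request_status="blocked",method="POST",'
    'protocol="HTTPS",sig_ids="200003086",sig_names="%22vi%22 execution attempt",'
    'date_time="2022-12-07 15:32:38",severity="Error",'
    'attack_type="Abuse of Functionality,Command Execution",'
    'violation_rating="2",uri="/login"',
    'violations="Attack signature detected",support_id="1",request_status="blocked",'
    'method="POST",protocol="HTTPS",sig_ids="200003086",'
    'sig_names="%22vi%22 execution attempt",date_time="2022-12-07 15:40:01",'
    'severity="Error",attack_type="Command Execution",violation_rating="2",'
    'uri="/login"',
]

# One key="value" pair; values may contain commas and spaces but not quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_asm_log(line: str) -> Dict[str, str]:
    """Turn one log line into a dict. sig_names arrive URL-encoded
    (%22vi%22 in the thread), so every value is decoded once."""
    return {key: unquote(value) for key, value in FIELD_RE.findall(line)}


def split_list(value: str) -> List[str]:
    """Multi-valued fields are comma-joined; an empty string means no values."""
    return [item for item in value.split(",") if item]


def signatures(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pair sig_ids with sig_names by position. Assumption: both fields are
    emitted in the same order (a signature name containing a comma would
    break this pairing, so check the count matches before trusting it)."""
    ids = split_list(rec.get("sig_ids", ""))
    names = split_list(rec.get("sig_names", ""))
    return list(zip(ids, names)) if len(ids) == len(names) else [(i, "?") for i in ids]


def tuning_summary(lines: Iterable[str]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group blocked requests by (method, uri) and collect the signature IDs
    and violation names seen there: the inputs needed to create an explicit
    URL entity and scope a signature or meta-character exception to it."""
    grouped = defaultdict(lambda: {"count": 0, "sig_ids": set(), "violations": set()})
    for line in lines:
        rec = parse_asm_log(line)
        if rec.get("request_status") != "blocked":
            continue  # only blocked traffic needs a tuning decision
        entry = grouped[(rec.get("method", "?"), rec.get("uri", "?"))]
        entry["count"] += 1
        entry["sig_ids"].update(sig_id for sig_id, _ in signatures(rec))
        entry["violations"].update(split_list(rec.get("violations", "")))
    return {
        key: {"count": v["count"], "sig_ids": sorted(v["sig_ids"]),
              "violations": sorted(v["violations"])}
        for key, v in grouped.items()
    }


if __name__ == "__main__":
    for (method, uri), info in tuning_summary(SAMPLE_LOGS).items():
        print(f"{method} {uri}: {info['count']} blocked, "
              f"signatures {info['sig_ids']}, violations {info['violations']}")
```

Run it over an export of the request log; each output row corresponds to one URL entity to create and lists the signature IDs to allow under that URL only, plus whether an "Illegal meta character in value" violation also needs a parameter-level exception.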

Hi @TsukiAzuma,

Try to define the impacted URL and its parameters as an explicit entity under Allowed URLs. After that, allow the attack signature that blocks your requests to this URL, and do the same thing with meta characters under this URL's parameter: allow the meta character that blocks you when this request comes to F5.

I will send some snapshots from my lab that will help:
1- Create an explicit URL "/login" with the POST method:
[screenshot: Allowed url.PNG]

> Get the attack signature ID and search in the "Global security policy settings" bar by this ID, then drag it from the right table to the left. This way you allow this attack signature under this URL only.

2- After that, create the parameters that come with this URL in the "POST" data and allow the meta character. You can do this by selecting the URL Parameters tab in the last snapshot and proceeding:
[screenshots: Url para.PNG, parameter meta.PNG]

> After doing that, your request shouldn't be blocked.
> Note: I do not know what your parameters are under this requested URL. You should know them and be able to add the impacted parameter as in the last snapshot.


> Read this article carefully, it will show you more:
https://support.f5.com/csp/article/K64208044

I hope this helps you.
Regards

_______________________
Regards
Mohamed Kansoh

Thank you.

I will contact the network team and try it.

Hi @TsukiAzuma,

1. You must decide which meta characters are allowed for the parameters.

2. If you accept the suggestion for wildcard parameters, illegal meta characters will be accepted for all parameters, but not for particular learned parameters.

3. Allowed: specifies that the character or meta character can occur in parameter values. Disallowed: specifies that the character or meta character cannot occur in parameter values.

4. These settings come from /Security/Application Security/Parameters/Character Sets.

Do you have any records of the violation?

Security ›› Application Security : Policy Building : Violations on Entities : Violations on Parameters

A legitimate parameter value has been blocked due to a disallowed character. This is considered a false positive.

Recommended Actions

To allow a meta character value at the parameter level, go to:

Security >> Application Security : Parameters : Parameters List >> <parameter> >> Value Meta Characters

Alternatively, for all parameters, this may be configured at:

Security >> Application Security : Parameters : Character Sets : Parameter Value


>> Apply your policy

>> Test again

Share your test results with me again.

Refer to these links:
K6787: Working with metacharacters in the BIG-IP ASM security policy
https://support.f5.com/csp/article/K6787

https://f5-agility-labs-waf.readthedocs.io/en/latest/class5/module1/lab4/lab4.html

HTH
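To make the allowed/disallowed decision in items 1 to 3 above concrete, here is an added Python model that is not from the thread and not F5 code. It shows the precedence the reply describes: a wildcard character set applies to every parameter without an explicit entity, and an explicit parameter entity (here the "password" parameter) carries its own Value Meta Characters and wins. The meta-character set, the `ParameterPolicy` class and the login form body are all constructed for the example; the real list of meta characters lives in the policy's Character Sets table.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl

# Constructed subset of characters treated as meta characters for this model
# (assumption for the example, not the policy's real Character Sets table).
META_CHARS = set("<>\"'&|;$`()")

# Constructed login form body: the password contains '&' (a meta character
# once URL-decoded); the other values contain only letters, '.', '-' and '@'.
SAMPLE_BODY = "username=nguyen.vi&password=p%40ss%26word&lang=vi-VN"


class ParameterPolicy:
    """Toy model of the allowed/disallowed decision for parameter values.

    A wildcard character set applies to every parameter with no explicit
    entity; an explicit parameter entity carries its own allowed set and
    takes precedence, which is the point of item 2 above.
    """

    def __init__(self, wildcard_allowed: Set[str]) -> None:
        self.wildcard_allowed: Set[str] = set(wildcard_allowed)
        self.explicit: Dict[str, Set[str]] = {}

    def add_parameter(self, name: str, allowed: Set[str]) -> None:
        """Create an explicit parameter entity with its own Value Meta Characters."""
        self.explicit[name] = set(allowed)

    def allowed_for(self, name: str) -> Set[str]:
        """Explicit entity wins; otherwise the wildcard set applies."""
        return self.explicit.get(name, self.wildcard_allowed)

    def check(self, form_body: str) -> List[Tuple[str, str]]:
        """Return (parameter, character) pairs that would raise
        'Illegal meta character in value' for a POST form body."""
        violations: List[Tuple[str, str]] = []
        for name, value in parse_qsl(form_body, keep_blank_values=True):
            allowed = self.allowed_for(name)
            for ch in value:
                if ch in META_CHARS and ch not in allowed:
                    violations.append((name, ch))
        return violations


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Before: the wildcard allows nothing, so '&' in the password is flagged.
    After: an explicit 'password' entity allows '&' for that parameter only."""
    policy = ParameterPolicy(wildcard_allowed=set())
    before = policy.check(SAMPLE_BODY)
    policy.add_parameter("password", {"&"})
    after = policy.check(SAMPLE_BODY)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before explicit entity:", before)  # [('password', '&')]
    print("after explicit entity: ", after)   # []
```

Note that "vi" in `nguyen.vi` and `vi-VN` is never flagged here: the "vi" execution attempt in the thread is an attack signature match, which is a separate check from the meta-character check and is handled by the per-URL signature exception from the earlier reply, not by the character set.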

 

Thank you for your advice.

I will share the test results when the network team has a report.