Forum Discussion

sbobic_232506
Dec 15, 2015

Policy error after manually adding rules to results from security scanner

  1. I scan the vulnerable application (DVWA) using the IBM AppScan vulnerability scanner.

Create a security policy using third party vulnerability assessment tool output:
  - Application Language: UTF-8
  - Enforcement Mode: Blocking
  - Security policy is case sensitive: ENABLED
  - Differentiate between HTTP and HTTPS: ENABLED

Vulnerability Assessments Settings:
  - Learning mode: AUTOMATIC
  - Exceptions for the scanner's IP address are not set

 

I then import the scan result XML file that looks like this:
[1] My first question is, what is the practical difference between the RESOLVE and RESOLVE AND STAGE options?
For demonstration purposes, I will just RESOLVE SQL injection vulnerabilities.

Now when I try to exploit the vulnerable form, I get an error: "The requested URL was rejected. Please consult with your administrator. Your support ID is: 13038689552880322710"
This all works. If I just put a single quote (') into the form field, the app will still generate: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"
My problem starts here since I don't want this error to show. Instead, I wish to reject the URL like when using the full exploitation string. So I:
  - go into Security ›› Application Security : Parameters : Parameters List
  - click on the ID parameter
  - Now, as seen on the picture below, I try to mitigate it through one of the 2 ways:
    1. I set data type to INTEGER -> from my understanding, this should allow only integers to be inputted into the ID field, or otherwise show an error page or whatever?
    2. I disallow Meta Character 0x27 (single quote)
Let's try with the 1. option (applying INTEGER to the ID parameter). Once I go back a step, to Security ›› Application Security : URLs : Allowed URLs, I get a notice to apply the policy. So just doing UPDATE in the previous step wasn't enough.
Once I apply the settings, I get validation errors as seen on the picture:
Now, when I go to the vulnerable application and try the full exploitation string, it will be successful as if no policy was ever set. In other words, the WAF will stop working. Not to mention that the single quote is still not blocked, even though the WAF successfully blocked it the first time I imported the XML scan results and mitigated SQL injection.
I have no idea why F5 is behaving like this or where my error is. The same issue will appear if I try to disallow the single quote on the specified parameter as well.
I do have other questions, like how to prevent stored XSS bugs and file upload vulnerabilities that are not offered to be automatically mitigated, but I will leave that for another thread.
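To make the intended effect of the two parameter settings concrete, here is a small Python model of ASM-style per-parameter checks for the id parameter (an added example, not F5's code or anything from the original post): a data type of INTEGER and a disallowed meta character 0x27, plus the staged-versus-enforced and Blocking-versus-Transparent distinctions. That staged entities and Transparent mode report violations without blocking is an assumption of this model; the DVWA request URLs and host are constructed.

```python
# Added illustration, not F5 code: a simplified model of ASM-style
# per-parameter checks for the "id" parameter discussed above. Two checks
# are modelled: data type INTEGER and disallowed meta character 0x27 (').
# How staging and enforcement mode behave is an assumption of this model:
# staged entities and Transparent mode report violations without blocking.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

BLOCK_PAGE = "The requested URL was rejected. Please consult with your administrator."

@dataclass
class ParamRule:
    data_type: str = "alpha-numeric"      # "integer" or "alpha-numeric"
    disallowed_meta: set = field(default_factory=set)  # code points, e.g. {0x27}
    staged: bool = False                  # True = learn only, never block

def check_param(name, value, rule):
    """Return the list of violation names raised by one parameter value."""
    violations = []
    if rule.data_type == "integer" and not re.fullmatch(r"-?\d+", value):
        violations.append(f"Illegal parameter data type: {name}")
    bad = sorted(f"0x{ord(c):02x}" for c in set(value) if ord(c) in rule.disallowed_meta)
    if bad:
        violations.append(f"Illegal meta character in parameter {name}: {', '.join(bad)}")
    return violations

def evaluate_request(url, rules, enforcement_mode="blocking"):
    """Return (blocked, violations) for a GET request URL under the given rules."""
    violations, block = [], False
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        rule = rules.get(name)
        if rule is None:
            continue                       # parameters without a rule are not checked here
        found = check_param(name, value, rule)
        violations.extend(found)
        if found and not rule.staged and enforcement_mode == "blocking":
            block = True
    return block, violations

# Rules as the post describes them: ID parameter as INTEGER, 0x27 disallowed.
ENFORCED = {"id": ParamRule(data_type="integer", disallowed_meta={0x27})}
STAGED = {"id": ParamRule(data_type="integer", disallowed_meta={0x27}, staged=True)}

if __name__ == "__main__":
    # Constructed DVWA-style request URLs; the host is a placeholder.
    for url in ("http://dvwa.example/vulnerabilities/sqli/?id=1&Submit=Submit",
                "http://dvwa.example/vulnerabilities/sqli/?id=%27&Submit=Submit"):
        blocked, found = evaluate_request(url, ENFORCED)
        print(url, "->", BLOCK_PAGE if blocked else "passed", found)
```

With the enforced rules a single quote in id raises both violations and is blocked, while the same request under the staged rules or in Transparent mode only reports them.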
1 Reply

  • There is some kind of error in this portal, so I can't edit my post. I have uploaded the wrong picture 1 (imported scanner results), so here it is: