Forum Discussion

Jonathan_c's avatar
Feb 19, 2023

WAF Attack Signature Level

Hi,

I have a specific URL defined in the ASM Allowed URLs ("/path01/page.aspx" for our example), which has "Check attack signatures" checked.

In the Parameters we have only Wildcard with Ignore Value set.

We found this melicious attempt request wasn't detected:

/path01/page.aspx?a=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&b=UNION+SELECT+ALL+FROM+information_schema+AND+%27+or+SLEEP%285%29+or+%27&c=..%2F..%2F..%2F..%2Fetc%2Fpasswd

which decodes to this:

/path01/page.aspx?a=<script>alert("XSS");</script>&b=UNION SELECT ALL FROM information_schema AND ' or SLEEP(5) or '&c=../../../../etc/passwd

So I understand the melicious code is in the parameter context, so it's not checked due to the wildcard settings. 

But on the other hand, under the specific URL context, there are several "XSS (parameters)" signatures enabled.

Doesn't that mean that under that specific URL it should check for XSS in parameters signatures?

Thanks

3 Replies

  • Hi Jonathan_c,

    It type of attack is normally stoped for the attack signatures, I think you have the attack signatures for this policy in Staging, could you try to review the enforcement readiness period to validate if the signatures are enforced.

  • Hi Sebastiansierra,

    I've double checked and we don't have any attack signature in staging.

    The issue is that I don't understand the order, or precedence, of things - 

    Wildcard parameter setting is set to Ignore Value, but the settings of the specific URL are set to Check Attack Signatures, and there are many attack signatures which relates to the parameters section of the URL (example in screenshot).

    So, is it supposed to be checked or not?

    • Hi Jonathan_c ,

      Do you have the violation enabled in the blocking panel for this specific protection at URL Level? if the configuration is not the problem I recommend you open a support ticket, it could be a specific bug in your version.

      The configuration you have is correct, in ASM and all modules more specific is equal to first processing, wildcard will never be processed if a parameter, URL, File Type, Header, Cookie, etc is first than this,

      Hope it´s work.