Forum Discussion

imac_105647
Jan 06, 2010

XML comment triggers an attack signature

Hello,

Can anyone tell me why a comment in an XML POST is seen as an attack?

The only thing I've found so far is the use of comments to help generate the correct checksum on signed content.

Here is a sample of the troublesome XML; take out the comment and the problem goes away:

1972-05-01

Employed

M

false

This triggers the attack signature:

Comments (2) 200016001

1 Reply

  • Hi,

    The Comments 2 attack signature is matching on XML/HTML comments as comments could potentially be used to obfuscate attacks. If your app accepts / requires comments in the XML, you'd want to disable this check either for the entire policy, just one object or a single parameter if the XML is passed in a parameter.

    If you'd like more details on the logic for including this signature in the attack sigs, you could open a case with F5 Support.

    Aaron
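
As an added example (not part of the original thread and not F5 tooling): a Python pre-flight check that lists the comments in an XML request body and the element each one sits in, so you can see which requests would match a comment signature before deciding whether to drop the comments client-side or relax the check for one object or parameter. The element names in the sample are hypothetical, since the poster's markup did not survive on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample body; element names are hypothetical, not the poster's XML.
SAMPLE = b"""<applicant>
  <!-- checksum padding -->
  <dateOfBirth>1972-05-01</dateOfBirth>
  <status>Employed</status>
  <gender>M</gender>
  <smoker>false</smoker>
</applicant>"""


def _parse(body, keep_comments):
    # Assumption: these request bodies never carry a DTD, so refuse one outright.
    if b"<!DOCTYPE" in body:
        raise ValueError("DTD not expected in this request body")
    # insert_comments (Python 3.8+) keeps comment nodes in the tree.
    builder = ET.TreeBuilder(insert_comments=keep_comments)
    return ET.fromstring(body, parser=ET.XMLParser(target=builder))


def find_comments(body):
    """Return (parent element tag, comment text) for each comment in the body."""
    hits = []
    for parent in _parse(body, keep_comments=True).iter():
        for child in parent:
            if child.tag is ET.Comment:
                hits.append((parent.tag, child.text))
    return hits


def strip_comments(body):
    """Re-serialize the body with comment nodes dropped."""
    return ET.tostring(_parse(body, keep_comments=False))


if __name__ == "__main__":
    for parent, text in find_comments(SAMPLE):
        print(f"comment inside <{parent}>: {text!r}")
    print(strip_comments(SAMPLE).decode())
```

Note that re-serializing changes the byte stream, so stripping is only an option when nothing downstream depends on the exact bytes, such as a checksum or signature over the content.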