Forum Discussion

AlsDevC's avatar
AlsDevC
Icon for Altocumulus rankAltocumulus
May 03, 2023
Solved

Handle False Positive for files upload

Hi folks, 

I'm wondering how to handle uploading files through XC. For example, I have a URL used for uploading files to a web application, say /upload.

The files appear to be scanned by XC which detects and triggers many attack signatures. According to my tests they are all false positives. A concrete example of trigered signature:

Signature ID 200104770
name: JSP Expression Language Expression Injection (3) (Parameter)
attack_type: ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION
matching_info: Matched 62 characters on offset 1 against value: "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'."

The habit I had on ASM was to disable problematic signatures on this type of URL.

Is there a more relevant way to handle these cases on XC?

Many thanks.

  • Sudhir_Patamsetti's avatar
    Sudhir_Patamsetti
    May 03, 2023

    Yes, the reocmmendation is to leave it "enabled" ( the feature is enabled in the default policy ).

    Regarding the comment "lowered the level of protection against SQL Injection type attacks" , could you please open a support ticket with the details ? We will review and make improvements as needed to the model

6 Replies

Sort By
  • Stephen_Archer's avatar
    Stephen_Archer
    Icon for Employee rankEmployee
    May 03, 2023

    Hi AlsDevC.

    If you look at the Security Events in the Security Dashboard and find the event that you believe to be false-positive, then click the `...` in the `Actions` column:

    You have the option to `Create WAF Exclusion rule`.  This will take you to the 'WAF Exclusion Rules` section of the Load-Balancer configuration, and pre-populate the configuration for you, to disable the signature on the specific URL.  

    Hope that helps. 

     

  • AlsDevC's avatar
    AlsDevC
    Icon for Altocumulus rankAltocumulus
    May 03, 2023

    Stephen,

    Thanks for your quick feedback. Maybe I'm expressing myself badly. I know how to put an exception but I was hoping for another method than putting an exception for each matched signature.

    BR.

     

     

    • Sudhir_Patamsetti's avatar
      Sudhir_Patamsetti
      Icon for Employee rankEmployee
      May 03, 2023

      Can you share the "state" of those signatures , for that security event? You should find that in the information section. Ideally, these signatures should be "autosuppressed" by the "automatic attack signatures tuning" capability

  • AlsDevC's avatar
    AlsDevC
    Icon for Altocumulus rankAltocumulus
    May 03, 2023

    I disabled "automatic attack signatures tuning" because we noticed that it lowered the level of protection against SQL Injection type attacks.
    Am I to understand that this is not a good practice and that it is advisable to leave it enabled to limit the number of false positives?

    • Sudhir_Patamsetti's avatar
      Sudhir_Patamsetti
      Icon for Employee rankEmployee
      May 03, 2023

      Yes, the reocmmendation is to leave it "enabled" ( the feature is enabled in the default policy ).

      Regarding the comment "lowered the level of protection against SQL Injection type attacks" , could you please open a support ticket with the details ? We will review and make improvements as needed to the model

  • AlsDevC's avatar
    AlsDevC
    Icon for Altocumulus rankAltocumulus
    May 04, 2023

    Hi Sudhir, I re-enable the option and my file ipload works correctly, i see the request is triggered by WAF but signatures are in Autosuppressed state. It answer my initial question, thanks. 
    I'll open a case for SQL Injection are passing when I activate the feature. 

    Thanks all.