F5 Rules for AWS WAF
80 TopicsTSPD and Javascript Challenge
Hi DevCentral community! I have a problem with the ASM and Javascript challenge, let me explain you what is happening, what is configured and what I searched :) 1) - I have configured an ASM Policy, on V12.1.2, where DoS protection is disabled, CSRF Protection is disabled and Web Scraping is disabled (this is not decided by me, it's a money thing between boss-client). 2) - Since the ASM was enabled in blocking mode, after 21 days of learning period, a pop-up appears when users try to edit Documents from SharePoint: The URL is https://XXX/TSPD/..... 3) - I read the Proactive Bot defense Guide and the Web Scraping Bot Detetion article also, I 've searched on DevCentral for similar problems Even I read this I'm not sure 100% sure why is happening this issue. Seems, per this question that even if everything is off, challenge can be set. I'm not sure how to solve it, this is what I understood that I have to do: Whiteliste on a LTM policy the resource path (disable the ASM) Whitelist on a LTM policy /TSPD/ and /TSbd/ path (disable the ASM) Check that javascript is enabled on the Browser Disable the caching of dynamic pages by injecting 'Cache-Control: no-cache' Thanks for your time and your help! Regards3.8KViews0likes2CommentsF5 Rules for AWS WAF - CVE-2021-22118 & CVE-2016-1000027
Hello, We're checking in the AWS marketplace for theF5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rulesand want to check if the following CVEs are covered by this rule set? CVE-2021-22118: Local Privilege Escalation within Spring Webflux Multipart Request Handling CVE-2016-1000027:Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Thanks.Solved2.3KViews0likes18CommentsF5 rules for AWS WAF Terraform
Dear, good afternoon I'm implementing the rules of F5 OWSAP10 https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi But I'm working with infrastructure by Terraform code To carry out the implementation I need the correct name of the rule and the correct name of the vendor for implementation and I cannot find this information in the documentation Can you help me? ex: { overrideAction = { type = var.NAME == "BLOCK" ? "NONE" : var.NAME } managedRuleGroupIdentifier = { "vendorName" : "NAME", "managedRuleGroupName" : "NAME" } ruleGroupType = "ManagedRuleGroup" excludeRules = [] }Solved1.8KViews0likes8CommentsHas anyone used F5 rules for AWS WAF?
Hello to All, Has anyone worked with this product and can provide an overview of it and if it is worth it? From what I read and see it is limited and F5 have not addedip intelligencefeed to it like Imperva has done but I could be wrong. AWS Marketplace: Search Results (amazon.com)Solved1.5KViews0likes5CommentsAnalyzing F5 OWASP rule matches
I am seeing lots of requests that match the following rules: rule_XSS_script_tag__Parameter__AllQueryArguments_Body rule_div_tag__behavior__Parameter__AllQueryArguments_Body rule_chmod_execution_attempt__Parameter__AllQueryArguments_Body rule_SQL_INJ_end_quote_UNION__Parameter__AllQueryArguments_Body How can I determine why the requests are matching? #F5 rules for AWS WAF1.5KViews0likes7CommentsF5 OWASP Top Ten Rules, no working NoSQL Injection properly
Hi there, if we do a postman POST request to our Api with the next one body in the request: { "link": { "$ne": null } }, The request is passing using Mentioned rules. How we can solve it? Thanks and have a nice day.Solved1.4KViews0likes10CommentsDoes Spring4Shell impacts on F5 AWS WAF?
Hi F5 community, I'm using these F5 rules for AWS WAF with API Gateway and Application Load Balancer resources. F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) F5 Rules for AWS WAF - API Security Rules How do I know these vulnerabilities are no impact on AWS WAF? or Has it been fixed in the F5 rules? or Do I need to create a custom F5 rules to protect these vulnerabilites? Regards, WorapojSolved1.4KViews0likes4CommentsF5 Rules for AWS WAF - List of CVE
Hello, We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and we can't find the information of which CVE Rules are applied with this subscription. Where can we find the information of which CVEs are covered by this Rule set? When a new High Risk CVE is identified how long it would take to be added in the Rule set list? This information is needed so we can take a decision to use or not the solution, shouldn't this be described somewhere? Thanks in advance.Solved1.2KViews0likes4CommentsDetail of AWS WAF - Web Exploits Rules by F5's Rule
When we upload the Excel file, it is blocked by Web Exploits Rules by F5's Rule. please see below WAFlog. ----------------------------------------------------------------------- {"timestamp":1637571625959, "formatVersion":1, "webaclId":"9e22227d-1fba-4844-a34b-43d35b20b2ae", "terminatingRuleId":"8b270c08-5d30-4940-a5bb-02e74c11b38f", "terminatingRuleType":"GROUP", "action":"BLOCK", "terminatingRuleMatchDetails":[], "httpSourceName":"ALB", "httpSourceId":"XXXXXXXXX-app/XXXXXXXXServer/XXXXXXXXXXXXXXXXXXX", "ruleGroupList":[{"ruleGroupId":"8b270c08-5d30-4940-a5bb-02e74c11b38f", "terminatingRule":{"ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36", "action":"BLOCK", "ruleMatchDetails":null}, "nonTerminatingMatchingRules":[], "excludedRules":null}], "rateBasedRuleList":[], "nonTerminatingMatchingRules":[], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest":{"clientIp":"XX.XXX.XX.XXX", "country":"JP", "headers":[{"name":"host", "value":"xxxxxxxxxxxxxxxxxxxx.com"}, {"name":"content-length", "value":"512302"}, {"name":"sec-ch-ua", "value":"\"Google Chrome\";v=\"95\", \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\""}, {"name":"accept", "value":"application/json, text/javascript, */*; q=0.01"}, {"name":"content-type", "value":"multipart/form-data; boundary=----WebKitFormBoundaryN8QBl8AUNfmYGqws"}, {"name":"x-requested-with", "value":"XMLHttpRequest"}, {"name":"sec-ch-ua-mobile", "value":"?0"}, {"name":"user-agent", "value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"}, {"name":"sec-ch-ua-platform", "value":"\"Windows\""}, {"name":"origin", "value":"https://xxxxxxxxxxxxxxxxxxxxxxxxx.com "}, {"name":"sec-fetch-site", "value":"same-origin"}, {"name":"sec-fetch-mode", "value":"cors"}, {"name":"sec-fetch-dest", "value":"empty"}, {"name":"referer", "value":"https://xxxxxxxxxxxxxxxxxxxxx.com/xxxxx/xxxxxxx/xxxxxxxxx/xxxx"}, {"name":"accept-encoding ", "value":"gzip, deflate, br"}, {"name":"accept-language", "value":"ja,en-US;q=0.9,en;q=0.8"}, {"name":"cookie", "value":"JSESSIONID=04DE9DEA76FDF48733FE23D7F5029B43; MP_PORTAL_SID=xxxxxxxxxxxxxxx; AWSALBTG=xxxxxx/xxxxxxxx; AWSALBTGCORS=xxxxxxxxx"}], "uri":"/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxxx/xxxxxxxx", "args":"", "httpVersion":"HTTP/2.0", "httpMethod":"POST", "requestId":"1-619b5c29-13a199306dd99bbd6753a9c9"}} ----------------------------------------------------------------------- then, When we add "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" to WAF as White list, Excel file is not blocked & uploaded successfully. so, We assume that it blocks Excel file. what is the "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" ? Cloud you let us know the detail of this ruleId? Can we know what is wrong of Excle file? thanks.1KViews0likes3CommentsAWS F5 Managed WAF rules not blocking simple SQL injection
We have subscribed to the "F5 Rules for AWS WAF - API Security Rules". Product page: https://aws.amazon.com/marketplace/pp/B07M948X2H. A Web ACL has been created in our AWS account using this group of rules. It has been then associated to an API published on the Amazon API Gateway. For some reason, even basic SQL injection are not blocked. For instance, a request with a url-encoded string like ' OR '1'='1 (see https://en.wikipedia.org/wiki/SQL_injection) in querystring is not blocked. Switching to a group of rules managed by a competitor (Fortinet) resolved our problem. We are surprised the F5 rules are so permissive. Maybe we are missing something. Any thoughts ? Thank you. Related question: https://devcentral.f5.com/s/feed/0D51T00006i7iONSAY1KViews1like15Comments