WAF Attack Signature Level
Hi, I have a specific URL defined in the ASM Allowed URLs ("/path01/page.aspx" for our example), which has "Check attack signatures" checked. In the Parameters we have only Wildcard with Ignore Value set. We found this melicious attempt request wasn't detected: /path01/page.aspx?a=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&b=UNION+SELECT+ALL+FROM+information_schema+AND+%27+or+SLEEP%285%29+or+%27&c=..%2F..%2F..%2F..%2Fetc%2Fpasswd which decodes to this: /path01/page.aspx?a=<script>alert("XSS");</script>&b=UNION SELECT ALL FROM information_schema AND ' or SLEEP(5) or '&c=../../../../etc/passwd So I understand the melicious code is in the parameter context, so it's not checked due to the wildcard settings. But on the other hand, under the specific URL context, there are several "XSS (parameters)" signatures enabled. Doesn't that mean that under that specific URL it should check for XSS in parameters signatures? Thanks
ASM don't block XSS
hi all, why the asm don't block this : "</script><script>window.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()</script>"><script>alert(150)</script>&arguments=-N2019,-A,-N325,-N0" all the XSS signature are enabled and i see in the security logs that there is some XSS attacks that get blocked.
viewing full request on ASM Reporting
Hi, Is there a way to get the full request on ASM Reporting? SOL12044 says default behavior is ASM truncates the request on ASM Reporting. https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12044.html Reason I asked is I am seeing traffic that matches Cross Site Scripting signature but it is not showing the violation details (eg. matching string, etc). Thanks in advance for the assistance.ASM Custom signature set behavior.
Hey Folks, Asking a query after a long. I found a limitation with ASM Custom Signature Set configuration, and I need your expert advise to confirm if my understanding is correct or not. We have got a requirement from a customer to block all Javascript based XSS attacks. (They have external pentesting team, who found that their application is vulnerable to XSS for every javascript events). Using the default ASM signature set, it didn't seem to working with Javascript event based XSS attack, however rest of the attacks were being blocked. To achieve customer's requirement, we designed a custom signature set, contains 39 different signatures for every events For eg. , onChange etc. and put all the signatures into a single signature set in ASM. Surprisingly, only first signature worked and rest 38 didn't. I'd take one signature from the list, and configure another signature set, and put this signature into the new signature set. And it worked. This seems that I must have to create individual signature set for individual signatures. Which I feel tedious and time consuming. Prone to error and increase administrative overhead. Could anyone please confirm if this is normal behavior? Is this a limitation of ASM? Thanks in advance, Darshan