TSPD and Javascript Challenge
Hi DevCentral community! I have a problem with the ASM and Javascript challenge, let me explain you what is happening, what is configured and what I searched :) 1) - I have configured an ASM Policy, on V12.1.2, where DoS protection is disabled, CSRF Protection is disabled and Web Scraping is disabled (this is not decided by me, it's a money thing between boss-client). 2) - Since the ASM was enabled in blocking mode, after 21 days of learning period, a pop-up appears when users try to edit Documents from SharePoint: The URL is https://XXX/TSPD/..... 3) - I read the Proactive Bot defense Guide and the Web Scraping Bot Detetion article also, I 've searched on DevCentral for similar problems Even I read this I'm not sure 100% sure why is happening this issue. Seems, per this question that even if everything is off, challenge can be set. I'm not sure how to solve it, this is what I understood that I have to do: Whiteliste on a LTM policy the resource path (disable the ASM) Whitelist on a LTM policy /TSPD/ and /TSbd/ path (disable the ASM) Check that javascript is enabled on the Browser Disable the caching of dynamic pages by injecting 'Cache-Control: no-cache' Thanks for your time and your help! Regards
F5 Rules for AWS WAF - Rule ID to Attack Type Reference
F5 offers security solutions for AWS customers who use the platform's hosting and load balancing services along with the AWS WAF offering. F5 Rules for AWS WAF - Web exploits OWASP RulesF5 Rules for AWS WAF - Bot Protection RulesF5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE)F5 Rules for AWS WAF - API Security Rules With the recent addition of logging capabilities of requests that had a match with one of the rule sets, there is now an option to: See the full request that had a match with the rule ID. Understand the attack type that relates to the rule ID. Remove specific rule ID from the rule set in the case it generates false positives. The following CSV maps between rule IDs and attack types, and will help customers of the F5 Rules for AWS WAF products to better manage rule exclusions in their Access Lists. For more details on AWS-WAF logging configuration please visit:https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
Analyzing F5 OWASP rule matches
I am seeing lots of requests that match the following rules: rule_XSS_script_tag__Parameter__AllQueryArguments_Body rule_div_tag__behavior__Parameter__AllQueryArguments_Body rule_chmod_execution_attempt__Parameter__AllQueryArguments_Body rule_SQL_INJ_end_quote_UNION__Parameter__AllQueryArguments_Body How can I determine why the requests are matching? #F5 rules for AWS WAF
Detail of AWS WAF - Web Exploits Rules by F5's Rule
When we upload the Excel file, it is blocked by Web Exploits Rules by F5's Rule. please see below WAFlog. ----------------------------------------------------------------------- {"timestamp":1637571625959, "formatVersion":1, "webaclId":"9e22227d-1fba-4844-a34b-43d35b20b2ae", "terminatingRuleId":"8b270c08-5d30-4940-a5bb-02e74c11b38f", "terminatingRuleType":"GROUP", "action":"BLOCK", "terminatingRuleMatchDetails":[], "httpSourceName":"ALB", "httpSourceId":"XXXXXXXXX-app/XXXXXXXXServer/XXXXXXXXXXXXXXXXXXX", "ruleGroupList":[{"ruleGroupId":"8b270c08-5d30-4940-a5bb-02e74c11b38f", "terminatingRule":{"ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36", "action":"BLOCK", "ruleMatchDetails":null}, "nonTerminatingMatchingRules":[], "excludedRules":null}], "rateBasedRuleList":[], "nonTerminatingMatchingRules":[], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest":{"clientIp":"XX.XXX.XX.XXX", "country":"JP", "headers":[{"name":"host", "value":"xxxxxxxxxxxxxxxxxxxx.com"}, {"name":"content-length", "value":"512302"}, {"name":"sec-ch-ua", "value":"\"Google Chrome\";v=\"95\", \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\""}, {"name":"accept", "value":"application/json, text/javascript, */*; q=0.01"}, {"name":"content-type", "value":"multipart/form-data; boundary=----WebKitFormBoundaryN8QBl8AUNfmYGqws"}, {"name":"x-requested-with", "value":"XMLHttpRequest"}, {"name":"sec-ch-ua-mobile", "value":"?0"}, {"name":"user-agent", "value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"}, {"name":"sec-ch-ua-platform", "value":"\"Windows\""}, {"name":"origin", "value":"https://xxxxxxxxxxxxxxxxxxxxxxxxx.com "}, {"name":"sec-fetch-site", "value":"same-origin"}, {"name":"sec-fetch-mode", "value":"cors"}, {"name":"sec-fetch-dest", "value":"empty"}, {"name":"referer", "value":"https://xxxxxxxxxxxxxxxxxxxxx.com/xxxxx/xxxxxxx/xxxxxxxxx/xxxx"}, {"name":"accept-encoding ", "value":"gzip, deflate, br"}, {"name":"accept-language", "value":"ja,en-US;q=0.9,en;q=0.8"}, {"name":"cookie", "value":"JSESSIONID=04DE9DEA76FDF48733FE23D7F5029B43; MP_PORTAL_SID=xxxxxxxxxxxxxxx; AWSALBTG=xxxxxx/xxxxxxxx; AWSALBTGCORS=xxxxxxxxx"}], "uri":"/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxxx/xxxxxxxx", "args":"", "httpVersion":"HTTP/2.0", "httpMethod":"POST", "requestId":"1-619b5c29-13a199306dd99bbd6753a9c9"}} ----------------------------------------------------------------------- then, When we add "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" to WAF as White list, Excel file is not blocked & uploaded successfully. so, We assume that it blocks Excel file. what is the "ruleId":"c0ae2d87-48f1-4813-9e91-3e723f8d7b36" ? Cloud you let us know the detail of this ruleId? Can we know what is wrong of Excle file? thanks.
