Forum Discussion

Joachim_Roessne
Oct 27, 2015

ASM: Disable violations for a certain URL

Hi All,

I have an ASM security policy for SharePoint (it was created by someone else). Unfortunately, there is a site in SharePoint for pentesters. A discussion board and so on... As you can imagine, the ASM is going crazy for all the discussions and uploads around common security leaks.

My thought was that I create a wildcard URL like

/sites/pentest/*

and as Request Body Handling "Do Nothing". But that doesn't work at all. ASM is still complaining. For example, in a request like this:

GET /sites/pentest/Lists/Discussion%20Board/'';!--XSS=

The ASM throws an "Illegal meta character in parameter name" violation.

Is there a way to allow any content for a specific URL? Or maybe another approach to handle this?

Thanks and regards, Joachim

7 Replies

  • If you know the IP address of the source, whitelist the address and it will bypass the ASM signature match.

     

    -Jinshu

     

  • There are several pentesters around. I don't recognize if a new member to the site is added. I would always have to manage this whitelist. I would prefer a more comfortable way :-)

     

    Joachim

     

  • This one is driving me crazy. I can't figure out how to tell ASM to not inspect requests that belong to /sites/pentest/*

    It is still complaining with requests like

    /sites/pentest/lists/discussion0x20board/style0x20type=textcssbodybackgroundurl(javascriptalert('xss'))style

    Of course it detects an attack signature on that URL. But how to allow that for a certain URL?

    Any suggestions? Maybe the only way is to disable ASM by iRule when a request for /sites/pentest arrives. But that's not a good solution.

    - Joachim

  • nathe

    Joachim,

     

    My view would be to create a separate ASM policy for the pentest site and then use a Local Traffic Policy or iRule to point traffic to /sites/pentest to the new ASM policy. This policy can be amended without compromising the other areas of your website.

     

    Hope this helps,

     

    N

     

  • Hi Joachim,

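    Try using the iRule below to bypass the ASM. Let me know if this helps.

    when HTTP_CLASS_SELECTED {
        # Keep ASM inspection on by default for every request
        ASM::enable
        # Skip inspection only for requests under the pentest site
        if { [HTTP::uri] starts_with "/sites/pentest/" } {
            ASM::disable
        }
    }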
    

    -Jinshu

  • Dan_L1

    You can also use policies.

     

    Local Traffic > Policies > asm_l7_policy_whatever.website.com > under Rules click on Add, give it a name, like policy_whitelist, operand: http-uri (leave the rest of the fields default) > condition: choose equals/contains/etc., value = your URI, click Add, then click the Add further down where operand/event/etc. is located.

     

    In the Actions area, target > asm, action > disable. Click Add where target/event/etc. are, and then Finished.

     

    Then once back at the main policy page, do a re-order and move the policy_whitelist you created above default, so it will disable on the URI string prior to hitting the default ASM enable. Once you've done this once or twice, it's pretty simple and can be used a lot.

     

    The above iRule by Jinshu also works (does the same thing).
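
Both the iRule and the policy rule above decide the ASM exemption from the request URI, so it helps to check which URIs a raw prefix comparison would leave uninspected. The Python sketch below is an added example, not code from the thread or from F5: it models the comparison offline, and the sample URIs (other than the first, which is from the question), the function names, and the decoding, case-folding and backslash handling are assumptions about how the backend resolves paths.

```python
import posixpath
from urllib.parse import unquote

EXEMPT_PREFIX = "/sites/pentest/"  # prefix used in the thread's iRule

def raw_prefix_match(uri):
    """Model of `[HTTP::uri] starts_with "/sites/pentest/"` on the raw URI."""
    return uri.startswith(EXEMPT_PREFIX)

def resolved_path(uri, max_rounds=3):
    """Path the backend is assumed to serve: decoded, lowercased, dot-segments removed."""
    path = uri.split("?", 1)[0]
    for _ in range(max_rounds):            # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lower()  # assumption: IIS-style path handling
    return "/" + posixpath.normpath("/" + path.lstrip("/")).lstrip("/")

def resolved_match(uri):
    """True only if the resolved path is the pentest site or lies beneath it."""
    return (resolved_path(uri) + "/").startswith(EXEMPT_PREFIX)

def out_of_scope(uris):
    """URIs a raw prefix rule would exempt although they resolve elsewhere."""
    return [u for u in uris if raw_prefix_match(u) and not resolved_match(u)]

# Sample request URIs: the first is from the question, the rest are constructed.
SAMPLE_URIS = [
    "/sites/pentest/Lists/Discussion%20Board/'';!--XSS=",
    "/sites/pentest/../hr/default.aspx",
    "/sites/pentest/%2e%2e/hr/default.aspx",
    "/Sites/PenTest/Lists/x",
    "/sites/hr/default.aspx",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{raw_prefix_match(uri)!s:5} {resolved_match(uri)!s:5} {uri}")
    print("exempted but outside the pentest site:", out_of_scope(SAMPLE_URIS))
```

Any URI returned by `out_of_scope` would skip ASM under a raw prefix rule while being served from outside the pentest site, so the exemption should be matched against the normalized path.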

     

  • Hi Dan,

     

    Tried your method for a different scenario, but it works great. Never played around with this section, but it seems to be very powerful and useful as well.

     

    Thank you!

     

    Ciao Stefan :)