Forum Discussion

Ashish_205344
Nimbostratus
Aug 17, 2017

Risk of excepting "xml data does not comply with schema or wsdl document"

I have set up an XML Profile and am getting some requests blocked due to "xml data does not comply with schema or wsdl document". After analysing the requests, if my SOAPAction header is blank the request is blocked, while if it comes as a URL it works. The W3C specification says: "The header field value of empty string ("") means that the intent of the SOAP message is provided by the HTTP Request-URI. No value means that there is no indication of the intent of the message." So I believe F5 should be respecting all the possible values here, but in reality it is not. I can add an exception in the violation settings but am not sure of the risk involved. Can anyone please help here?


1 Reply

  • Adding an exception means that you may miss an attack. If you believe that the culprit is the empty SOAPAction header, then it might make sense to remove it with an iRule, if it is empty, before the request hits the ASM policy.


    The empty SOAPAction header is a bit of a grey area really, coming from a 17-year-old spec dated 2000, while the HTTP spec from 1999 says that each header must have a value...


    You may have hit an interesting case. I suggest that you raise a support case with F5 with examples of the ASM behaviour you are observing with SOAPAction being empty, having two sets of double quotes, and having the action as its value.
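One way to write the iRule the reply suggests, as an added example that is not part of the original thread and not F5's own code. It assumes the ASM policy is attached to the same virtual server and that the HTTP_REQUEST event runs before ASM inspects the request; the handling of the doubly-quoted `""` value, the `string trim`, and the log line are additions for this example.

```tcl
# Added example (not from the original post): strip a SOAPAction header that
# carries no action, so the request reaches the ASM policy without the empty
# header that triggers "xml data does not comply with schema or wsdl document".
# Assumptions: HTTP_REQUEST fires before ASM inspects the request on this
# virtual server, and the backend does not depend on the empty header.
when HTTP_REQUEST {
    if { [HTTP::header exists "SOAPAction"] } {
        # SOAP 1.1 clients send the header absent, as an empty value, or as
        # two double quotes ("") with optional surrounding whitespace.
        set action [string trim [HTTP::header value "SOAPAction"]]
        if { $action eq "" || $action eq "\"\"" } {
            # Record the change so it can be correlated with the ASM event
            # log when reviewing what the policy did and did not see.
            log local0. "Removed empty SOAPAction from [IP::client_addr] [HTTP::method] [HTTP::uri]"
            HTTP::header remove "SOAPAction"
        }
    }
}
```

Before relying on this, test it with all three variants the reply lists (empty, `""`, and a real action URI) against the policy in transparent mode. Per the SOAP 1.1 text quoted in the question, an absent header means "no indication of intent" while an empty one delegates intent to the Request-URI, so confirm the backend service does not distinguish the two cases before removing the header in production.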