ASM Attack signatures on URL/parameter

Question

Hi,&nbsp;
I am trying to figure out violation logging when both URL and parameter is involved. Tested on 13.1.0.8&nbsp;
Request:&nbsp;
Post to URL: /post1Parameter in form (request body): parameter1Policy in TransparentParameters on URL levelEncoded XSS string in parameter1
Depending on staging setting results are like that:&nbsp;
URL staging: DisabledParameter staging: Enabled
Request reported in Event log:
Status: LegalViolation rating: 4Violations detected: Illegal meta character in value, Attack signature detected

And second setting:&nbsp;
URL staging: EnabledParameter staging: Disabled
Request reported in Event log:
Status: IllegalViolation rating: 4Violations detected: Illegal meta character in value, Attack signature detected

Above suggest that violation detection is only performed on parameters.&nbsp;
Still it is a bit misleading that for first staging setup violation is detected in exactly the same way as for second but request is reported as Legal.&nbsp;
Now Attack signature settings changed (both URL and parameter with staging disabled)&nbsp;
Check attack signatures on this URL: DisabledCheck attack signatures on this parameter: Enabled
Request reported in Event log:
Status: IllegalViolation detected: Illegal meta character in value

And second setting:&nbsp;
Check attack signatures on this URL: EnabledCheck attack signatures on this parameter: Disabled
Request reported in Event log:
Status: IllegalViolation detected: Illegal meta character in value

From previous test it looked like only parameter signatures cause request to be reported as Illegal, but from above it seems that Attack signatures has to be checked on both URL and parameter to trigger Attack signature detected.&nbsp;
Results are quite confusing here.&nbsp;
I would expect results like that:&nbsp;
No matter if staging is disabled both request should be listed as IllegalIf only parameter Attack signatures are causing request to be Illegal then disabling Attack signatures on URL should still trigger Attack signatures violation.
How Event Log entry for request with:&nbsp;
Status: LegalViolation rating: 4
should be interpreted in compare to one where status is Illegal?&nbsp;
Piotr &nbsp;

nathe · Answer

Piotr,&nbsp;
A violation on an object that is in Staging has always been classed as Legal...perhaps not an intuitive way of doing things, but been the ASM way and something I've had to remember over the years. Essentially Staging is monitoring the object for its properties so, I suppose, ASM can't judge whether (in your case) the metacharacter is required, or in the case of a file type the query length it sees is correct, so its classed by default as Legal.&nbsp;
So, your initial two tests are as I would expect. And illegal meta character in value is a parameter only check, as per the Blocking Settings.&nbsp;
The second test is odd as there no longer appears to be an "attack signature detected" violation. &nbsp;
I suspect if you add the metacharacters on the parameter i.e. make them allowed, and ran the same tests the "attack signature detected" violation would occur.&nbsp;
Hopefully.&nbsp;
N&nbsp;

Forum Discussion

ASM Attack signatures on URL/parameter

1 Reply

Recent Discussions

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Live Update- ASM attack signatures

Default Attack Signature Sets

Attack Signature False Positive Mode