Forum Discussion

Nguyen_Viet_Dun
Jul 18, 2018

F5 ASM Signature Could Not detect XSS Attack

We detect an XSS attack on the web server, but F5 ASM could not detect the eval command execution:

/AAAA?category=all&text=*/1:eval.call(0,atob(%27YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=%27))})//

/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))%7D)//

/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))})//

2 Replies

  • nathe

    I note there are 13 attack signatures containing the "eval" string, do you have them all assigned to your policy and not in Staging mode?

  • Marking this as answered as the issue was raised as an SR with F5 Networks Support and addressed in a subsequent ASU release.

    It is recommended to update the Attack Signatures on an ASM/Advanced WAF device when new releases become available, for up-to-date protection and enhancements in detection methods.

    From 13.1.0.4 ASM with updated Attack Signatures (Update: v13.1.0/ASM-SignatureFile_20190114_163855):

    Detected Keyword: text=*/1:eval.call(0,atob(YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=))})//
    Attack Signature:
      Signature ID: 200001324
      Signature Name: eval() (Parameter)
    Context: Parameter (detected in Query String)
    Parameter Level: Global
    Actual Parameter Name: text
    Wildcard Parameter Name: *
    Parameter Value: */1:eval.call(0,atob(YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=))})//
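As an added illustration (not F5's code and not the body of the real signature), the following Python sketch models what the two replies turn on: a parameter-level keyword signature only fires if it is assigned to the policy, only blocks if it is out of Staging, and only catches all three reported encodings (%27, %7D, plain) if the query string is decoded before matching. The signature ID and name are taken from the answer above; the regex and the assigned/staged sets are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The three request URIs reported in the question (quoted from the thread).
PAYLOADS = [
    "/AAAA?category=all&text=*/1:eval.call(0,atob(%27YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=%27))})//",
    "/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))%7D)//",
    "/AAA?category=all&text=*/1:eval.call(0,atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='))})//",
]

# Signature ID and name are the ones shown in the accepted answer; the pattern is an
# assumed stand-in for illustration, not the content of F5's real signature.
SIGNATURES = {
    200001324: ("eval() (Parameter)",
                re.compile(r"\beval\s*(?:\.(?:call|apply))?\s*\(", re.IGNORECASE)),
}

def normalize(value):
    """Percent-decode until stable so double-encoded input (e.g. %2527) is also
    reduced to the plain text the signature is written against."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def inspect_request(uri, assigned, staged):
    """Check each query-string parameter against the assigned signatures.
    Returns (blocked, findings); a finding is (sig_id, sig_name, param, value, action).
    A signature not assigned to the policy never fires; one that is assigned but
    still in Staging only logs ('alarm') instead of blocking, which is why nathe
    asks whether the eval signatures are assigned and out of Staging."""
    findings, blocked = [], False
    for param, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        value = normalize(raw)  # parse_qsl decoded once; the loop handles further rounds
        for sig_id, (sig_name, pattern) in SIGNATURES.items():
            if sig_id not in assigned or not pattern.search(value):
                continue
            action = "alarm" if sig_id in staged else "block"
            blocked = blocked or action == "block"
            findings.append((sig_id, sig_name, param, value, action))
    return blocked, findings

if __name__ == "__main__":
    for uri in PAYLOADS:
        print(inspect_request(uri, assigned={200001324}, staged=set()))
```

All three URIs decode to the same parameter value, so a signature that matches the decoded text covers the %27 and %7D variants without needing a separate pattern for each encoding.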