MSZ
Feb 24, 2016

Signature ID is required

Can anyone identify the signature IDs on WAF for the following cases?

 

Cross-Site Scripting: Reflected
Cross-Site Scripting vulnerabilities were verified as executing code on the web application. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site.

Cross-Site Scripting (Web)
Insufficient user input validation in the application allows attackers to inject arbitrary HTML tags (including JavaScript, etc.) to a user’s browser.

Cross-Site Scripting (XSS), Persistent
The application is vulnerable to Cross-Site Scripting (XSS) attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages.
• By modifying the user-supplied values, Trustwave was able to store special characters and code in the application, which may then be executed by other users.
• This type of attack may be used to steal information such as usernames and passwords, sensitive information, remotely control or monitor the victim's browser, or impersonate a web page used to gather order information, including credit card numbers.
• An attacker could exploit this vulnerability to store malicious code on a page, which when viewed by another user or administrator in the future would send session information or browser keystrokes to the attacker, allowing them to hijack or spy on the user's session.
• This requires little to no interaction between the attacker and the victim, only that the victim visits the page in the application which displays the malicious script.
• Please note that the XSS payload is stored using the normal (RBWeb) account interface but reflected on the mobile site.

Web Server Misconfiguration: Unprotected Directory
A backup directory with a (copy) suffix has been detected on the target server. It might contain sensitive artifacts such as source code and design documents relevant to the site.

Web Server Misconfiguration: Unprotected File
It contains multiple server content including: CSS, images, pdf, html, js, jar, jsp, xml, fonts.

 

3 Replies

  • These look like scan results from Trustwave. Can you import the XML file from the scan into an ASM policy? The vulnerabilities that ASM can mitigate will then be listed. Otherwise, go to Application Security: Attack Signatures, and then filter the Policy Attack Signatures list by "Signature name contains" and enter "XSS", etc. You should get a large list of signature names and their IDs. The two examples at the bottom of your list are not associated with any attack signatures, however.

     

  • This is part of this question and not a separate question as listed:

    SQL Injection
    The application does not properly validate user input. It allows a malicious user to conduct an attack aimed at the DB request logic change by means of SQL Injection. As a result, the attacker could interact with an SQL server bypassing the application logic under web application privileges.

    Unvalidated Forward
    Some scripts do not properly check an address of the resource to which a request is being forwarded. Thus, an attacker can get access to some resources bypassing application logic, in particular, it’s possible to bypass a web application firewall.

    Insufficient Protection from Brute Force Attacks
    An authentication form is not sufficiently protected from credentials guessing attacks. If simple or dictionary combinations are used as users’ credentials, unauthorized access under their accounts becomes possible.

    Open Redirect
    Open redirect could allow an attacker to control the user redirection. This vulnerability could be used for implementing attacks on users of the web application.

    Clickjacking (UI Redress)
    Clickjacking is an attack allowing an intruder to use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. An attacker is able to add an invisible iframe to the Customer’s site and obtain data from a victim thinking that information is put into the Customer’s application.

    Basic Authentication
    During Basic Authentication, user credentials are transmitted across the network using base64 encoding. Thus, an attacker, who has a possibility to intercept network traffic, can easily recover identifiers and passwords in plain text.

    Cross-Frame Scripting can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

    Cross-Site Scripting: Reflected
    Cross-Site Scripting vulnerabilities were verified as executing code on the web application. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site.

    Application Content Violation
    Ecorp user manual available without authorization, this will help the attacker to guess & enumerate the application logic & pages.

    Cross-Site Scripting (XSS), Reflected
    The application is vulnerable to Cross-Site Scripting (XSS) attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages.
      • By modifying the user-supplied data described below, Trustwave was able to inject arbitrary HTML in the application.
      • Exploiting this issue allows an attacker to define arbitrary client-side code (typically JavaScript) that will ultimately be rendered and executed by the end user's web browser.
      • This type of attack may be used to steal sensitive information such as usernames and passwords, perform session hijacking, remotely control or monitor the user's browser, or impersonate a web page used to gather order information, including credit card numbers.
      • As this issue was found to be systemic it carries a high risk rating and not medium. Some examples are included below.

    Cross-Site Scripting: Reflected
    Insufficient user input validation in the application allows attackers to inject arbitrary HTML tags (including JavaScript, etc.) to a user’s browser.

    Cross-Site Request Forgery
    Cross-Site Request Forgery is a vulnerability associated with an attack aimed at imitation of a user’s request to a third-party service. The vulnerability appears because the web application does not provide enough authorization checks to verify the source of request.

    Cross-Site Scripting (XSS), Persistent
    The application is vulnerable to Cross-Site Scripting (XSS) attacks. This occurs when web applications do not properly validate user-supplied inputs before including them in dynamic web pages.
      • By modifying the user-supplied values, Trustwave was able to store special characters and code in the application, which may then be executed by other users.
      • This type of attack may be used to steal information such as usernames and passwords, sensitive information, remotely control or monitor the victim's browser, or impersonate a web page used to gather order information, including credit card numbers.
      • An attacker could exploit this vulnerability to store malicious code on a page, which when viewed by another user or administrator in the future would send session information or browser keystrokes to the attacker, allowing them to hijack or spy on the user's session.
      • This requires little to no interaction between the attacker and the victim, only that the victim visits the page in the application which displays the malicious script.
      • Please note that the XSS payload is stored using the normal (RBWeb) account interface but reflected on the mobile site.

    Cross-Site Scripting
    Insufficient user input validation in the application allows attackers to inject arbitrary HTML tags (including JavaScript, etc.) to a user’s browser. A cross-site scripting attack against the application’s clients can be used to obtain user authentication information (like cookies), phishing or malware spreading.

    Unrestricted File Upload

    Excessive User Privileges
    An unprivileged user can forge commands sent to the server. As a result an intruder can access sensitive data by changing access settings for various user groups.

  • You are not likely to get an explicit answer to this question. For one thing, different versions of our code have different signature sets, and for another this list is constantly changing as our developers come out with new signatures to address new vulnerabilities.

     

    Some of these are not defended against by attack signatures, but by properly configuring your ASM. Most of these are defended against by groups of signatures, not just a single signature. I would suggest reviewing the ASM implementation guide. If you need more assistance with setting your ASM up, F5 has professional services that can help you get this configured. We also have Silverline where we will host an ASM for you.

     

    If you are attempting to achieve a specific end, a more specific question may get you a more specific answer.