Recently a new ASM signature update was released including more than 40 new signatures all with the same criteria: “SQL information leakage”.

The obvious objective of using response signatures is to detect and block all sensitive information that returns from the application that may be used by an attacker to steal sensitive information, extend the exploit, and to learn more about application infrastructure. In other words, “use it and abuse it”.

While this reason is important enough, there are also other reasons for ASM administrators to activate these signatures. Response signatures can help an application administrator detect vulnerabilities in his application even when the application is not under attack.

Let’s say you have a validation flaw in your application that was never detected as part of the development life cycle, and the result of this validation flow is that the SQL server returns an SQL error that is injected unseeingly to the return HTML page. As strange as it sounds this scenario is common to many web applications. Since the error is not visually displayable to the end users, this vulnerability will remain as is, waiting to be exploited…

Tracking response signature matching in staging and production environments will improve the quality of the web application, and in the long term will solve potential security threats.

An example for such information leakage can be found in the page below, where you can see that wrong user input in the parameter CASELIST with the value 12333’ results in the SQL error: “Unclosed quotation mark after the character string”. This leakage also contains information on the server name, SQL username and SQL query, giving the attacker information that is priceless for leveraging the attack.


SQL error

Web Application firewalls, such as BIG-IP ASM, can be used in varies ways. Activating it for response signature matching can bring more value to the application administrator. One needs to remember that activating this functionality may require more system resources, therefore it should be done carefully.