Hi everybody,

we are trying to protect Web Services. We implemented Content Profile protection.

When testing, we generate an attack inside a value of a Web service query, for example:

valor
valor ' or 1=1--
4444444

As is supposed, it generates an attack detection.

The problem is that the detection of this attack is done at URL (request) level, and not at a parameter or tag level. I am referring to an XML parameter or tag inside XML content.

If we need to make an exception for this attack, we have to disable the signature globally (for the entire profile).

So, is it possible to make exceptions at parameter or tag level using Content profiles?

 

Thanks and best regards


13 Answer(s):

Sorry, the forum erased the format of the example.

I'm attaching an image of it.

Sergio,

If you're on v11.2.x (I'm not sure about other versions) then you can. See: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_xml_profile.html#1060716

Hope this helps,
N

Nathan, thanks for the answer, and sorry for the omission. The version is 11.2.0 HF2.

In the chapter that you sent me, it says how to configure Attack signatures for content profiles. How to attach this content profile to an XML tag or parameter (I am referring to an XML parameter or tag inside XML content)?

I'm asking because we need to override some signatures but only for some XML tags or parameters.


Best regards

Sergio,

Do you have the parameter defined? If so you can assign a content profile to it - Parameter Value Type.

You can also assign the profile to a defined URL too.

HTH,
N

Nathan,

What you suggested are web parameters that contain XML content, instead of an XML parameter or tag inside XML content. I'm looking to override signatures in the second case.

Let me know if I'm wrong (I'm new with ASM and Web Services).

Thanks in advance

Best regards

 

Sergio,

You've got me there I'm afraid. Perhaps a more experienced ASM'er will pick up the post. Be interested to know myself.

Rgds
N

Hi,

If it is a SOAP web service, you have to do the following:
1. Create an XML content profile with schema files
2. Select the URL - change to advanced settings
3. Set all traffic to parse as XML and map the profile
4. Inside the content profile, you can disable the AS

Now, if you get an attack, you get "XML data does not comply with schema or WSDL document" or "Attack signature detected".
Now, you can disable the AS @ content profile

regards

Hi Torti, thanks for the answer.

Yes, it is a SOAP web service.

One more question: if the schema files are not available because the Web services developers do not provide them, is there another way to do what we need?

Thanks and Best regards

I think you don't need the schema files for doing what you want. You can save the profile without them. You have to test it.
But you only get real web service security with the schema files. So, they have to provide the files.
Depending on the server, you can download the schema files yourself via the URL of the web service. Appending the parameter wsdl should provide the WSDL of the web service (i.e. $webserviceurl?wsdl)

regards

Posted By Torti on 01/11/2013 06:10 AM
I think you don't need the schema files for doing what you want. You can save the profile without them. You have to test it.

 

Can you tell me how to configure this?

Thanks and best regards


 

Hi,

I already explained it in my message @ 10.1. above. You can use the policy builder, too. There you have to select the web service option.
When you create an XML content profile and you don't have the schema files, you only have to save the profile. That's it.
You can read the documentation @ ask.f5.com, too.
If you don't have any skills in this area, I recommend a workshop by a consultant. They are really helpful.

regards

Thanks for the answer and recommendations.

When you say:

When you create an XML content profile and you don't have the schema files, you only have to save the profile. That's it.


Does this have a relationship with the policy builder, or is it another option?

If it is an option: I have to specify in some place what XML parameter I want to protect. Am I right?

Also, I searched ask.f5.com but nothing seems to be what we are looking for.

Thanks and Best regards

If you don't get the schema files, it is like a normal web application policy and not like a web service policy.
You can map a xml content profile with a parameter, too.
You have to create the parameter, first. Then set it as xml parameter and map the content profile.

But again, you need the schema files for full security. You cannot validate the xml content or structure without it!
regards
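
To decide where an exception would have to be scoped, it helps to know which element inside the SOAP body actually carries the value that matched. The following is an added example, not part of the original thread and not F5 code: the regex is a constructed stand-in for an attack signature, and the SOAP envelope and its element names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for an attack signature (NOT an F5 ASM signature):
# a quote followed by a numeric tautology such as ' or 1=1
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s+(\d+)\s*=\s*\1", re.IGNORECASE)

# Constructed SOAP request; namespace and element names are hypothetical.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ex="http://example.com/ws">
  <soapenv:Body>
    <ex:lookup>
      <ex:name>valor</ex:name>
      <ex:comment>valor ' or 1=1--</ex:comment>
      <ex:account>4444444</ex:account>
    </ex:lookup>
  </soapenv:Body>
</soapenv:Envelope>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def locate_matches(xml_text, pattern=SQLI_TAUTOLOGY):
    """Return (path, value) for each element text or attribute that matches."""
    # Refuse DTDs before parsing so entity definitions are never expanded.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DTD not accepted")
    hits = []

    def walk(elem, path):
        here = f"{path}/{local_name(elem.tag)}"
        text = (elem.text or "").strip()
        if text and pattern.search(text):
            hits.append((here, text))
        for attr, value in elem.attrib.items():
            if pattern.search(value):
                hits.append((f"{here}/@{local_name(attr)}", value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits


if __name__ == "__main__":
    for path, value in locate_matches(SAMPLE_REQUEST):
        print(f"{path}: {value!r}")
```

The reported path identifies the single element whose value triggered the match, which is the granularity the original question asks about, as opposed to a match reported only against the request URL.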
