
Disabling signatures for web services parameters

Updated 1/9/2013 • Originally posted on 09-Jan-2013 by Sergio Magra 93

 

 

Hi everybody,

we are trying to protect Web Services. We implemented Content Profile protection.

When testing, we generate an attack inside a value of a Web service query, for example:

valor
valor ' or 1=1--
4444444

As it is supposed to, it generates an attack detection.

The problem is that the detection of this attack is done at the URL (request) level, and not at the parameter or tag level. I am referring to an XML parameter or tag inside XML content.

If we need to make an exception for this attack, we have to disable the signature globally (for the entire profile).

So, is it possible to make exceptions at the parameter or tag level using content profiles?

 

Thanks and best regards
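
The difference between request-level and element-level detection that the question describes, as an added example (not part of the original post, and not how ASM works internally). The element names, the toy signature and the `inspect_request` helper are assumptions made for illustration; only the three values come from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed SOAP request. The element names are hypothetical: the forum
# stripped the tags from the original example, only the values survived.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <query>
      <name>valor</name>
      <comment>valor ' or 1=1--</comment>
      <account>4444444</account>
    </query>
  </soapenv:Body>
</soapenv:Envelope>"""

# Toy stand-in for a single attack signature (not an ASM signature).
SIGNATURES = {"sqli-tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def inspect_request(xml_text, exceptions=frozenset()):
    """Return [(element_path, signature)] for each matching element or attribute value.

    `exceptions` holds (element_path, signature) pairs to skip, so an override
    stays scoped to one element instead of the whole profile.
    """
    hits = []

    def check(path, value):
        for name, rx in SIGNATURES.items():
            if value and rx.search(value) and (path, name) not in exceptions:
                hits.append((path, name))

    def walk(node, parent):
        path = parent + "/" + local(node.tag)
        check(path, (node.text or "").strip())
        for attr, value in node.attrib.items():
            check(path + "/@" + local(attr), value)
        for child in node:
            walk(child, path)

    # Sample input is trusted; parse untrusted XML with a hardened parser.
    walk(ET.fromstring(xml_text), "")
    return hits
```

Reporting the element path with each hit is what makes a narrow exception possible: the same signature stays active for every other element in the request.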


Answers to this Question

13 Answers:

Updated 09-Jan-2013 • Originally posted on 09-Jan-2013 by Sergio Magra 93

Sorry, the forum erased the format of the example.

I'm attaching an image of it.

Updated 09-Jan-2013 • Originally posted on 09-Jan-2013 by nathan 5172
Sergio,

If you're on v11.2.x (I'm not sure about other versions) then you can. See: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_xml_profile.html#1060716

Hope this helps,
N
Updated 09-Jan-2013 • Originally posted on 09-Jan-2013 by Sergio Magra 93

Nathan, thanks for the answer, and sorry for the omission. The version is 11.2.0 HF2.

In the chapter that you sent me, it says how to configure attack signatures for content profiles. How do I attach this content profile to an XML tag or parameter (I am referring to an XML parameter or tag inside XML content)?

I'm asking because we need to override some signatures but only for some XML tags or parameters.


Best regards

Updated 09-Jan-2013 • Originally posted on 09-Jan-2013 by nathan 5172
Sergio,

Do you have the parameter defined? If so you can assign a content profile to it - Parameter Value Type.

You can also assign the profile to a defined URL too.

HTH,
N
Updated 09-Jan-2013 • Originally posted on 09-Jan-2013 by Sergio Magra 93

Nathan,

What you suggested are web parameters that contain XML content, rather than an XML parameter or tag inside XML content. I'm looking to override signatures in the second case.

Let me know if I'm wrong (I'm new to ASM and Web Services).

Thanks in advance

Best regards

 

Updated 09-Jan-2013 • Originally posted on 09-Jan-2013 by nathan 5172
Sergio,

You've got me there I'm afraid. Perhaps a more experienced ASM'er will pick up the post. Be interested to know myself.

Rgds
N
Updated 10-Jan-2013 • Originally posted on 10-Jan-2013 by Torti 716
Hi,

If it is a SOAP web service, you have to do the following:
1. create an XML content profile with schema files
2. select the URL - change to advanced settings
3. set all traffic to parse as XML and map the profile
4. inside the content profile, you can disable the AS

Now, if you get an attack, you get "XML data does not comply with schema or WSDL document" or "Attack signature detected".
Now, you can disable the AS @ content profile

regards
Updated 11-Jan-2013 • Originally posted on 11-Jan-2013 by Sergio Magra 93
Hi Torti, thanks for the answer.

Yes, it is a SOAP web service.

One more question: if the schema files are not available because the Web services developers do not provide them, is there another way to do what we need?

Thanks and Best regards
Updated 11-Jan-2013 • Originally posted on 11-Jan-2013 by Torti 716
I think you don't need the schema files for doing what you want. You can save the profile without them. You have to test it.
But you only get real web service security with the schema files. So, they have to provide the files.
Depending on the server, you can download the schema files yourself via the URL of the web service. Appending the parameter wsdl should provide the WSDL of the web service (i.e. $webserviceurl?wsdl).

regards
Updated 11-Jan-2013 • Originally posted on 11-Jan-2013 by Sergio Magra 93
Posted By Torti on 01/11/2013 06:10 AM
I think you don't need the schema files for doing what you want. You can save the profile without them. You have to test it.

 

Can you tell me how to configure this?

Thanks and best regards


 

Updated 14-Jan-2013 • Originally posted on 14-Jan-2013 by Torti 716
Hi,

I already explained it in my message @ 10.1. above. You can use the policy builder, too. There you have to select the web service option.
When you create an XML content profile and you don't have the schema files, you only have to save the profile. That's it.
You can read the documentation @ ask.f5.com, too.
If you don't have any skills in this area, I recommend a workshop by a consultant. They are really helpful.

regards
Updated 06-Feb-2013 • Originally posted on 06-Feb-2013 by Sergio Magra 93
Thanks for the answer and recommendations.

When you say:

When you create an XML content profile and you don't have the schema files, you only have to save the profile. That's it.


Is this related to the policy builder, or is it another option?

If it is an option: I have to specify in some place what XML parameter I want to protect. Am I right?

Also, I searched ask.f5.com but nothing seems to be what we are looking for.

Thanks and Best regards

Updated 07-Feb-2013 • Originally posted on 07-Feb-2013 by Torti 716
If you don't get the schema files, it is like a normal web application policy and not like a web service policy.
You can map an XML content profile to a parameter, too.
You have to create the parameter first. Then set it as an XML parameter and map the content profile.

But again, you need the schema files for full security. You cannot validate the xml content or structure without it!
regards