Does F5 have any anti-tampering feature for web content?

Hi Folks,

I am not sure if any of the F5 modules is capable of blocking web content tampering. For example, if a hacker injects a piece of malicious JS within a server response, does F5 have any feature to check the server response and find that malicious JS, or a link pointing to some bad-reputation host?

I understand a WAF is usually there to protect the web server before any nasty things really happen... but iRules/iRules LX are always so powerful at resolving many impossibilities :)

I think what BIG-IP needs to do is:

  1. Learn the server response.
  2. If any new link/JS is found, check its hostname/behavior/MD5 against either a local DB or a 3rd-party file reputation service, such as VirusTotal, and get a result.
  3. BIG-IP blocks/allows the server response based on step #2.

Thanks for any advice!
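
The three steps listed in the question above, sketched as an added example that is not part of the original post and is not F5 code: plain Node.js (the runtime iRules LX uses) with no BIG-IP API calls. The site, hostnames, HTML bodies and the `isBadHost` reputation callback are constructed assumptions, and only external `<script src>` hosts are checked.

```javascript
'use strict';
// Constructed sample data (hypothetical site and hosts).
const SITE = 'https://shop.example.test';
const KNOWN_GOOD = '<html><head><script src="/js/app.js"></script>' +
  '<script src="https://cdn.example.test/lib.js"></script></head></html>';
const TAMPERED = KNOWN_GOOD + "<script SRC='//evil.example.test/x.js'></script>";

// Return the hostname behind every <script src=...> in an HTML body.
// Regex matching is an approximation of a browser's HTML parser.
function scriptHosts(html, siteOrigin) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3];
    try {
      // Relative and protocol-relative URLs resolve against the site origin.
      hosts.add(new URL(src, siteOrigin).hostname.toLowerCase());
    } catch (e) {
      hosts.add('<unparseable>'); // never in a baseline, so always flagged
    }
  }
  return hosts;
}

// Step 1: learn which hosts serve scripts in known-good responses.
function learnBaseline(knownGoodBodies, siteOrigin) {
  const baseline = new Set();
  for (const body of knownGoodBodies) {
    for (const h of scriptHosts(body, siteOrigin)) baseline.add(h);
  }
  return baseline;
}

// Steps 2 and 3: look up hosts missing from the baseline, then decide.
// isBadHost is a hypothetical stand-in for a local DB or reputation service.
function inspectResponse(html, baseline, siteOrigin, isBadHost = () => false) {
  const unknown = [...scriptHosts(html, siteOrigin)].filter((h) => !baseline.has(h));
  const bad = unknown.filter((h) => isBadHost(h));
  const verdict = bad.length ? 'block' : unknown.length ? 'alert' : 'allow';
  return { verdict, unknown, bad };
}

const baseline = learnBaseline([KNOWN_GOOD], SITE);
console.log(inspectResponse(TAMPERED, baseline, SITE, (h) => h === 'evil.example.test'));
```

A script host that is new but has no bad reputation yields `alert` rather than `block`, so a legitimate site change does not take the page down before the baseline is relearned.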


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

First of all - how do you think the hackers are going to inject a malicious script into the responses of the server (which is behind the F5 WAF)? Most attacks happen over the web using Cross-Site Scripting (XSS) or SQL injection (SQLi) attacks. F5 ASM as a WAF can identify and block the malicious script injection attempt, as it will be a request.

There are ways to inject malicious scripts using man-in-the-browser/client-side malware, or through 3rd-party JavaScript already included in server responses being compromised. In such cases the F5 WebSafe module can help.

Comments on this Answer
Comment made 2 months ago by zack 60

Thanks for the response.

"how do you think the hackers are going to inject a malicious script into the responses of the Server (which is behind F5 WAF)?"

Let's say the hacker takes down the web server via the internal network or something like that. "Inject" is not accurate, but does ASM have the capability to detect any malicious code or link in the response? I can see some attack signatures will check the server response. Can any other feature do that as well?

Comment made 2 months ago by samstep 1923

Yes, the Fraud Protection Service (FPS) feature. It has Malware JavaScript signatures and External Script Injection protection.
