XML Attack Signatures

Question

Hi,&nbsp;
&nbsp;I am new to this forum and am hoping to get some assistance on XML attack signatures.&nbsp;
&nbsp;We have a standard HTTP POST request that contains an XML message in the body.
&nbsp;The content type is set as application/xml; charset="utf-8".&nbsp;
&nbsp;The attack signature "xml tag (Parameter)" is being triggered on the following XML prolog:&nbsp;
&nbsp;xml version="1.0" encoding="UTF-8"  (The opening/closing angle brackets and question mark are omitted)&nbsp;
&nbsp;This looks like pretty standard XML to me. Anyone help with why this is being triggered?
&nbsp;Do I need to specify an XML profile for the URL?&nbsp;
&nbsp;Any help would be greatly appreciated.&nbsp;
&nbsp;Ken&nbsp;

hooleylist · Answer

Hi Ken, 
&nbsp;  
&nbsp; That attack signature matched any XML tag.  You could either disable that signature or create a custom XML profile and add it for the URI filtering on a content-type of *xml*. 
&nbsp;  
&nbsp; Aaron

ken_49643 · Answer

Thanks Aaron. 
&nbsp;  
&nbsp; I had assumed that since the content type was specified as application/xml the attack signatures wouldn't match on valid XML. 
&nbsp;  
&nbsp; Ken

Forum Discussion

XML Attack Signatures

2 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Live Update- ASM attack signatures

The HTTP/2 CONTINUATION frame attack

Default Attack Signature Sets