Nimbostratus
Wouldn't an Irule that replaces html tags < /> etc. be a natural fit?
I am going to try and write one I was just wondering if I am way off base here.
Don
Nimbostratus
One of our clients has been dinged by its auditing department for XSS vulnerabilities. The audit recommends:
"Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers."
It's been 5 years since this original message was posted. Are there new CodeShare additions that address this requirement?
Thanks a bunch,
Bill
Cirrostratus
I don't think it's practical to implement full XSS detection in an iRule. You could try, but I think you'd always be a few steps behind attackers. iRules don't current provide native methods for handling all of the encoding methods that an attacker could use. Not to give you a sales pitch, but F5 offers the ASM web app firewall. It does provide very complete XSS protection along with a lot of other positive and negative validations for SQL injection, bots, etc. And there are plenty of competitors you could check out as well.
Aaron
Nimbostratus
What you're saying makes good sense. It's time for me to check out the ASM module.
Bill
