Forum Discussion

coda6_52611
Feb 23, 2009

ASM and XSS

We had our website security audited recently with it sitting behind our 6400 with an ASM. The ASM was configured and had been learning for a few months, and we turned it on to finally start blocking attacks and had some XSS attempts get through. We checked our settings and I found that XSS was addressed and supposedly blocked in our Generic Detection Signatures. At least it's my understanding that these signatures are being used since they are referenced in our Policy Attack Signature Set.

The question we have is, do we need to turn something else on to block these attacks, or does Ziv need to come back out and work on our ASM?

Thanks,

Ken

5 Replies

  • Hi Ken,

    I'd send Ziv an email. I'm sure he'd be happy to help you get started in diagnosing/fixing the issue.

    Most of the XSS-related signatures are in the "All Systems" set. Do you have this set enabled? Are the signatures out of staging? Is the policy in blocking mode for 'Attack Signature detected'?

    Where in the request is the XSS? Is it in a parameter value, parameter name, header value, object, etc.? Do you have a wildcard object and/or parameter defined? What is the text of the attack? Can you post the HTTP headers/body of the attack example?

    Aaron
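A small way to work through Aaron's checklist from the outside, added here as an example and not code from the thread or from F5: after re-sending one test request per injection point (parameter value, parameter name, header value) against the policy, sort the captured responses into "blocked" and "passed". A signature that is still in staging, or a policy that is in transparent mode, lets the request through and only logs it, so the response body is the evidence. The example assumes the policy serves the stock ASM "Request Rejected" page, which carries a support ID and (by default) is returned with HTTP 200, so the status code alone is not a reliable signal; the responses below are constructed samples.

```python
import re

# Stock ASM block page (assumption: the policy uses the default response page).
# The support ID is what you look up in the ASM request log to see which
# signature fired and whether it was in staging.
BLOCK_PAGE = (
    "<html><head><title>Request Rejected</title></head><body>"
    "The requested URL was rejected. Please consult with your administrator."
    "<br><br>Your support ID is: 1234567890123456789<br><br>"
    "<a href='javascript:history.back();'>[Go Back]</a></body></html>"
)

# Constructed sample captures: (injection point tested, HTTP status, body).
# The "parameter name" probe came back with the application's normal page,
# i.e. it was not blocked.
SAMPLE_RESPONSES = [
    ("parameter value", 200, BLOCK_PAGE),
    ("parameter name", 200, "<html><body><h1>Search results</h1></body></html>"),
    ("header value", 200, BLOCK_PAGE.replace("1234567890123456789",
                                              "9876543210987654321")),
]

SUPPORT_ID_RE = re.compile(r"Your support ID is:\s*(\d+)")


def classify(status, body):
    """Return ('blocked', support_id) when ASM served its block page,
    otherwise ('passed', None). The status argument is kept for logging
    only: the default block page is served with 200, so it cannot be
    used to tell the two cases apart."""
    match = SUPPORT_ID_RE.search(body)
    if match and "Request Rejected" in body:
        return ("blocked", match.group(1))
    return ("passed", None)


def audit(responses):
    """Summarise which injection points were blocked.

    Returns {'blocked': {point: support_id}, 'passed': [point, ...]}.
    Anything in 'passed' is where to look next: is the signature in
    staging, is the set enabled, is the wildcard parameter/object
    covering that location, is the policy in blocking mode?"""
    result = {"blocked": {}, "passed": []}
    for point, status, body in responses:
        verdict, support_id = classify(status, body)
        if verdict == "blocked":
            result["blocked"][point] = support_id
        else:
            result["passed"].append(point)
    return result


if __name__ == "__main__":
    summary = audit(SAMPLE_RESPONSES)
    for point, support_id in summary["blocked"].items():
        print(f"BLOCKED  {point:16s} support ID {support_id}")
    for point in summary["passed"]:
        print(f"PASSED   {point:16s} check staging / set / wildcard / blocking mode")
```

The support IDs collected for the blocked cases are the handle for correlating each test with the ASM request log entry, and the passed list is the set of locations whose coverage still needs the configuration checks in Aaron's reply.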
  • Yeah, I chatted with Ziv yesterday. But we got sidetracked with the Oscars and beer.

    I'm slowly learning about the staging and how to get items out of staging and into a policy. So I think we got things covered.

    One thing I noticed was that the support docs describe a different ASM layout than I have for my ASM. How do I check which version of ASM I am running? Is it the same as my LTM version?

    Thanks

    Ken
  • Hi,

    Where can I see the description of some sets like 'Various Systems', 'All Systems' and so on?

    Thanks

    Kai
  • Benjamin_9036
    Historic F5 Account

    Hey albarus,

    You can see which signatures are part of the System-specific sets using the filters when looking at the signatures on your ASM. Try browsing to the ASM UI -> Options -> Attack Signatures and expand the filter there. You can choose to view only signatures that match the sets you are looking for and determine which signatures are contained in a set. =]