Can I allow Buffer Overflow attack signatures in just an XML request?

Question

The website has an upload page where people can submit receipts. The request looks like this:
4AAQSkD6RXhpZgAuocAAcAAAgMAAAAPgAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....

We have determined that the "A"s represent the white space in the image and since it is a receipt, a large area of it is white, but this is throwing the Generic buffer overflow attempt 1 attack signature due to the large sequence of "A"s. The question is if there is a way to just turn off this signature for this URI. Since the overflow false positive is in the XML I do not know of a way to do this, and we do not what to have to turn off buffer overflow signatures for the whole site. We only have one policy for the whole site and are unable to use the LTM side to split up the traffic to different policies. Thank you.

gsharri · Answer

You can create an XML content profile, disable the attack signature in it and then assign the profile to a URL in your security policy.&nbsp;
You didn't say what version you are running. Here is some info for version 12.0. The config is basically the same for other versions:&nbsp;
Fine-tuning Advanced XML Security Policy Settings&nbsp;

gerlan_32355 · Answer

Hi Scott,&nbsp;
I used this irule to unblock ASM for an URL:&nbsp;
when ASM_REQUEST_DONE {&nbsp;
if {[ASM::violation names] contains "ATTACK_TYPE_BUFFER_OVERFLOW" and (([string tolower [HTTP::uri]] contains "/yourURL"))}
{&nbsp;
ASM::unblock&nbsp;
log local0. "ASM unblocking [HTTP::uri]"
}&nbsp;
}&nbsp;
look this documentation:&nbsp;
ASM::unblock - https://devcentral.f5.com/wiki/irules.asm__unblock.ashx
ASM::violation - https://devcentral.f5.com/wiki/irules.asm__violation.ashx
ASM Violation names/tables - https://devcentral.f5.com/wiki/irules.asm__violation_data.ashx
ASM_REQUEST_DONE - https://devcentral.f5.com/wiki/iRules.ASM_REQUEST_DONE.ashx
HTTP::uri - https://devcentral.f5.com/wiki/iRules.HTTP__uri.ashx&nbsp;

Forum Discussion

Can I allow Buffer Overflow attack signatures in just an XML request?

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Distributed caching of authentication requests with NGINX Ingress Controller

IIS 6.0 WebDAV Buffer Overflow

Logging DNS Requests

Wildcard Parameter signature attack

Live Update- ASM attack signatures