Forum Discussion

nathe
Sep 13, 2010

test block script

Hi all,

We used to have a test block script which we could enter into a field on our corporate website and trigger a block response. This was a quick way of testing ASM was working. This script isn't working now. In the ASM logs it's now classed as a legal request.

Can anyone share a test block script I can use to test ASM is blocking correctly?

Thanks in advance,

N

4 Replies

  • Tom_Spector_50
    Historic F5 Account
    Finding payload that triggers a block on your ASM is dependent on your configuration - for example if you are blocking on illegal file types, and do not have a wildcard file type - sending a request to a non defined file type would trigger a block.

    Thanks,

    Tom.
  • Hi Nathan, did you create scripts for testing different ASM policies? I just created some scripts to test the ASM policies (For example, XSS) to see if ASM can block the request, but I am not sure how the blocking response works? It will be great if you can share your experiences and I really appreciate it. Thanks!!
  • nathe
    I just did similar to you really, I crafted my own (very simple) XSS attacks. As Tom mentioned below, it's very much determined by the configuration. We blocked certain meta-characters, so simply using these in an input field caused a block.
  • Hi Nathan,

    I do usually test my ASM functionality with the "Nimda Worm" signature (aka an IIS-specific Escaped Character Decoding Command Execution Vulnerability).

    The Test-URI is rather handy and simple:

    http://www.example.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir

    Note: The string "/..%255c../" is the actual attack signature and would double decode on the serverside to "%5c" in the first round (security validated by IIS) and on the second round to "\" (not security validated by IIS).

    And the ASM response blocking functionality can be tested with an Error Page sending an unknown [HTTP::status] of, let's say, 666.

    Cheers, Kai
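As an added example (not from the thread or from F5), here is a small defender-side check that ties Kai's two points together: it shows how the `%255c` sequence decodes twice, and it sends the same Test-URI to your own site and reports whether the reply looks like an ASM block. The custom status 666 comes from the thread; the block-page phrase "Your support ID is" is assumed to be the default ASM response-page text and should be matched to whatever your policy's response page actually returns.

```python
"""Check that an F5 ASM policy still blocks a known test request.

Added example, not code from the thread. BLOCK_STATUS follows Kai's
custom [HTTP::status] idea; BLOCK_MARKER is an assumed default ASM
block-page phrase. Adjust both to your own policy's response page.
"""
import urllib.error
import urllib.parse
import urllib.request

TEST_PATH = "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"
BLOCK_STATUS = 666                    # custom status from the thread
BLOCK_MARKER = "Your support ID is"   # assumed default ASM block page text


def double_decode(path: str) -> str:
    """Decode twice, as vulnerable IIS did: %255c -> %5c -> backslash."""
    return urllib.parse.unquote(urllib.parse.unquote(path))


def classify(status: int, body: str) -> str:
    """Return 'blocked' if the reply looks like an ASM blocking page."""
    if status == BLOCK_STATUS or BLOCK_MARKER in body:
        return "blocked"
    return "passed"


def probe(base_url: str, path: str = TEST_PATH, timeout: float = 10.0) -> str:
    """Send the Test-URI to your own site and classify the response."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "asm-block-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # non-2xx, including 666, lands here
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify(status, body)


if __name__ == "__main__":
    import sys
    print("double-decoded path:", double_decode(TEST_PATH))
    if len(sys.argv) > 1:             # e.g. python asm_check.py https://www.example.com
        print("ASM result:", probe(sys.argv[1]))
```

Run it against a site you administer; "passed" means the policy is no longer blocking this signature, which is the situation the original question describes.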