danielpenna
May 10, 2016Cirrus
F5 ASM not trigger attack signature on Parameter
This is a bit of a head scratcher, having a discussion around a particular attack signature that uses the word "mount" in it. Its the usual type you get when your dealing with the "OS Execution" type signatures in that there is the following:
- "mount" execution attempt ( Signature ScopeParameter/Cookie, XML, JSON, GWT )
- "mount" execution attempt (Header)
- "mount" execution attempt (URI)
If the user passes "" then we trigger on the URI event.
But if he passes "" then it SHOULD trigger on the generic ( 1st in list signature ) "mount" signature.
Now I went and 100% confirmed that we do NOT have staging active on the parameters, nor due we have any URI specific settings that match this with signatures turned off. I am rather lost for an explanation on why this would be the case.