Forum Discussion

May 10, 2016

F5 ASM not trigger attack signature on Parameter

This is a bit of a head scratcher, having a discussion around a particular attack signature that uses the word "mount" in it. It's the usual type you get when you're dealing with the "OS Execution" type signatures, in that there are the following:

  • "mount" execution attempt (Parameter/Cookie, XML, JSON, GWT)
  • "mount" execution attempt (Header)
  • "mount" execution attempt (URI)

If the user passes "" then we trigger on the URI event.

But if he passes "" then it SHOULD trigger on the generic (1st in list) "mount" signature.

Now I went and 100% confirmed that we do NOT have staging active on the parameters, nor do we have any URI-specific settings that match this with signatures turned off. I am rather lost for an explanation of why this would be the case.

1 Reply

  • Possibly your request does not match the particular attack detection signature, since the 'rui' string is directly appended to 'mount%20d'? Depending on the signature update revision, it may or may not be seen as an arbitrary code execution attempt. Give it another try with the same request, but without the 'rui' appendix.

    In any case, you're looking at a possible HTTP Query parameter violation. If blocking occurs due to a request where the violation is in the HTTP Query, it can only match the 3rd scenario ("mount" execution attempt URI). In the scope of Attack Detection Signatures, HTTP Query parameters are not handled as parameters. (For a parameter to be considered a parameter, it must be inside the request payload, not in the header.)

    Requests for your testing

    Test cases for 1st scenario (Parameter/Cookie, XML, JSON, GWT)

    In POST parameter (form-encoded body):
    curl 'https://x.x.x/' --data 'postParameter=mount%20d'

    In JSON data:
    curl 'https://x.x.x/' -H 'Content-Type: application/json' -X POST -d '{"jsonData":"mount%20d"}'

    Test case for 2nd scenario (HTTP Header)

    curl 'https://x.x.x/' -H 'httpHeader: mount%20d'

    Test cases for 3rd scenario (HTTP URI)

    In HTTP path:
    curl 'https://x.x.x/mount%20d/'

    In HTTP query:
    curl 'https://x.x.x/?queryParameter=mount%20d'

    Hope it will get you closer

    Regards,
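The scope split the reply describes (query-string fields count as URI, only entity-body fields count as parameters) is easy to get wrong when reading ASM event logs, so here is a small model of it as an added example. This is not code from the poster or from F5; `signature_scopes`, the `mount` token check and the request cases are constructed stand-ins for the real signature engine, used only to show which scope each of the reply's five curl requests would be evaluated under.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed, simplified model of the scope split the reply describes.
# It is not F5's signature engine; the token check below stands in for the
# real "mount" execution-attempt signature, which is more elaborate.
EXEC_TOKEN = re.compile(r"(?<![A-Za-z0-9_])mount(?![A-Za-z0-9_])", re.IGNORECASE)


def _matches(value):
    """True when the URL-decoded value contains the stand-in token."""
    return EXEC_TOKEN.search(unquote_plus(str(value))) is not None


def _leaf_values(doc):
    """Yield every scalar inside a parsed JSON document."""
    if isinstance(doc, dict):
        for v in doc.values():
            yield from _leaf_values(v)
    elif isinstance(doc, list):
        for v in doc:
            yield from _leaf_values(v)
    else:
        yield doc


def signature_scopes(url, headers=None, body=None):
    """Return the signature scopes a request would be checked under.

    Scopes follow the reply: 'uri' covers the path and the query string,
    'header' covers request headers, and 'parameter' covers entity-body
    fields (form-encoded or JSON) only. A query-string field is therefore
    reported as 'uri', never as 'parameter'.
    """
    headers = headers or {}
    scopes = set()
    parts = urlsplit(url)
    if _matches(parts.path) or _matches(parts.query):
        scopes.add("uri")
    for name, value in headers.items():
        if name.lower() != "content-type" and _matches(value):
            scopes.add("header")
    if body:
        ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
        if "json" in ctype.lower():
            try:
                doc = json.loads(body)
            except ValueError:
                doc = None
            if doc is not None and any(_matches(v) for v in _leaf_values(doc)):
                scopes.add("parameter")
        else:
            # curl --data sends application/x-www-form-urlencoded by default
            form = parse_qs(body, keep_blank_values=True)
            if any(_matches(v) for vals in form.values() for v in vals):
                scopes.add("parameter")
    return scopes


# Constructed requests mirroring the reply's curl test cases (url, headers, body).
CASES = {
    "post_form": ("https://x.x.x/", {}, "postParameter=mount%20d"),
    "post_json": ("https://x.x.x/", {"Content-Type": "application/json"}, '{"jsonData":"mount%20d"}'),
    "header": ("https://x.x.x/", {"httpHeader": "mount%20d"}, None),
    "path": ("https://x.x.x/mount%20d/", {}, None),
    "query": ("https://x.x.x/?queryParameter=mount%20d", {}, None),
}


def classify_cases():
    """Map each constructed case to the scope set it would be checked under."""
    return {name: signature_scopes(*req) for name, req in CASES.items()}


if __name__ == "__main__":
    for name, scopes in classify_cases().items():
        print(f"{name:10s} -> {sorted(scopes)}")
```

Running it shows the "query" case landing in the `uri` scope alongside the path case, while only the two POST bodies reach `parameter`; that is why a query-string payload can never fire the first signature in the poster's list even with staging off. The token regex is deliberately narrow (a whole-word `mount`), so it also illustrates the reply's first point that a differently delimited string may simply not match.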