Phu
Nov 28, 2020Nimbostratus
Solved
BigIP ASM can't block Command Execution Attack
My BigIP device is running on v16.0.1
I setup an ASM Policy and mapping many Attack Signature Sets included Command Execution.
I try to test with some of testcases. Such as:
- https://mydomain.com/product?test= ls /var/log
- https://mydomain.com/product?test= pwd
- https://mydomain.com/product?test= tail /var/../../config.php
All of testcases are allowed access without blocking.
ASM Policy is blocking mode, All Attack Signature are Enforce (not stagging). I see just only Command Execution is not working, the other Signature Sets are running well.
Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)
https://mydomain.com/product?test=/bin/ls /var/log https://mydomain.com/product?test=/sbin/pwd https://mydomain.com/product?test=`tail /etc/passwd