Forum Discussion

Phu's avatar
Phu
Icon for Nimbostratus rankNimbostratus
Nov 28, 2020
Solved

BigIP ASM can't block Command Execution Attack

My BigIP device is running on v16.0.1

I setup an ASM Policy and mapping many Attack Signature Sets included Command Execution.

I try to test with some of testcases. Such as:

  • https://mydomain.com/product?test= ls /var/log
  • https://mydomain.com/product?test= pwd
  • https://mydomain.com/product?test= tail /var/../../config.php

All of testcases are allowed access without blocking.

ASM Policy is blocking mode, All Attack Signature are Enforce (not stagging). I see just only Command Execution is not working, the other Signature Sets are running well.

 

  • Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

    https://mydomain.com/product?test=/bin/ls /var/log
    https://mydomain.com/product?test=/sbin/pwd
    https://mydomain.com/product?test=`tail /etc/passwd 

2 Replies

  • Those won't trigger the relevant signatures - you either need some sort of escape character (` ; etc) to break the string handling or use a full path (/bin/ls, /sbin/ls)

    https://mydomain.com/product?test=/bin/ls /var/log
    https://mydomain.com/product?test=/sbin/pwd
    https://mydomain.com/product?test=`tail /etc/passwd 

    • Phu's avatar
      Phu
      Icon for Nimbostratus rankNimbostratus

      You are right.

      Escape character ( ` ) make ASM recognize Command Execution Attack.

      Thanks so much.