And how BIG-IP ASM mitigates the vulnerabilities.
Vulnerability | BIG-IP ASM Controls | |
A1 | Injection Flaws | Attack signatures Meta character restrictions Parameter value length restrictions |
A2 | Broken Authentication and Session Management | Brute Force protection Credentials Stuffing protection Login Enforcement Session tracking HTTP cookie tampering protection Session hijacking protection |
A3 | Sensitive Data Exposure | Data Guard Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
A4 | XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE) XML content profile (Disallow DTD) (Subset of API protection) |
A5 | Broken Access Control | File types Allowed/disallowed URLs Login Enforcement Session tracking Attack signatures (“Directory traversal”) |
A6 | Security Misconfiguration | Attack Signatures DAST integration Allowed Methods HTML5 Cross-Domain Request Enforcement |
A7 | Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”) Parameter meta characters HttpOnly cookie attribute enforcement Parameter type definitions (such as integer) |
A8 | Insecure Deserialization | Attack Signatures (“Server Side Code Injection”) |
A9 | Using components with known vulnerabilities | Attack Signatures DAST integration |
A10 | Insufficient Logging and Monitoring | Request/response logging Attack alarm/block logging On-device logging and external logging to SIEM system Event Correlation |
Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:
200018018 External entity injection attempt
200018030 XML External Entity (XXE) injection attempt (Content)
Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
