And how BIG-IP ASM mitigates the vulnerabilities.
| ID | Vulnerability | BIG-IP ASM Controls |
|---|---|---|
| A1 | Injection Flaws | Attack signatures; meta character restrictions; parameter value length restrictions |
| A2 | Broken Authentication and Session Management | Brute Force protection; Credential Stuffing protection; Login Enforcement; Session tracking; HTTP cookie tampering protection; Session hijacking protection |
| A3 | Sensitive Data Exposure | Data Guard; attack signatures (“Predictable Resource Location” and “Information Leakage”) |
| A4 | XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE); XML content profile with DTDs disallowed (subset of API protection) |
| A5 | Broken Access Control | File types; allowed/disallowed URLs; Login Enforcement; Session tracking; attack signatures (“Directory traversal”) |
| A6 | Security Misconfiguration | Attack signatures; DAST integration; Allowed Methods; HTML5 Cross-Domain Request Enforcement |
| A7 | Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”); parameter meta characters; HttpOnly cookie attribute enforcement; parameter type definitions (such as integer) |
| A8 | Insecure Deserialization | Attack signatures (“Server Side Code Injection”) |
| A9 | Using Components with Known Vulnerabilities | Attack signatures; DAST integration |
| A10 | Insufficient Logging and Monitoring | Request/response logging; attack alarm/block logging; on-device logging and external logging to a SIEM system; event correlation |
Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:
- 200018018 External entity injection attempt
- 200018030 XML External Entity (XXE) injection attempt (Content)
XXE attacks can also be mitigated with an XML content profile that disallows DTDs, with the “Malformed XML data” violation enabled as well so that requests the parser cannot process are blocked rather than passed through.
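As an added illustration (written for this page, not F5 code and not an ASM feature), the following Python check mimics what an XML content profile with DTDs disallowed and the “Malformed XML data” violation does on a request body: it records DOCTYPE and entity declarations, reports violations, and never resolves external entities. The sample bodies are constructed.

```python
import xml.parsers.expat

# Constructed sample request bodies (not from the original post).
SAMPLE_BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
SAMPLE_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b"<order><id>&ext;</id></order>"
)
SAMPLE_MALFORMED = b"<order><id>42</order>"


def check_xml_body(body: bytes, disallow_dtd: bool = True) -> list:
    """Return the violations an XML-profile style check would raise for `body`.

    Mirrors two ASM controls from the table above: "Disallow DTD" and the
    "Malformed XML data" violation. Nothing is ever fetched for an external
    entity; the parser only records that one was declared.
    """
    state = {"dtd": False, "external_entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        state["dtd"] = True  # any <!DOCTYPE ...> counts as a DTD

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:  # SYSTEM/PUBLIC identifier = external entity
            state["external_entities"].append((name, sysid or pubid))

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Returning a non-zero value tells expat the reference was "handled";
    # we deliberately load nothing, so no file or URL is ever read.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 1

    violations = []
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        violations.append(f"Malformed XML data: {exc}")
    if disallow_dtd and state["dtd"]:
        violations.append("DTD not allowed")
    for name, ident in state["external_entities"]:
        violations.append(f"External entity declared: {name} -> {ident}")
    return violations


if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("xxe", SAMPLE_XXE),
                        ("malformed", SAMPLE_MALFORMED)):
        print(label, check_xml_body(body))
```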
This article is reposted from Bruce_F5's 51CTO blog; original link: http://blog.51cto.com/zenfei/2050010