Forum Discussion

AlsDevC's avatar
AlsDevC
Icon for Altocumulus rankAltocumulus
May 03, 2023

Handle False Positive for files upload

Hi folks, 

I'm wondering how to handle uploading files through XC. For example, I have a URL used for uploading files to a web application, say /upload.

The files appear to be scanned by XC which detects and triggers many attack signatures. According to my tests they are all false positives. A concrete example of trigered signature:

Signature ID 200104770
name: JSP Expression Language Expression Injection (3) (Parameter)
attack_type: ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION
matching_info: Matched 62 characters on offset 1 against value: "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'."

The habit I had on ASM was to disable problematic signatures on this type of URL.

Is there a more relevant way to handle these cases on XC?

Many thanks.

  • Yes, the reocmmendation is to leave it "enabled" ( the feature is enabled in the default policy ).

    Regarding the comment "lowered the level of protection against SQL Injection type attacks" , could you please open a support ticket with the details ? We will review and make improvements as needed to the model

  • Hi AlsDevC.

    If you look at the Security Events in the Security Dashboard and find the event that you believe to be false-positive, then click the `...` in the `Actions` column:

    You have the option to `Create WAF Exclusion rule`.  This will take you to the 'WAF Exclusion Rules` section of the Load-Balancer configuration, and pre-populate the configuration for you, to disable the signature on the specific URL.  

    Hope that helps. 

     

  • Stephen,

    Thanks for your quick feedback. Maybe I'm expressing myself badly. I know how to put an exception but I was hoping for another method than putting an exception for each matched signature.

    BR.

     

     

    • Can you share the "state" of those signatures , for that security event? You should find that in the information section. Ideally, these signatures should be "autosuppressed" by the "automatic attack signatures tuning" capability

  • I disabled "automatic attack signatures tuning" because we noticed that it lowered the level of protection against SQL Injection type attacks.
    Am I to understand that this is not a good practice and that it is advisable to leave it enabled to limit the number of false positives?

    • Yes, the reocmmendation is to leave it "enabled" ( the feature is enabled in the default policy ).

      Regarding the comment "lowered the level of protection against SQL Injection type attacks" , could you please open a support ticket with the details ? We will review and make improvements as needed to the model

  • Hi Sudhir, I re-enable the option and my file ipload works correctly, i see the request is triggered by WAF but signatures are in Autosuppressed state. It answer my initial question, thanks. 
    I'll open a case for SQL Injection are passing when I activate the feature. 

    Thanks all.