Forum Discussion

Lyonsy_271608's avatar
Lyonsy_271608
Icon for Altocumulus rankAltocumulus
Nov 23, 2016

WAF Blocking templates on upload

Hi Guys

 

Have an issue with templates (html and css) being uploaded to a certain url detects them and blocks as Cross Site Scripting (XSS), Detection Evasion, Other Application Attacks, SQL-Injection

 

is there anyway to allow them through to the specific area they will only ever come via 1 url

 

thanks in anvance

 

  • when HTTP_CLASS_SELECTED { ASM::enable if { [HTTP::uri] starts_with "/*****" } { ASM::disable } }

     

  • If this comes from a trusted developer IP the easiest way would probably be whitelisting him: Security ›› Application Security : IP Addresses : IP Address Exceptions ›› New IP Address Exception...

     

    IP Address Exception Properties IP Addressdeveloper_source_ip Netmask255.255.255.255 Policy Builder trusted IP Disabled Ignore in Anomaly Detection Enabled Ignore in Learning Suggestions Enabled Never block this IP Address Enabled Never log traffic from this IP Address Enabled

     

  • it comes from a specific URL to upload the template so guessing i give it the static ip of that url it should work?

     

    thanks

     

  • depending on the attack signature type you might be able to disable it on a parameter.

     

    if you can't you need to do something with different ASM policies. you can't disable based on URI for attack signatures easily shamefully.

     

  • managed to do this via an irule

     

    when HTTP_CLASS_SELECTED { ASM::enable if { [HTTP::uri] starts_with "/*****" } { ASM::disable } }

     

  • when HTTP_CLASS_SELECTED { ASM::enable if { [HTTP::uri] starts_with "/*****" } { ASM::disable } }

     

  • ah still version 10? or older version 11? have a look at upgrading.

     

    do understand this disables all ASM protection, so not just a few signatures disabled but everything.

     

    it might be better to change ASM policy based on URI, that way you keep some protection at least.