Bug ID 481530: Signature reporting details for sensitive data violation

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8

Fixed In:
12.0.0, 11.6.1

Opened: Sep 29, 2014
Severity: 3-Major
Related AskF5 Article:
K86019555

Symptoms

ASM blocks some requests that match signatures of the 'XPath Injection' attack type, but specific details regarding the violations are not visible for the affected requests as the signatures match sensitive parameters.

Impact

You cannot view or learn about violations in the GUI for signatures that match on sensitive parameters.

Conditions

Request with sensitive data, a signature match inside the sensitive data.

Workaround

Suggestions of how to acquire the sig id: 1. Attach a custom remote logger that includes the violation details field and the support id. Note: You can configure only these two. 2. Turn on the ATTACK_SIG logger module for the bd.log and grep for 'Matched SIGID:' messages. 3. Remove the sensitive configuration. Note: This might not work for your environment.

Fix Information

Signature names that are matched inside sensitive data are now shown in the violation details in the Configuration utility.

Behavior Change