And how BIG-IP ASM mitigates the vulnerabilities.
|
Vulnerability |
BIG-IP ASM Controls |
|
|
A1 |
Injection Flaws |
Attack signatures Meta character restrictions Parameter value length restrictions |
|
A2 |
Broken Authentication and Session Management |
Brute Force protection Credentials Stuffing protection Login Enforcement Session tracking HTTP cookie tampering protection Session hijacking protection |
|
A3 |
Sensitive Data Exposure |
Data Guard Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
|
A4 |
XML External Entities (XXE) |
Attack signatures (“Other Application Attacks” – XXE) XML content profile (Disallow DTD) (Subset of API protection) |
|
A5 |
Broken Access Control |
File types Allowed/disallowed URLs Login Enforcement Session tracking Attack signatures (“Directory traversal”) |
|
A6 |
Security Misconfiguration |
Attack Signatures DAST integration Allowed Methods HTML5 Cross-Domain Request Enforcement |
|
A7 |
Cross-site Scripting (XSS) |
Attack signatures (“Cross Site Scripting (XSS)”) Parameter meta characters HttpOnly cookie attribute enforcement Parameter type definitions (such as integer) |
|
A8 |
Insecure Deserialization |
Attack Signatures (“Server Side Code Injection”) |
|
A9 |
Using components with known vulnerabilities |
Attack Signatures DAST integration |
|
A10 |
Insufficient Logging and Monitoring |
Request/response logging Attack alarm/block logging On-device logging and external logging to SIEM system Event Correlation |
Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:
-
200018018 External entity injection attempt
-
200018030 XML External Entity (XXE) injection attempt (Content)
Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):
