2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
And how BIG-IP ASM mitigates the vulnerabilities.
| Vulnerability | BIG-IP ASM Controls |
| --- | --- |
| A1 Injection Flaws | Attack signatures; Meta character restrictions; Parameter value length restrictions |
| A2 Broken Authentication and Session Management | Brute Force protection; Credentials Stuffing protection; Login Enforcement; Session tracking; HTTP cookie tampering protection; Session hijacking protection |
| A3 Sensitive Data Exposure | Data Guard; Attack signatures ("Predictable Resource Location" and "Information Leakage") |
| A4 XML External Entities (XXE) | Attack signatures ("Other Application Attacks" - XXE); XML content profile (Disallow DTD); (Subset of API protection) |
| A5 Broken Access Control | File types; Allowed/disallowed URLs; Login Enforcement; Session tracking; Attack signatures ("Directory traversal") |
| A6 Security Misconfiguration | Attack Signatures; DAST integration; Allowed Methods; HTML5 Cross-Domain Request Enforcement |
| A7 Cross-site Scripting (XSS) | Attack signatures ("Cross Site Scripting (XSS)"); Parameter meta characters; HttpOnly cookie attribute enforcement; Parameter type definitions (such as integer) |
| A8 Insecure Deserialization | Attack Signatures ("Server Side Code Injection") |
| A9 Using components with known vulnerabilities | Attack Signatures; DAST integration |
| A10 Insufficient Logging and Monitoring | Request/response logging; Attack alarm/block logging; On-device logging and external logging to SIEM system; Event Correlation |
Specifically, we have attack signatures for "A4:2017-XML External Entities (XXE)":
200018018 External entity injection attempt
200018030 XML External Entity XXE injection attempt (Content)
XXE attacks can also be mitigated with an XML profile, by disabling DTDs (and, of course, enabling the "Malformed XML data" violation).
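To make the two checks concrete, the following is an added example (not F5 code and not how BIG-IP ASM is implemented) of an application-side analogue: refuse any XML body that carries a DTD, and refuse bodies that do not parse. The function name, verdict strings and sample bodies are assumptions constructed for this illustration.

```python
# Added example: application-side analogue of "Disallow DTD" plus a
# "Malformed XML data" check. All names are hypothetical, not BIG-IP ASM APIs.
import xml.parsers.expat


class DtdNotAllowed(Exception):
    """Raised as soon as the parser meets a DOCTYPE declaration."""


def check_xml_body(body: bytes) -> str:
    """Return 'allow', 'block:dtd' or 'block:malformed' for an XML body."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refuse every DTD, so no entity declaration is ever processed.
        raise DtdNotAllowed(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)  # True marks this as the final chunk
    except DtdNotAllowed:
        return "block:dtd"
    except xml.parsers.expat.ExpatError:
        return "block:malformed"
    return "allow"


# Constructed sample request bodies (not taken from real traffic).
BENIGN = b'<?xml version="1.0"?><order><item id="1">book</item></order>'
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM '
    b'"http://example.invalid/constructed.txt">]>'
    b'<order>&ext;</order>'
)
MALFORMED = b'<order><item>book</order>'
# "<!DOCTYPE" as plain text inside CDATA is data, not a declaration.
CDATA_TEXT = b'<note><![CDATA[<!DOCTYPE x>]]></note>'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("dtd", WITH_DTD),
                        ("malformed", MALFORMED), ("cdata", CDATA_TEXT)]:
        print(label, "->", check_xml_body(body))
```

Because the decision comes from the parser rather than a substring match, the CDATA sample is allowed while a real DOCTYPE declaration is blocked before its internal subset is read.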