F5 BIGIP - (OLD!) Persistent XSS in ASM Module Dec 02 2014 08:34PM
jplopezy gmail com


The f5 is a "load balancer" which has several modules, one of them called ASM works as a WAF (firewall application). The asm allow create security policy
to protect a web site for example.

For it have some methods

Create a policy automatically (recommended) <- BAD IDEA
Create a policy manually or use templates (advanced)
Create a policy for XML and web services manually
Create a policy using third party vulnerability assessment tool output

The problems is when create a policy automatically :

Select Create a policy automatically if you want the Application Security Manager to build a security policy automatically.
This option is good for production traffic or for a QA environment. The policy building process can take a few days, depending on the number of requests sent and the size of the website.

When you select this option, any user that join in to the site ( user or web security scanner) send request true and fakes and the app start to learn all uri,parameter,value ( true or false)

For this reason is that happend the problem, the app start learning all request that the users or web scanner send in the case of web scanner some times this software send trash like invalid parameter or attacks

The asm module learn this data and the problems happends!.


The bug is in the file pl_tree.php, and send this request to a site that have a "policiy automatically" /<img src="test" onclick="alert('XSS')">, when you send this request (in some cases) go to
Allowed URL Properties ( some cases go to disable if the stating time is disabled, in automatic is default 7 days)

So, if the admin of this policy go to Security ?? Application Security : Security Policies : Active Policies and open the policy and click on Tree View, the xss run, in this case this payload need click but there are others vectors.

Check image : http://postimg.org/image/7f8i3m139/

all end in a persistent/store xss that allow steal cookies or others vectors like get info.


Is important a hotfix, but for prevent this type of attack not use policy automatically.


Version :


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus