And how BIG-IP ASM mitigates the vulnerabilities.
Vulnerability | BIG-IP ASM Controls | |
A1 | Injection Flaws | Attack signatures Meta character restrictions Parameter value length restrictions |
A2 | Broken Authentication and Session Management | Brute Force protection Credentials Stuffing protection Login Enforcement Session tracking HTTP cookie tampering protection Session hijacking protection |
A3 | Sensitive Data Exposure | Data Guard Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
A4 | XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE) XML content profile (Disallow DTD) (Subset of API protection) |
A5 | Broken Access Control | File types Allowed/disallowed URLs Login Enforcement Session tracking Attack signatures (“Directory traversal”) |
A6 | Security Misconfiguration | Attack Signatures DAST integration Allowed Methods HTML5 Cross-Domain Request Enforcement |
A7 | Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”) Parameter meta characters HttpOnly cookie attribute enforcement Parameter type definitions (such as integer) |
A8 | Insecure Deserialization | Attack Signatures (“Server Side Code Injection”) |
A9 | Using components with known vulnerabilities | Attack Signatures DAST integration |
A10 | Insufficient Logging and Monitoring | Request/response logging Attack alarm/block logging On-device logging and external logging to SIEM system Event Correlation |
Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:
200018018 External entity injection attempt
200018030 XML External Entity (XXE) injection attempt (Content)
Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):
