F5 Distributed Cloud Security Details Changelog

f5_title

Attack Signatures Changelog

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Sanitize all user-input on your application.

Additional References:
http://www.cgisecurity.com/xss-faq.html



toString (Parameter)

toString (Header)

toString (URI)

valueOf (Parameter)

valueOf (Header)

valueOf (URI)

Summary:

This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).



--

Impact:

Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.



--

Detailed Information:

SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement.

This event indicates that an attempt has been made by the client to inject SQL code into the application.



--

Affected Systems:

All systems with database connectivity are potentially affected.



--

Attack Scenarios:

An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.



--

Ease of Attack:

Vary from simple to medium.



--

False Positives:

Some applications send SQL statements to the web server as legitimate input.

Some free-text user input may match SQL-Injection signatures.



--

False Negatives:

None known.



--

Corrective Action:

Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.

Utilize "Positive Security Model" by accepting only known types of input in web application.



--





SQL-INJ expressions like "OR 1=1" (3) (Parameter)

SQL-INJ expressions like "OR 1=1" (3) (Header)

Summary:
This event is generated when an attempt is made to abuse a web server functionality. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvents access controls mechanisms

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml



Unix "cmd" parameter execution attempt

Summary:
This event is generated when an attempt is made to send crafted requests from the back-end server of a web application. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.

Affected Systems:
All systems.

Attack Scenarios:
An attacker can bypass security measures by using the back-end server to reach internal corporate servers, and send authenticated requests on behalf of the server.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
https://www.owasp.org/index.php/Server_Side_Request_Forgery



SSRF attempt (127.x.x.x) - Dot-less decimal representation (Host header)

SSRF attempt (127.x.x.x) - Dot-less decimal representation (URI)

SSRF attempt (127.x.x.x) - Dot-less decimal representation (Parameter)

Summary:
This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement. This event indicates that an attempt has been made by the client to inject SQL code into the application.

Affected Systems:
All systems with database connectivity are potentially affected.

Attack Scenarios:
An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send SQL statements to the web server as legitimate input. Some free-text user input may match SQL-Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/sql_injection.shtml



SQL-INJ expressions like "OR 1=1" (3) (URI)

Summary:
This event is generated when an attempt is made to obtain sensitive information or a leakage has been detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. The information may be sensitive itself (e.g. credit card numbers) or  may aid the attacker to mount a more dangerous attack (e.g. user or system passwords).

Detailed Information:
Sensitive information may be present within HTML comments, error messages, source code, or simply left in files which are accessible by remote clients.This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/information_leakage.shtml



TVT DVR Information Disclosure

Harman Media Suite Local File Disclosure

WordPress LiteSpeed Cache Plugin Sensitive Information Exposure

WordPress SmartSearchWP OpenAI Key Disclosure

Vite Framework Arbitrary File Read

Summary:
This event is generated when an attempt is made to trigger denial of service.

Impact:
Serious

Detailed Information:
Denial of Service could be triggered by starving a system of critical resources, vulnerability exploit, or abuse of functionality which could result in consuming of all available resources to the web server.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
https://www.owasp.org/index.php/Denial_of_Service



Micromatch ReDoS

Summary:
This event is generated when an attempt is made to bypass an Authentication or Authorization restrictions. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
Authentication/Authorization Attacks occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate or authorize for that resource.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/insufficient_authentication.shtml
http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml



Control iD iDSecure Authentication Bypass

Strapi Authentication Bypass

Adobe Experience Manager Unauthorized Access

Apache Solr Authentication Bypass

Gitlab SAML Authentication Bypass

Microsoft Open Management Infrastructure RCE

Fanwei OA8 Front-End SQL Injection

Summary:
This event is generated when an unclassified Application Attack is detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation may result in information disclosure or system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event is generated when an unclassified Application Attack is detected.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



Apache OFBiz SSRF (2)

SSRF attempt (127.0.0.1) - Hexadecimal representation (URI)

SSRF attempt (127.0.0.1) - Hexadecimal representation (Parameter)

SSRF attempt (127.0.0.1) - Hexadecimal representation (Host header)

SSRF Attempt - Double Slash

Summary:
This event is triggered when an attempt is made to upload a malicious file.

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
This event is triggered when an attempt is made to upload a malicious file.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



BerqWP Arbitrary File Upload

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems that accept user input are potentially affected.

Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://en.wikipedia.org/wiki/Cross_site_scripting
http://www.cgisecurity.com/articles/xss-faq.shtml



DOM Clobber Malformed CurrentScript in Vite and Webpack

oncontentvisibilityautostatechange (Parameter)

oncontentvisibilityautostatechange (Header)

oncontentvisibilityautostatechange (URI)

Hertzbeat Authenticated SQL Injection

SQL-INJ expressions like "AND 1=1" (3) (Parameter)

SQL-INJ expressions like "AND 1=1" (3) (Header)

SQL-INJ expressions like "AND 1=1" (3) (URI)

JeecgBoot SQL Injection

WordPress WP Fastest Cache SQL Injection

osTicket SQL Injection

Hongjing HCM SQL Injection

SQL-INJ expressions like "|| TRUE"

Summary:
This event is generated when an attempt is made to remotely execute an OS command. This is a general attack detection signature (i.e. it is not specific to any web application, but is dependent on the webserver Operating System).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
Web application could be tricked to execute operating system command if user supplied input isn't properly checked. This event indicates that an attempt has been made to inject an operating system command from a remote machine via unvalidated input of web application.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/os_commanding.shtml



Ivanti Cloud Service Appliance Command Execution

ManageEngine ADManager Plus Command Injection

Apache Tomcat CGIServlet - Remote Code Execution

Summary:
This event is generated when an attempt is made to inject Server-side Include code. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
This event indicates that an attempt has been made to inject Server-side Include (SSI) code. SSI Injection allows to attacker to send server side code that could be executed locally by the web server.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/ssi_injection.shtml



Sitecore Remote Code Execution

Apache OFBiz Pre-Auth Information Leak

WordPress Backup Migration RCE

Comodo UTM Remote Code Execution

playSMS Remote Code Execution

Ivanti Connect/Policy Secure Authenticated RCE

CyberPanel Pre-Auth RCE

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

--
Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

--
Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

--
Affected Systems:
All systems that accept user input are potentially affected.

--
Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

--
Ease of Attack:
Vary from simple to medium.

--
False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

The Cross Site Scripting (XSS) FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Cross-site scripting
http://en.wikipedia.org/wiki/Cross_site_scripting

--


.ShellExecute (Parameter)

.ShellExecute (Headers)

.ShellExecute (URI)

.SaveToFile (Parameter)

.SaveToFile (Headers)

.SaveToFile (URI)

button tag (Parameter)

SQL-INJ print @@

Summary:
This event is generated when an attempt is made to code injection attack. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
 Vary from information gathering to web server compromise.

Detailed Information:
This event is generated when an attempt is made to code injection attack on a web server, by obfuscating the attack using various methods such as encodings, path manipulation, and others.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/ssi_injection.shtml



General Injection Attempt (CHR) (Parameter)

General Injection Attempt (CHR) (Header)

SQL-INJ CASE WHEN THEN '1' ELSE '0' (Parameter)

SQL-INJ CASE WHEN THEN '1' ELSE '0' (Header)

Summary:
This event is generated when an attempt is made to remotely execute an OS command. This is a general attack detection signature (i.e. it is not specific to any web application, but is dependent on the webserver Operating System).

--
Impact:
Serious. Execution of arbitrary commands may be possible.

--
Detailed Information:
Web application could be tricked to execute operating system command if user supplied input isn't properly checked.
This event indicates that an attempt has been made to inject an operating system command from a remote machine via unvalidated input of web application.

--
Affected Systems:
All systems.

--
Attack Scenarios:
An attacker can supply or invoke execution of OS commands via unsanitized input.

--
Ease of Attack:
Vary from simple to medium.

--
False Positives:
Some free-text user input may match Command Execution signatures.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

OS Commanding
http://www.webappsec.org/projects/threat/classes/os_commanding.shtml

--


Unix/Linux "at" execution attempt (Parameter)

Unix/Linux "tac" execution attempt (Parameter)

Summary:
This event is generated when an attempt is made to execute a Path Traversal attack. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This is a directory traversal attempt which canlead to information disclosure and possible exposure of sensitivesystem information.

Detailed Information:
Directory traversal attacks usually target web servers, web applications and ftp servers that do not correctly check the path to a file when requested bythe client. This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/path_traversal.shtml



Apache OFBiz Directory Traversal

Check Point Security Gateway Path Traversal

XWiki Information Disclosure (4)

Jackson data-bind BigDecimal DoS (Parameter)

Jackson data-bind BigDecimal DoS (Header)

Summary:
This event is generated when an attempt is made to scan for vulnerabilities by security scanner. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
This event is generated when an attempt is made to scan a web server or an application running on a web server for a possible vulnerability.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://en.wikipedia.org/wiki/Web_application_security_scanner



SQL-INJ UNIUNIONON SELESELECTCT (Parameter)

SQL-INJ UNIUNIONON SELESELECTCT (Header)

SQL-INJ UNIUNIONON SELESELECTCT (URI)

SSRF attempt (127.0.0.1)

jQuery command $.globalEval (Parameter)

jQuery command $.globalEval (Header)

jQuery command $.globalEval (URI)

Array.from() (Parameter)

Array.from() (Header)

Array.from() (URI)

location.replace() (Parameter)

location.replace() (Header)

location.replace() (URI)

Vue.js XSS Prototype Pollution

SQL-INJ UPDATEXML (Parameter)

SQL-INJ UPDATEXML (Header)

SQL-INJ UPDATEXML (URI)

Microsoft SharePoint bdcm Remote Code Execution (2)

Microsoft SharePoint bdcm Remote Code Execution (1)

XWiki Arbitrary Code Injection (3)

Summary:
This event is generated when an attempt is made to inject LDAP statements to the vulnerable web application. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Successful exploitation will result in information gathering and system integrity compromise. Possible modification of LDAP tree.

Detailed Information:
This event indicates that an attempt has been made to inject LDAP statement. If user supplied input is not correctly sanitized the attacker could change LDAP statement construction.

Affected Systems:
All systems with LDAP connectivity are potentially affected.

Attack Scenarios:
An attacker can inject LDAP queries to the backend LDAP server for an application if user input is not correctly sanitized or checked before passing that input to the LDAP server.

Ease Of Attack:
Simple to medium.

False Positives:
Some free-text user input may match LDAP Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

