F5 Distributed Cloud Security Details Changelog

f5_title

Signatures Changelog

Summary:
This event is generated when an attempt is made to access hidden web site content or functionality. This is a general detection signature (i.e. it is not specific to any web application).

--
Impact:
Information disclosure. This may aid the attacker to mount a more dangerous attack.

--
Detailed Information:
By making educated guesses, the attacker could discover hidden web site content and functionality, such as configuration, temporary, backup or sample files.
This can lead to the disclosure of sensitive system information which may
be used by an attacker to further compromise the system.

--
Affected Systems:
All systems.

--
Attack Scenarios:
An attacker can search the web site for known sample files or files with .tmp, .bak and other extensions or attempt to access administrative pages or directories.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Restrict access to sensitive files and nonpublic web server functionality.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

Predictable Resource Location
http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml

--


Unix hidden file access (URI)

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

--
Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

--
Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

--
Affected Systems:
All systems that accept user input are potentially affected.

--
Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

--
Ease of Attack:
Vary from simple to medium.

--
False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

The Cross Site Scripting (XSS) FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Cross-site scripting
http://en.wikipedia.org/wiki/Cross_site_scripting

--


.location (Headers)

.location (Parameter)

.location (URI)

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems that accept user input are potentially affected.

Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
The Cross Site Scripting (XSS) FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Cross-site scripting
http://en.wikipedia.org/wiki/Cross_site_scripting



window.document (Parameter)

window.document (Header)

window.document (URI)

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems that accept user input are potentially affected.

Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.cgisecurity.com/xss-faq.html



document[] (Header)

document[] (Parameter)

document[] (URI)

window[] (Header)

window[] (Parameter)

window[] (URI)

Summary:

This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).



--

Impact:

Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.



--

Detailed Information:

SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement.

This event indicates that an attempt has been made by the client to inject SQL code into the application.



--

Affected Systems:

All systems with database connectivity are potentially affected.



--

Attack Scenarios:

An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.



--

Ease of Attack:

Vary from simple to medium.



--

False Positives:

Some applications send SQL statements to the web server as legitimate input.

Some free-text user input may match SQL-Injection signatures.



--

False Negatives:

None known.



--

Corrective Action:

Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.

Utilize "Positive Security Model" by accepting only known types of input in web application.



--





SQL-INJ expressions like ' + ' (Parameter)

SQL-INJ expressions like ' || ' (Parameter)

SQL-INJ expressions like ' || ' (URI)

Summary:
This event is generated when an attempt is made to remotely execute an OS command. This is a general attack detection signature (i.e. it is not specific to any web application, but is dependent on the webserver Operating System).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
Web application could be tricked to execute operating system command if user supplied input isn't properly checked. This event indicates that an attempt has been made to inject an operating system command from a remote machine via unvalidated input of web application.

Affected Systems:
Apache Struts and application Servers which base on Java programming language.

Attack Scenarios:
An attacker can supply or invoke execution of OS commands via unsanitized input.

Ease Of Attack:
Medium to hard.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
https://www.owasp.org/index.php/Command_Injection



FreeMarker Template Injection template.utility (Parameter)

FreeMarker Template Injection template.utility (Header)

FreeMarker Template Injection template.utility (URI)

Summary:
This event is generated when an attempt is made to inject LDAP statements to the vulnerable web application. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Successful exploitation will result in information gathering and system integrity compromise. Possible modification of LDAP tree.

Detailed Information:
This event indicates that an attempt has been made to inject LDAP statement. If user supplied input is not correctly sanitized the attacker could change LDAP statement construction.

Affected Systems:
All systems with LDAP connectivity are potentially affected.

Attack Scenarios:
An attacker can inject LDAP queries to the backend LDAP server for an application if user input is not correctly sanitized or checked before passing that input to the LDAP server.

Ease Of Attack:
Simple to medium.

False Positives:
Some free-text user input may match LDAP Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



Generic LDAP injection attempt (1)

Generic LDAP injection attempt (2)

Summary:
This event is generated when an attempt is made to execute a Path Traversal attack. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This is a directory traversal attempt which canlead to information disclosure and possible exposure of sensitivesystem information.

Detailed Information:
Directory traversal attacks usually target web servers, web applications and ftp servers that do not correctly check the path to a file when requested bythe client. This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/path_traversal.shtml



Directory Traversal attempt "../" (URI) (%%32%65%%32%65)

"/Program Files/" access (URI)

Summary:
This event is generated when an attempt is made to access hidden web site content or functionality. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This may aid the attacker to mount a more dangerous attack.

Detailed Information:
By making educated guesses, the attacker could discover hidden web site content and functionality, such as configuration, temporary, backup or sample files.This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
An attacker can search the web site for known sample files or files with .tmp, .bak and other extensions or attempt to access administrative pages or directories.

Ease Of Attack:
Simple.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Restrict access to sensitive files and nonpublic web server functionality. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml



"/etc/*" access

Summary:
This event is generated when an unclassified Application Attack is detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation may result in information disclosure or system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event is generated when an unclassified Application Attack is detected.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



localhost IPv6 URL found - http://::1/ (Parameter)

localhost IPv6 URL found - http://::1/ (Header)

XML External Entity (XXE) injection attempt (Parameter)

Summary:
An XML External Entity attack is a type of attack against an application that parses XML input.)

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Affected Systems:
All systems

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
None known.

False Negatives:
None known.

Corrective Action:
Disable XXE functionality in your XML parsers

Additional References:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing



XML External Entity (XXE) injection attempt

External entity DOCTYPE injection attempt (Parameter)

External entity DOCTYPE injection attempt

SSRF attempt (Localhost) (Host Header)

SSRF attempt (Google Metadata Server) (Parameter)

SSRF attempt (Google Metadata Server) (Host Header)

SSRF attempt (Packetcloud Metadata Server) (Host Header)

SSRF attempt (Google Metadata Server) (URI)

SSRF attempt (AWS Metadata Server Hostname) (Host header)

SSRF attempt (AWS, Azure, GCE, Digital Ocean Metadata Server IPv6 format ) (Host header)

SSRF attempt (Oracle Metadata Server IPv6 format) (Host header)

SSRF attempt (Alibaba Metadata Server IPv6 format) (Host header)

SSRF attempt (localhost)

SSRF attempt (127.0.0.1)

localhost IPv6 URL evasion - [::01]/ (Parameter)

localhost IPv6 URL evasion - [::01]/ (Header)

External entity DOCTYPE injection attempt (PUBLIC) (Parameter)

External entity DOCTYPE injection attempt (PUBLIC)

Summary:
This event is generated when an attempt is made to send crafted requests from the back-end server of a web application. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.

Affected Systems:
All systems.

Attack Scenarios:
An attacker can bypass security measures by using the back-end server to reach internal corporate servers, and send authenticated requests on behalf of the server.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
https://www.owasp.org/index.php/Server_Side_Request_Forgery



SSRF attempt (AWS Metadata Server) - Dot-less decimal representation (Host header)

SSRF attempt (AWS Metadata Server) - Dot-less decimal with overflow representation (Host header)

SSRF attempt (AWS Metadata Server) - Dotted decimal with overflow representation (Host header)

SSRF attempt (AWS Metadata Server) - Dotted octal representation (Host header)

SSRF attempt (AWS Metadata Server) - Dotted octal with padding representation (Host header)

SSRF attempt (AWS Metadata Server) - Dotted hexadecimal representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dot-less decimal representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dot-less decimal with overflow representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dotted decimal with overflow representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dotted octal representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dotted octal with padding representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dot-less hexadecimal representation (Host header)

SSRF attempt (Oracle Metadata Server) - Dotted hexadecimal representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dot-less decimal representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dot-less decimal with overflow representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dotted decimal with overflow representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dotted octal representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dotted octal with padding representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dot-less hexadecimal representation (Host header)

SSRF attempt (Alibaba Metadata Server) - Dotted hexadecimal representation (Host header)

SSRF attempt (127.0.0.1) - Dot-less decimal representation (Host header)

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems that accept user input are potentially affected.

Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://en.wikipedia.org/wiki/Cross_site_scripting
http://www.cgisecurity.com/articles/xss-faq.shtml



new Image().src (Parameter)

new Image().src (Header)

new Image().src (URI)

top[]() (Parameter)

top[]() (Header)

top[]() (URI)

new Function() (Parameter)

new Function() (Header)

new Function() (URI)

alert() (3) (Parameter)

alert() (3) (Header)

alert() (3) (URI)

self[] (Parameter)

self[] (Header)

self[] (URI)

globalThis[] (Parameter)

globalThis[] (Header)

globalThis[] (URI)

frames[] (Parameter)

frames[] (Header)

frames[] (URI)

this[] (Parameter)

this[] (Header)

this[] (URI)

parent[] (Parameter)

parent[] (Header)

parent[] (URI)

Summary:
This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement. This event indicates that an attempt has been made by the client to inject SQL code into the application.

Affected Systems:
All systems with database connectivity are potentially affected.

Attack Scenarios:
An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send SQL statements to the web server as legitimate input. Some free-text user input may match SQL-Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/sql_injection.shtml



SolarWinds Web Help Desk Default Credentials

Summary:
This event is generated when an attempt is made to inject Server-side Include code. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
This event indicates that an attempt has been made to inject Server-side Include (SSI) code. SSI Injection allows to attacker to send server side code that could be executed locally by the web server.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/ssi_injection.shtml

