F5 Distributed Cloud Security Details Changelog

f5_title

Attack Signatures Changelog

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

--
Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

--
Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.
Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

--
Affected Systems:
All systems that accept user input are potentially affected.

--
Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

--
Ease of Attack:
Vary from simple to medium.

--
False Positives:
Some applications send various script code to the web server as legitimate input.
Some free-text user input may match Cross Site Scripting signatures.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

The Cross Site Scripting (XSS) FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Cross-site scripting
http://en.wikipedia.org/wiki/Cross_site_scripting

--


.ShellExecute (Parameter)

.ShellExecute (Headers)

.ShellExecute (URI)

.SaveToFile (Parameter)

.SaveToFile (Headers)

.SaveToFile (URI)

button tag (Parameter)

Summary:

This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).



--

Impact:

Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.



--

Detailed Information:

SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement.

This event indicates that an attempt has been made by the client to inject SQL code into the application.



--

Affected Systems:

All systems with database connectivity are potentially affected.



--

Attack Scenarios:

An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.



--

Ease of Attack:

Vary from simple to medium.



--

False Positives:

Some applications send SQL statements to the web server as legitimate input.

Some free-text user input may match SQL-Injection signatures.



--

False Negatives:

None known.



--

Corrective Action:

Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.

Utilize "Positive Security Model" by accepting only known types of input in web application.



--





SQL-INJ print @@

Summary:
This event is generated when an attempt is made to code injection attack. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
 Vary from information gathering to web server compromise.

Detailed Information:
This event is generated when an attempt is made to code injection attack on a web server, by obfuscating the attack using various methods such as encodings, path manipulation, and others.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/ssi_injection.shtml



General Injection Attempt (CHR) (Parameter)

General Injection Attempt (CHR) (Header)

Summary:
This event is generated when an attempt is made to exploit an SQL-Injection vulnerability. This is a general attack detection signature (i.e. it is not specific to any database or web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
SQL-Injection occurs when a web application doesn't sanitize user-supplied input and places it directly into the SQL statement. This event indicates that an attempt has been made by the client to inject SQL code into the application.

Affected Systems:
All systems with database connectivity are potentially affected.

Attack Scenarios:
An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send SQL statements to the web server as legitimate input. Some free-text user input may match SQL-Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/sql_injection.shtml



SQL-INJ CASE WHEN THEN '1' ELSE '0' (Parameter)

SQL-INJ CASE WHEN THEN '1' ELSE '0' (Header)

Summary:
This event is generated when an attempt is made to remotely execute an OS command. This is a general attack detection signature (i.e. it is not specific to any web application, but is dependent on the webserver Operating System).

--
Impact:
Serious. Execution of arbitrary commands may be possible.

--
Detailed Information:
Web application could be tricked to execute operating system command if user supplied input isn't properly checked.
This event indicates that an attempt has been made to inject an operating system command from a remote machine via unvalidated input of web application.

--
Affected Systems:
All systems.

--
Attack Scenarios:
An attacker can supply or invoke execution of OS commands via unsanitized input.

--
Ease of Attack:
Vary from simple to medium.

--
False Positives:
Some free-text user input may match Command Execution signatures.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
Utilize "Positive Security Model" by accepting only known types of input in web application.

--
Additional References:

OS Commanding
http://www.webappsec.org/projects/threat/classes/os_commanding.shtml

--


Unix/Linux "at" execution attempt (Parameter)

Summary:
This event is generated when an attempt is made to remotely execute an OS command. This is a general attack detection signature (i.e. it is not specific to any web application, but is dependent on the webserver Operating System).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
Web application could be tricked to execute operating system command if user supplied input isn't properly checked. This event indicates that an attempt has been made to inject an operating system command from a remote machine via unvalidated input of web application.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/os_commanding.shtml



Unix/Linux "tac" execution attempt (Parameter)

Summary:
This event is generated when an attempt is made to execute a Path Traversal attack. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This is a directory traversal attempt which canlead to information disclosure and possible exposure of sensitivesystem information.

Detailed Information:
Directory traversal attacks usually target web servers, web applications and ftp servers that do not correctly check the path to a file when requested bythe client. This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/path_traversal.shtml



Apache OFBiz Directory Traversal

Check Point Security Gateway Path Traversal

Summary:
This event is generated when an attempt is made to obtain sensitive information or a leakage has been detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. The information may be sensitive itself (e.g. credit card numbers) or  may aid the attacker to mount a more dangerous attack (e.g. user or system passwords).

Detailed Information:
Sensitive information may be present within HTML comments, error messages, source code, or simply left in files which are accessible by remote clients.This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/information_leakage.shtml



XWiki Information Disclosure (4)

Summary:
This event is generated when an attempt is made to trigger denial of service.

Impact:
Serious

Detailed Information:
Denial of Service could be triggered by starving a system of critical resources, vulnerability exploit, or abuse of functionality which could result in consuming of all available resources to the web server.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
https://www.owasp.org/index.php/Denial_of_Service



Jackson data-bind BigDecimal DoS (Parameter)

Jackson data-bind BigDecimal DoS (Header)

Summary:
This event is generated when an attempt is made to scan for vulnerabilities by security scanner. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
This event is generated when an attempt is made to scan a web server or an application running on a web server for a possible vulnerability.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://en.wikipedia.org/wiki/Web_application_security_scanner



SQL-INJ UNIUNIONON SELESELECTCT (Parameter)

SQL-INJ UNIUNIONON SELESELECTCT (Header)

SQL-INJ UNIUNIONON SELESELECTCT (URI)

Summary:
This event is generated when an unclassified Application Attack is detected. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation may result in information disclosure or system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event is generated when an unclassified Application Attack is detected.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



SSRF attempt (127.0.0.1)

Summary:
This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.

Detailed Information:
This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.

Affected Systems:
All systems that accept user input are potentially affected.

Attack Scenarios:
An attacker can supply a malicious link designed to steal information from a user clicking on that link.

Ease Of Attack:
Vary from simple to medium.

False Positives:
Some applications send various script code to the web server as legitimate input.Some free-text user input may match Cross Site Scripting signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://en.wikipedia.org/wiki/Cross_site_scripting
http://www.cgisecurity.com/articles/xss-faq.shtml



jQuery command $.globalEval (Parameter)

jQuery command $.globalEval (Header)

jQuery command $.globalEval (URI)

Array.from() (Parameter)

Array.from() (Header)

Array.from() (URI)

location.replace() (Parameter)

location.replace() (Header)

location.replace() (URI)

Vue.js XSS Prototype Pollution

SQL-INJ UPDATEXML (Parameter)

SQL-INJ UPDATEXML (Header)

SQL-INJ UPDATEXML (URI)

Summary:
This event is generated when an attempt is made to inject Server-side Include code. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Execution of arbitrary commands may be possible.

Detailed Information:
This event indicates that an attempt has been made to inject Server-side Include (SSI) code. SSI Injection allows to attacker to send server side code that could be executed locally by the web server.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/ssi_injection.shtml



Microsoft SharePoint bdcm Remote Code Execution (2)

Microsoft SharePoint bdcm Remote Code Execution (1)

XWiki Arbitrary Code Injection (3)

Summary:
This event is generated when an attempt is made to inject LDAP statements to the vulnerable web application. This is a general attack detection signature (i.e. it is not specific to any web application).

Impact:
Serious. Successful exploitation will result in information gathering and system integrity compromise. Possible modification of LDAP tree.

Detailed Information:
This event indicates that an attempt has been made to inject LDAP statement. If user supplied input is not correctly sanitized the attacker could change LDAP statement construction.

Affected Systems:
All systems with LDAP connectivity are potentially affected.

Attack Scenarios:
An attacker can inject LDAP queries to the backend LDAP server for an application if user input is not correctly sanitized or checked before passing that input to the LDAP server.

Ease Of Attack:
Simple to medium.

False Positives:
Some free-text user input may match LDAP Injection signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.



SecurEnvoy LDAP injection

Apache mod_rewrite Filename Confusion

Adobe ColdFusion Directory Traversal (2)

Adobe ColdFusion Directory Traversal

Spring Cloud Dataflow Arbitrary File Write

WordPress Prime Mover Data Exposure

WordPress Combo Blocks Authentication Bypass

Label Studio Information Disclosure

AnythingLLM Information Disclosure

GitLab Arbitrary File Read

Summary:
This event is generated when an attempt is made to access hidden web site content or functionality. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Information disclosure. This may aid the attacker to mount a more dangerous attack.

Detailed Information:
By making educated guesses, the attacker could discover hidden web site content and functionality, such as configuration, temporary, backup or sample files.This can lead to the disclosure of sensitive system information which maybe used by an attacker to further compromise the system.

Affected Systems:
All systems.

Attack Scenarios:
An attacker can search the web site for known sample files or files with .tmp, .bak and other extensions or attempt to access administrative pages or directories.

Ease Of Attack:
Simple.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Restrict access to sensitive files and nonpublic web server functionality. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/predictable_resource_location.shtml



DVDFab 12 PlayerFab Local File Inclusion

Python-Multipart ReDoS

Summary:
This event is generated when an attempt is made to bypass an Authentication or Authorization restrictions. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
Authentication/Authorization Attacks occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate or authorize for that resource.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/insufficient_authentication.shtml
http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml



Adobe ColdFusion Authentication Bypass

RWS WorldServer Authentication Bypass (2)

RWS WorldServer Authentication Bypass (1)

Ivanti vADC Authentication Bypass

SolarWinds Web Help Desk Default Credentials (2)

Cisco Smart Licensing Utility Default Credentials

WordPress SmartSearchWP Unauthenticated Log Purge

Summary:
This event is generated when an attempt is made to abuse a web server functionality. This is a general detection signature (i.e. it is not specific to any web application).

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvents access controls mechanisms

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml



Apache Windows UNC-based SSRF

Request Smuggling Attempt (TE.0)

Summary:
This event is triggered when an attempt is made to exploit file include functionality in the application, leading to arbitrary code execution.

Impact:
Vary from information gathering to web server compromise.

Detailed Information:
When a user-input parameter is used to perform actions such as code include, an attacker may exploit this to include their own code into the application. The code file may be hosted on an attacker controlled server, and the application may retrieve it over the web before including it.

Affected Systems:
All systems.

Attack Scenarios:
There are many possible.

Ease Of Attack:
Simple to medium.

False Positives:
Some applications may accept valid input which matches these signatures.

False Negatives:
None known.

Corrective Action:
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. Utilize "Positive Security Model" by accepting only known types of input in web application.

Additional References:
http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion

