First, here's how the 2013 edition compares to 2017, and how BIG-IP ASM mitigates each category of vulnerability.
| Rank | Vulnerability | BIG-IP ASM Controls |
|---|---|---|
| A1 | Injection Flaws | Attack signatures; meta character restrictions; parameter value length restrictions |
| A2 | Broken Authentication and Session Management | Brute force protection; session tracking; HTTP cookie protection |
| A3 | Sensitive Data Exposure | Data Guard |
| A4 | XML External Entities (XXE) | Attack signatures (see below) |
| A5 | Broken Access Control | File types; URL; URL flows; session tracking; attack signatures (directory traversal) |
| A6 | Security Misconfiguration | Attack signatures |
| A7 | Cross-site Scripting (XSS) | Attack signatures; parameter meta characters; parameter value length restrictions; parameter type definitions (such as integer) |
| A8 | Insecure Deserialization | Attack signatures (see below) |
| A9 | Using Components with Known Vulnerabilities | Attack signatures integration |
| A10 | Insufficient Logging and Monitoring | BIG-IP ASM can help with the monitoring process to detect, alarm on and deter attacks |
Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:
- 200018018 External entity injection attempt
- 200018030 XML External Entity (XXE) injection attempt (Content)
Also, XXE attacks can be mitigated by an XML profile that disables DTDs (and, of course, enables the “Malformed XML data” violation).
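As an added example (not code from the original post or from BIG-IP ASM), the following Python check reproduces what that XML profile setting does at the request boundary: any DOCTYPE or entity declaration is refused before the body is parsed, and documents that are not well-formed are reported separately so they can be logged as a distinct violation. The sample bodies are constructed; the external entity points at a non-resolvable placeholder host.

```python
"""Request-side XML gate that mirrors an XML profile with DTDs disabled."""
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised as soon as the document declares a DTD or an entity."""


def parse_without_dtd(body: bytes) -> dict:
    """Parse `body` with expat, refusing DTDs; returns a tag -> count map."""
    parser = xml.parsers.expat.ParserCreate()
    counts = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity is declared, so no entity can be defined.
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: never reached when on_doctype already raised.
        raise DtdRejected(f"entity {name!r} not allowed")

    def on_start(tag, attrs):
        counts[tag] = counts.get(tag, 0) + 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(body, True)  # exceptions raised in handlers propagate here
    return counts


def classify(body: bytes) -> str:
    """'ok', 'dtd' (blocked: DTD present) or 'malformed' (not well-formed)."""
    try:
        parse_without_dtd(body)
        return "ok"
    except DtdRejected:
        return "dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"


# Constructed sample request bodies (hypothetical, not captured traffic).
CLEAN_XML = b'<?xml version="1.0"?><order><item id="1"/><item id="2"/></order>'
DTD_XML = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY x SYSTEM '
           b'"http://dtd.example.invalid/x">]><order>&x;</order>')
BROKEN_XML = b'<order><item></order>'

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_XML), ("dtd", DTD_XML), ("broken", BROKEN_XML)):
        print(label, "->", classify(body))
```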
For “A8:2017-Insecure Deserialization” we have many signatures, whose names usually include “serialization” or “serialized object”, for example:
- 200004188 PHP object serialization injection attempt (Parameter)
- 200003425 Java Base64 serialized object - java/lang/Runtime (Parameter)
- 200004282 Node.js Serialized Object Remote Code Execution (Parameter)