WAF 390700

From Atomicorp Wiki
Latest revision as of 20:42, 18 December 2013

Rule ID

390700

Status

Active rule currently published.

Alert Message

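Atomicorp.com WAF Rules: Invalid filename in FILES argument. Which may be a possible attempt at multipart/form-data bypass

An earlier revision of this page listed the alert message as "Atomicorp.com WAF Rules: Evasion Attack: Attempted multipart/form-data bypass".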

Description

This rule can be triggered if an attacker attempts to bypass the WAF's multipart assembler. There are several known attack methods that attempt to bypass WAFs by using this method.

Additionally, if any of the following characters are used in a filename this rule will be triggered:

";=

These characters are not supported in the filename and are reserved characters.
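For an upload client that keeps tripping this rule on filenames, the following added example (not Atomicorp code) checks a batch of filenames for the three characters listed above and proposes replacement names. The `_` replacement, the numeric-suffix scheme and the sample filenames are assumptions made for illustration; the rule's other multipart checks are not modelled.

```python
RESERVED = '";='  # the three characters this page lists for rule 390700


def reserved_chars(filename):
    """Return the reserved characters found in filename, in first-seen order."""
    return list(dict.fromkeys(ch for ch in filename if ch in RESERVED))


def safe_name(filename, taken, replacement="_"):
    """Replace reserved characters, then add a numeric suffix if the name is taken.

    The "_" replacement and "-N" suffix are illustrative choices, not WAF behaviour.
    """
    cleaned = "".join(replacement if ch in RESERVED else ch for ch in filename)
    stem, dot, ext = cleaned.rpartition(".")
    if not stem:  # no extension, or a dotfile such as ".profile"
        stem, dot, ext = cleaned, "", ""
    candidate, n = cleaned, 0
    while candidate in taken:
        n += 1
        candidate = f"{stem}-{n}{dot}{ext}"
    return candidate


def plan_uploads(filenames):
    """Return (original, reserved chars found, name to send) for each filename."""
    # Names that are already clean keep priority, so a renamed file never shadows one.
    taken = {f for f in filenames if not reserved_chars(f)}
    plan = []
    for name in filenames:
        found = reserved_chars(name)
        send_as = name
        if found:
            send_as = safe_name(name, taken)
            taken.add(send_as)
        plan.append((name, found, send_as))
    return plan


# Constructed sample filenames, not taken from any real log.
SAMPLE = ["report.pdf", "q3;final.pdf", 'say "hi".txt', "a=b.csv", "a_b.csv"]

if __name__ == "__main__":
    for original, found, send_as in plan_uploads(SAMPLE):
        status = "ok" if not found else "would trigger: " + " ".join(found)
        print(f"{original!r:18} {status:22} -> {send_as!r}")
```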

False Positives

False positives are rare with this rule. We do not recommend that you disable it unless you want to ignore any evasion based on the multipart parser in the WAF. Currently there are no known vulnerabilities in the 2.5.12 version of the WAF (ASL versions 2.2.7 and up are not vulnerable). Therefore, if you know that your client sends an invalid multipart message when uploading a file, you are running the latest version of ASL, and you do not care about detecting and blocking evasion-based attacks, disable this rule. We do not recommend disabling this rule; rather, we recommend fixing the application to ensure that it does not accept broken multipart messages.

If you believe this is a false positive, please report it to our security team so they can determine whether this is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page.

Tuning Recommendations

If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
