Vigil@nce - BIG-IP ASM: Cross Site Scripting via Web Scraping
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the anti-Web Scraping feature is enabled in BIG-IP
Application Security Manager, an attacker can trigger a Cross
Site Scripting.
Severity: 2/4
Creation date: 30/06/2011
IMPACTED PRODUCTS
– F5 BIG-IP Switch
DESCRIPTION OF THE VULNERABILITY
The Web Scraping feature of BIG-IP ASM (Application Security
Manager) detects when web sites are spidered. The administrator
can set it to Block, in order to forbid the spidering of web
sites.
However, an attacker can trigger a Cross Site Scripting when
Web Scraping is blocked. Technical details are unknown.
When the anti-Web Scraping feature is enabled in BIG-IP
Application Security Manager, an attacker can therefore trigger a
Cross Site Scripting.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/BIG-IP-ASM-Cross-Site-Scripting-via-Web-Scraping-10795