Reference: Attack Signatures

Attack signatures in a security policy are compared with requests or responses to attempt to identify classes of attacks, for example, SQL injection, command injection, cross-site scripting, and directory traversal.

Attack signature properties

| Property | Description |
|---|---|
| Signature ID | Specifies the signature number automatically provided by WAF. |
| Signature Type | Specifies whether the signatures are for all traffic, for requests only, or for responses only. |
| Signature Scope | The different parts of the request input used in signatures to search for specific fixed strings. |
| Attack Type | Attack signatures in a security policy are compared with requests or responses to attempt to identify classes of attacks, for example, SQL injection, command injection, cross-site scripting, and directory traversal. See Attack Types. |
| Systems | Displays which systems (for example, web applications, web server databases, or application frameworks) the signature or set protects. |
| Risk | Indicates the level of potential damage this attack might cause if it is successful. Low indicates the attack does not cause direct damage or reveal highly sensitive data. Medium indicates the attack may reveal sensitive data or cause moderate damage. High indicates the attack may cause a full system compromise. |
| Accuracy | Indicates the ability of the attack signature to identify the attack including susceptibility to false-positive alarms. Low indicates a high likelihood of false positives. Medium indicates some likelihood of false positives. High indicates a low likelihood of false positives. |
| Last Updated | Indicates the date when the attack signature was most recently updated. |
| CVE | The Common Vulnerabilities and Exposures (CVE) number. |
| Reference | When available, displays an F5-trusted link to an external web site explaining full details of the attack signature. |
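
The properties above, shown as an added example (not F5's engine or signature syntax): a minimal Python matcher in which Signature Type, Signature Scope and Accuracy decide whether a signature is evaluated against a message. The signature IDs, patterns, scope names and sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

LEVEL = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Signature:
    sig_id: int
    sig_type: str     # "request", "response" or "all"
    scope: tuple      # message parts searched, e.g. ("uri", "parameter")
    attack_type: str
    risk: str         # "low" | "medium" | "high"
    accuracy: str     # "low" | "medium" | "high"
    pattern: str      # regular expression searched for in each scoped part

# Constructed signatures: IDs, scope names and patterns are illustrative
# assumptions, not real WAF signatures.
SIGNATURES = [
    Signature(900001, "request", ("uri", "parameter"), "Path Traversal", "high", "high", r"\.\./"),
    Signature(900002, "request", ("parameter",), "SQL-Injection", "high", "medium", r"\bunion\b.+\bselect\b"),
    Signature(900003, "response", ("body",), "Information Leakage", "low", "low", r"<!--.*\bpassword\b.*-->"),
    Signature(900004, "all", ("header", "body"), "Cross-site Scripting (XSS)", "medium", "medium", r"<script\b"),
]

# Constructed sample messages, split into the parts a signature scope can name.
REQUEST = {"uri": "/download", "parameter": "file=..%2F..%2Fetc%2Fpasswd&q=1+UNION+SELECT+name", "header": "User-Agent: curl"}
RESPONSE = {"header": "Content-Type: text/html", "body": "<html><!-- default password is changeme --><script src=/a.js></script></html>"}

def match(direction, parts, min_accuracy="low"):
    """Return the IDs of signatures that fire on one message, in list order."""
    hits = []
    for sig in SIGNATURES:
        if sig.sig_type not in (direction, "all"):          # Signature Type
            continue
        if LEVEL[sig.accuracy] < LEVEL[min_accuracy]:       # Accuracy threshold
            continue
        for part in sig.scope:                              # Signature Scope
            text = unquote_plus(parts.get(part, ""))        # decode once (assumption)
            if re.search(sig.pattern, text, re.IGNORECASE | re.DOTALL):
                hits.append(sig.sig_id)
                break
    return hits
```

Raising `min_accuracy` trades coverage for fewer false positives: on the sample request it drops the medium-accuracy SQL-Injection signature and keeps only the high-accuracy Path Traversal one.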

Attack types

This table describes the types of attacks that attack signatures can detect. You can filter lists of attack signatures by attack type.

| Attack Type | Description |
|---|---|
| Abuse of Functionality | Uses a web site's own features and functionality to consume, defraud, or circumvent the application’s access control mechanisms. |
| Authentication/Authorization Attacks | Targets a web site's method of validating the identity of a user, service or application. Authorization attacks target a web site's method of determining if a user, service, or application has the necessary permissions to perform a requested action. |
| Buffer Overflow | Alters the flow of an application by overwriting parts of memory. An attacker could trigger a buffer overflow by sending a large amount of unexpected data to a vulnerable component of the web server. |
| Command Execution | Occurs when an attacker manipulates the data in a user-input field by submitting commands that could alter the web page content or web application by running a shell command on a remote server to reveal sensitive data, for example, a list of users on a server. |
| Cross-site Scripting (XSS) | Forces a web site to echo attacker-supplied executable code, which loads in a user's browser. |
| Denial of Service | Overwhelms system resources to prevent a web site from serving normal user activity. |
| Detection Evasion | Attempts to disguise or hide an attack to avoid detection by an attack signature. |
| Directory Indexing | Involves a web server function that lists all of the files within a requested directory if the normal base file is not present. |
| HTTP Response Splitting | Pertains to an attempt to deliver a malicious response payload to an application user. |
| Information Leakage | Occurs when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system. |
| LDAP Injection | Concerns an attempt to exploit web sites that construct LDAP statements from user-supplied input. |
| Non-browser Client | Relates to an attempt by automated client access to obtain sensitive information. HTML comments, error messages, source code, or accessible files may contain sensitive information. |
| Other Application Attacks | Represents attacks that do not fit into the more explicit attack classifications, including email injection, HTTP header injection, attempts to access local files, potential worm attacks, CDATA injection, and session fixation. |
| Path Traversal | Forces access to files, directories, and commands that potentially reside outside the web document root directory. |
| Predictable Resource Location | Attempts to uncover hidden web site content and functionality. |
| Remote File Include | Occurs as a result of unclassified application attacks such as when applications use parameters to pass URLs between pages. |
| Server Side Code Injection | Attempts to exploit the server and allow an attacker to send code to a web application, which the web server runs locally. |
| SQL-Injection | Attempts to exploit web sites that construct SQL statements from user-supplied input. |
| Trojan/Backdoor/Spyware | Tries to circumvent a web server’s or web application’s built-in security by masking the attack within a legitimate communication. For example, an attacker may include an attack in an email or Microsoft Word document, and when a user opens the email or document, the attack starts. |
| Vulnerability Scan | Uses an automated security program to probe a web application for software vulnerabilities. |
| XPath Injection | Occurs when an attempt is made to inject XPath queries into the vulnerable web application. |