SOL12953 - A Cross-Site Scripting (XSS) vulnerability exists in the BIG-IP ASM Web Scraping feature

ID SOL12953
Type f5
Reporter f5
Modified 2016-07-25T00:00:00


To determine if the BIG-IP ASM configuration contains any vulnerable security policies, check whether the policies configured on the system have the Web Scraping feature set to Block. To do so, open the Configuration utility and navigate to Application Security >> Policy List >> [policy_name] >> Blocking >> Settings >> Web scraping detected. If the Block setting for the Web scraping detected input violation is selected, the policy is susceptible to cross-site scripting (XSS) attacks.

Note: For more information about the Web Scraping feature, refer to the Configuration Guide for BIG-IP Application Security Manager.

F5 Product Development is tracking this issue as ID 360825.

This issue has been fixed in cumulative hotfix Hotfix-BIGIP-10.2.2-852.0-HF1, which has been issued for BIG-IP 10.2.2. You may download this hotfix or later versions of the cumulative hotfix from the F5 Downloads site.

For information about installing a hotfix for version 10.x systems, refer to SOL10025: Managing F5 product hotfixes for BIG-IP 10.x systems.

For information about downloading software from F5, refer to SOL167: Downloading software from F5.

For information about the F5 hotfix policy, refer to SOL4918: Overview of the F5 critical issue hotfix policy.

To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.


To work around this issue, disable the Block setting for the Web Scraping Detected violation on the Blocking Policy screen. To do so, perform the following procedure:

Impact of workaround: The BIG-IP ASM system will not block detected web scraping violations.

  1. Log in to the BIG-IP ASM Configuration utility.
  2. Navigate to Application Security > Policies List.
  3. Click the security policy name in which the Web Scraping violation is set to Block.
  4. From the Blocking menu, select Settings.
  5. In the Input Violation section, clear the Block setting for the Web Scraping Detected violation.
  6. Click Save.
  7. Click Apply Policy.


F5 would like to acknowledge cirosec for their efforts in identifying this issue.
