OWASP 2017 TOP 10

And how BIG-IP ASM mitigates the vulnerabilities.

	Vulnerability	BIG-IP ASM Controls
A1	Injection Flaws	Attack signatures Meta character restrictions Parameter value length restrictions
A2	Broken Authentication and Session Management	Brute Force protection Credentials Stuffing protection Login Enforcement Session tracking HTTP cookie tampering protection Session hijacking protection
A3	Sensitive Data Exposure	Data Guard Attack signatures (“Predictable Resource Location” and “Information Leakage”)
A4	XML External Entities (XXE)	Attack signatures (“Other Application Attacks” - XXE) XML content profile (Disallow DTD) (Subset of API protection)
A5	Broken Access Control	File types Allowed/disallowed URLs Login Enforcement Session tracking Attack signatures (“Directory traversal”)
A6	Security Misconfiguration	Attack Signatures DAST integration Allowed Methods HTML5 Cross-Domain Request Enforcement
A7	Cross-site Scripting (XSS)	Attack signatures (“Cross Site Scripting (XSS)”) Parameter meta characters HttpOnly cookie attribute enforcement Parameter type definitions (such as integer)
A8	Insecure Deserialization	Attack Signatures (“Server Side Code Injection”)
A9	Using components with known vulnerabilities	Attack Signatures DAST integration
A10	Insufficient Logging and Monitoring	Request/response logging Attack alarm/block logging On-device logging and external logging to SIEM system Event Correlation

 

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

• 200018018           External entity injection attempt

• 200018030           XML External Entity (XXE) injection attempt (Content)

Also, XXE attack could be mitigated by XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):