https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13207#M341 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I would suggest you look for /jwplayer/player.swf in the http-req-uri and a length of greater than 0 for the http-req-param-length.</P></BODY></HTML> Thu, 13 Dec 2012 22:27:58 GMT tettema 2012-12-13T22:27:58Z https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13206#M340 <HTML><HEAD></HEAD><BODY><P style="margin-top: auto; margin-bottom: auto;">Hi All,<BR /> <BR /> We are making the creation of a "Custom Signature" to detect an XSS vulnerability identified in the player JWPLAYER</P><P> The vulnerability occurs in / media / players / jwplayer / player.swf and HDSMediaProvider.swf. <BR /> Model: PA-4050<BR /> Software Version: 4.0.11</P><P> <BR /> For this we register accesses can be made to the player JWPLAYER with parameters in the URL.<BR /> Examples:<BR /> <A href="http://www.xxxx.xx/media/players/jwplayer/player.swf?abouttext=xxxxxx&amp;aboutlink=http://www.xxxx.xxx" target="_blank">http://www.xxxx.xx/media/players/jwplayer/player.swf?abouttext=xxxxxx&amp;aboutlink=http://www.xxxx.xxx</A></P><P style="margin-top: auto; margin-bottom: auto;"><A href="http://www.xxxxx.xx/media/players/jwplayer/player.swf?file=http://xxxxx.xxx&amp;image=http://" target="_blank">http://www.xxxxx.xx/media/players/jwplayer/player.swf?file=http://xxxxx.xxx&amp;image=http://</A>xxxx.xxxx</P><P style="margin-top: auto; margin-bottom: auto;"><A href="http://www.xxxxx.xx/media/players/jwplayer/player.swf?file=http://xxxxxx.xxx&amp;logo.file=http://xxxxx.xxx&amp;logo.link=" target="_blank">http://www.xxxxx.xx/media/players/jwplayer/player.swf?file=http://xxxxxx.xxx&amp;logo.file=http://xxxxx.xxx&amp;logo.link=</A>xxxxxxx</P><P style="margin-top: auto; margin-bottom: auto;"><BR /> <BR /> To create it first was used in an attempt to record all requests containing .swf? and indicating the call with parameters:<BR /> OPERATOR: Pattern Match<BR /> CONTEXT: REQ-HTTP-HEADERS<BR /> PATTERN: .*jwplayer /. *swf \? (.*) Also with&nbsp; ".*jwplayer /. *swf \?"<BR /> This rule did not detect the parameters<BR /> <BR /> Then we used 2 conditions with the following configuration:<BR /> And Condition 1:<BR />&nbsp; OPERATOR: PATTERN-MATCH<BR />&nbsp; CONTEXT: HTTP-REQ-URI-PATH<BR />&nbsp; PATTERN: .*jwplayer /.*swf<BR /> And Condition 2<BR />&nbsp; OPERATOR: PATTERN-MATCH<BR />&nbsp; CONTEXT: HTTP-REQ-PARAMS<BR />&nbsp; PATTERN: .*((file)|(abouttext)|(image)) While it should detect any url parameter, these are the ones who were using for testing.<BR /> <BR /> But it happened that not all parameters are detected. Therefore, the pattern will change to ((.+)|(abouttext)), since the minimum length is 7, but still does not detect any parameter.</P><P style="margin-top: auto; margin-bottom: auto;"><SPAN id="result_box" lang="en"><SPAN class="hps">The purpose</SPAN> <SPAN class="hps">of</SPAN> <SPAN class="hps">the rule</SPAN> <SPAN class="hps">is to detect any</SPAN> <SPAN class="hps">url</SPAN> <SPAN class="hps">with</SPAN> <SPAN class="hps">parameters</SPAN></SPAN></P><P></P><P>Sorry for the google translation</P></BODY></HTML> Thu, 13 Dec 2012 11:39:15 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13206#M340 noc_soc 2012-12-13T11:39:15Z https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13207#M341 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I would suggest you look for /jwplayer/player.swf in the http-req-uri and a length of greater than 0 for the http-req-param-length.</P></BODY></HTML> Thu, 13 Dec 2012 22:27:58 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13207#M341 tettema 2012-12-13T22:27:58Z https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13208#M342 <HTML><HEAD></HEAD><BODY><P><SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps">It's</SPAN> <SPAN class="hps">just what we need</SPAN>.<BR /><SPAN class="hps">Thanks for the reply</SPAN></SPAN></P></BODY></HTML> Mon, 17 Dec 2012 11:22:07 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/issues-with-custom-vulnerability/m-p/13208#M342 noc_soc 2012-12-17T11:22:07Z