Forum Discussion
Parveez_70209
Nimbostratus
Aug 09, 2014
AlertLogic Vulnerability : "Web Server Allows cross-Site Tracing" : Suggestion Needed
Hi Team,
Keeping in mind that GET and POST methods are used to request information from a web server, but as the HTTP protocol allows several others including HEAD, PUT, DELETE, TRACE, OPTIONS, ...
John_Alam_45640
Aug 10, 2014
Historic F5 Account
This iRule can block these methods, but a few adjustments are needed:
1) matchclass is old; with version 11.x you should use [class match ...].
2) [matchclass] or [class match ...] do not work on TCL lists or arrays; they operate on BigIP datagroups. Create a "String" based datagroup and reference it in the iRule.
3) Rather than listing the disallowed methods, the allowed list is shorter.

    ltm data-group internal /Common/allowed_http_methods {
        records {
            "GET"
            "POST"
        }
        type string
    }
    ltm rule only_allowed_nethods {
        when HTTP_REQUEST {
            # Reject any request whose method is not in the allowed data group
            if { not ( [class match [HTTP::method] equals /Common/allowed_http_methods] ) } {
                reject
            }
        }
    }
HTH
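An added example, not part of the posts above and not F5 code: a Python check that sends each HTTP method to a virtual server and lists any method outside the allow-list that still receives an HTTP answer, meaning it got past the iRule. The names `probe`, `audit`, `Stub` and `start_stub` are made up here, and the stub is a constructed loopback stand-in for the virtual server so the script runs offline.

```python
import http.client
import socketserver
import threading

ALLOWED = {"GET", "POST"}  # same entries as the allowed_http_methods data group
PROBES = ["GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "OPTIONS"]

def probe(host, port, method, timeout=3.0):
    """Send one request; return the HTTP status, or "rejected" if the connection drops."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/")
        return conn.getresponse().status
    except (http.client.HTTPException, OSError):
        return "rejected"
    finally:
        conn.close()

def audit(host, port):
    """Probe every method; any HTTP answer to a method outside ALLOWED got past the iRule."""
    results = {m: probe(host, port, m) for m in PROBES}
    leaks = [m for m in PROBES if m not in ALLOWED and results[m] != "rejected"]
    return results, leaks

class Stub(socketserver.StreamRequestHandler):
    """Constructed stand-in for the virtual server so the example runs offline."""
    enforce = True

    def handle(self):
        method = self.rfile.readline().split(b" ")[0].decode()
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass  # drain the request headers
        if self.enforce and method not in ALLOWED:
            return  # no HTTP response, which is what the client sees after `reject`
        self.wfile.write(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

def start_stub(enforce):
    """Start the stand-in on a free loopback port; enforce=False models no iRule attached."""
    handler = type("Handler", (Stub,), {"enforce": enforce})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for enforce in (False, True):
        srv = start_stub(enforce)
        results, leaks = audit(*srv.server_address)
        print("iRule attached:" if enforce else "no iRule:", results, "leaks:", leaks)
        srv.shutdown()
```

Point `audit(host, port)` at your own virtual server after attaching the iRule; an empty leak list means only GET and POST are answered.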