Forum Discussion

Ted-Nordvall
May 21, 2026
Solved

APM URL encoding Hardening?

Some companies still use on-prem SharePoint, and SharePoint is what it is. We have had multiple servers deployed for quite some while now with ASM tuned for its quirks and so on. However - after u...
  • Jeff_Granieri
    May 21, 2026

    Hi Ted-Nordvall

    I used our F5 iRules Assistant video to help analyze your current iRule; functionally it works fine. Putting on a security cap, it is probably a good idea to have AWAF on this VS as well to help with HTTP compliance and signature matching at a bare minimum. I did look at some possible enhancements to secure up the iRule:

    when RULE_INIT {
      # Build the map once at load time. Every key is a Tcl double-quoted
      # string, so backslash, double quote and CR/LF must be written as
      # "\\", "\"", "\r" and "\n". CR and LF MUST be encoded to prevent
      # CRLF injection / request smuggling toward the pool member.
      set static::uri_encode_map [list \
        "\{" "%7B"  "\}" "%7D"  "|" "%7C"  "\\" "%5C" \
        "^"  "%5E"  "`"  "%60"  " " "%20"  "\"" "%22" \
        "<"  "%3C"  ">"  "%3E"  "\r" "%0D" "\n" "%0A" \
        "\x00" "%00" "\x01" "%01" "\x02" "%02" "\x03" "%03" \
        "\x04" "%04" "\x05" "%05" "\x06" "%06" "\x07" "%07" \
        "\x08" "%08" "\x09" "%09" "\x0B" "%0B" "\x0C" "%0C" \
        "\x0E" "%0E" "\x0F" "%0F" "\x7F" "%7F"]
    }

    when HTTP_REQUEST {
      # Rewrite the path + query string in a single pass; [string map]
      # looks each character up once, so already-encoded %XX sequences
      # are left alone (there is no "%" key, hence no double encoding).
      set orig_uri [HTTP::uri]
      set new_uri  [string map $static::uri_encode_map $orig_uri]
      if { $new_uri ne $orig_uri } {
        HTTP::uri $new_uri
      }
    }


    And here is what our AI assistant had to say about it:


    AI Assistant 09:29 am

    Objective

    • Ensure that any unsafe or smuggling-prone characters in the incoming HTTP request URI are percent-encoded before being sent to the pool member.

    • Build a static lookup map once at rule initialization to translate braces, control characters, whitespace, and other disallowed bytes into their “%XX” forms.

    • On each HTTP request, compare the original URI to its encoded version and update it if any translation occurred.


    Execution Flow

    • RULE_INIT event

    – Runs when the iRule is loaded.

    – Uses set static::uri_encode_map [list …] to construct a list of character-to-percent-encoding pairs in a static variable.

    • HTTP_REQUEST event

    – Triggers after full parsing of client HTTP headers (per docs for HTTP_REQUEST).

    – set orig_uri [HTTP::uri] retrieves the raw path and query string.

    – set new_uri [string map $static::uri_encode_map $orig_uri] applies all mappings from the static map.

    – If the mapped URI differs (if { $new_uri ne $orig_uri }), call HTTP::uri $new_uri to set the rewritten URI toward the server.


    Overall summary: This iRule cleanly builds a reusable encoding map at initialization and applies it on each HTTP request to neutralize potential CRLF or directory-traversal threats, using documented BIG-IP iRule commands as intended.

    Please test in a non-prod/QA environment. Hope it helps.
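A Python model of the encoding map from the iRule above, added here as an example (not code from the reply or from F5): it mirrors the single-pass behaviour of `[string map]`, checks that no raw CR/LF survives the rewrite, and reports which control bytes the map as posted leaves unencoded; the sample URI and all function names are constructed for this example.

```python
from typing import Dict, Set

# The character-to-percent-encoding map from the iRule, transcribed to Python
# (constructed here; the iRule keys are Tcl double-quoted strings).
URI_ENCODE_MAP: Dict[str, str] = {
    "{": "%7B", "}": "%7D", "|": "%7C", "\\": "%5C",
    "^": "%5E", "`": "%60", " ": "%20", '"': "%22",
    "<": "%3C", ">": "%3E", "\r": "%0D", "\n": "%0A",
}
for code in (*range(0x00, 0x0A), 0x0B, 0x0C, 0x0E, 0x0F, 0x7F):
    URI_ENCODE_MAP[chr(code)] = "%%%02X" % code


def encode_uri(uri: str) -> str:
    """Single-pass replacement, like Tcl [string map] with one-char keys:
    each input character is looked up once, so an existing '%0D' in the
    input is left untouched (no '%' key, hence no double encoding)."""
    return "".join(URI_ENCODE_MAP.get(ch, ch) for ch in uri)


def has_bare_crlf(uri: str) -> bool:
    """True if a raw CR or LF is still present after the rewrite."""
    return "\r" in uri or "\n" in uri


def missing_controls() -> Set[int]:
    """Control bytes (0x00-0x1F, 0x7F) that the map does NOT encode.
    For the map as posted this is 0x10-0x1F, which a hardened map
    would want to add."""
    controls = set(range(0x00, 0x20)) | {0x7F}
    return {c for c in controls if chr(c) not in URI_ENCODE_MAP}


if __name__ == "__main__":
    # Constructed sample: SharePoint-style path with braces, a space and
    # an injected CRLF that would otherwise start a new header line.
    sample = "/sites/hr/_layouts/15/start.aspx#/Lists/{GUID}/view.aspx?x=a b\r\nX-Injected: 1"
    out = encode_uri(sample)
    print(out)
    print("bare CRLF left:", has_bare_crlf(out))
    print("unencoded control bytes:", sorted(hex(c) for c in missing_controls()))
```

Feeding a request through the model before and after a map change is a quick way to confirm the set of bytes the iRule neutralises without touching a BIG-IP.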