Forum Discussion
ASM - Block GET requests on a specific URL
- Dec 07, 2015
1 - Creating a new User-defined ASM violation
Security > Options > Application Security > Advanced Configuration > Violations List > User Defined Violations (tab); Select "Create New User-Defined Violation"
Sample Field Values (adjust as needed):
Name "VIOLATION_FORBIDDEN_GET_PATH"
Title "GET Request to a restricted path"
Type "Access Violation"
Severity "Alert"
Attack Type "Abuse of Functionality"
Description (leave empty)
2 - Go to Blocking Settings
Select Block for your new custom violation (or Alarm, if you want to transparently test)
3 - Creating an iRule
The sample below covers the simplest use case, a single path. In case of 10 or more paths, using an LTM data group entry match or a switch statement would be a better option.
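when HTTP_REQUEST {
    # Reset the flag on every request
    set reqBlock 0
    # Flag GET requests to the restricted path (case-insensitive match)
    if {([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] equals "/mypath/index.aspx")} {
        set reqBlock 1
    }
}
when ASM_REQUEST_DONE {
    # Raise the user-defined violation for flagged requests
    if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
    }
}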
- Stanislas_Piro2 Dec 10, 2015
Cumulonimbus
Hi, nice solution! Is it possible to check HTTP method and HTTP path in ASM_REQUEST_DONE event?
- Hannes_Rapp_162 Dec 10, 2015
Nacreous
Worth a try, but I'd expect a TCL error to occur. At least in case of 11.3, this was not possible. Perhaps a newer version already supports common HTTP_REQUEST functions to be called in ASM_REQUEST_DONE event.
- Bharat_Merja_24 Dec 28, 2016
Historic F5 Account
Hi, I used the same context in my iRule as follows, but I am not able to get the ASM_REQUEST_DONE event triggered.
when HTTP_REQUEST {
    set reqBlock 0
    if {([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] starts_with "/home/")} {
        set reqBlock 1
        log local0. "now reqBlock = $reqBlock"
    }
}
when ASM_REQUEST_DONE {
    log local0. "ASM_REQUEST_DONE triggered"
    if { $reqBlock == 1 } {
        ASM::raise BLOCK_PATH_ACCESS
        log local0. "ASM have raised BLOCK_PATH_ACCESS"
    }
}
I don't know the reason. I have tried to use the same on 11.6.x and 12.1.1, with the same results: not able to get the log "ASM_REQUEST_DONE triggered".
- Stanislas_Piro2 Dec 28, 2016
Cumulonimbus
Hi,
You must enable "Trigger ASM iRule events" on the ASM policy (Security / Policy / Your Policy / Advanced view).
- Bharat_Merja_24 Jan 04, 2017
Historic F5 Account
Hi,
Thanks a million, it works.
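Added example (not part of any post in this thread): the multi-path variant the first answer recommends, combining an LTM data group lookup for exact paths with a switch statement for prefix rules such as the "/home/" case discussed above. The data group name forbidden_get_paths_dg is hypothetical; the example assumes it is a string data group holding lowercase paths, that the user-defined violation from step 1 exists, and that "Trigger ASM iRule events" is enabled on the ASM policy.

```tcl
# Added example, not code from the thread.
# Assumption: forbidden_get_paths_dg is a hypothetical LTM string data group
# with one lowercase path per record, e.g. "/mypath/index.aspx".
# Assumption: VIOLATION_FORBIDDEN_GET_PATH is defined and set to Block (or Alarm)
# in Blocking Settings, and "Trigger ASM iRule events" is enabled on the policy.

when HTTP_REQUEST {
    # Reset on every request so a flag never carries over to the next
    # request on the same keep-alive connection
    set reqBlock 0

    if { [HTTP::method] equals "GET" } {
        # Normalize case once; data group records are stored in lowercase
        set reqPath [string tolower [HTTP::path]]

        if { [class match $reqPath equals forbidden_get_paths_dg] } {
            # Exact path listed in the data group
            set reqBlock 1
        } else {
            # Prefix rules that do not fit an exact-match data group
            switch -glob -- $reqPath {
                "/home/*" { set reqBlock 1 }
            }
        }
    }
}

when ASM_REQUEST_DONE {
    # Guard with info exists so the event cannot fail with a TCL error
    # if the flag was never initialized for this request
    if { [info exists reqBlock] && $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
    }
}
```

Setting the violation to Alarm first, as step 2 suggests, lets you confirm in the ASM event log that only the intended paths are flagged before switching to Block.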
