
Forum Discussion

0veracl0ud_1734
Dec 04, 2015
Solved

ASM - Block GET requests on a specific URL

Hello, I'm trying hard to block GET requests on a specific URL with the ASM module. This URL has to allow only POST requests and I saw that GET / POST requests are allowed by default in the methods...
  • Hannes_Rapp_162
    Dec 07, 2015

    1 - Creating a new User-defined ASM violation

    Security > Options > Application Security > Advanced Configuration > Violations List > User Defined Violations (tab); Select "Create New User-Defined Violation"

    Sample Field Values (adjust as needed):
    Name "VIOLATION_FORBIDDEN_GET_PATH"
    Title "GET Request to a restricted path"
    Type "Access Violation"
    Severity "Alert"
    Attack Type "Abuse of Functionality"
    Description (leave empty)
    

    2 - Go to Blocking Settings

    Select Block for your new custom violation (or Alarm, if you want to transparently test)

    3 - Creating an iRule

    The sample below covers the simplest use case, a single path. In case of 10 or more paths, using an LTM data group entry match or a switch statement would be a better option.

    when HTTP_REQUEST {
      # Reset the flag on every request
      set reqBlock 0
      if { ([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] equals "/mypath/index.aspx") } {
        set reqBlock 1
      }
    }
    when ASM_REQUEST_DONE {
      # Raise the user-defined violation for flagged requests
      if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
      }
    }
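
The data group variant mentioned in step 3, as an added example that is not part of the original answer. It assumes an LTM string data group with the hypothetical name restricted_get_paths, holding one lower-case path per record (for example "/mypath/index.aspx").

```tcl
# Added example, not from the original answer.
# Assumption: "restricted_get_paths" is an LTM string data group whose
# records are lower-case paths that must not be reachable with GET.
when HTTP_REQUEST {
    # Reset per request so a keep-alive connection does not carry the flag over.
    set reqBlock 0
    if { [HTTP::method] equals "GET" } {
        # Lower-case the path so the lookup is case-insensitive,
        # matching the behaviour of the single-path rule.
        if { [class match [string tolower [HTTP::path]] equals restricted_get_paths] } {
            set reqBlock 1
        }
    }
}
when ASM_REQUEST_DONE {
    # Raise the user-defined violation created in step 1; the blocking
    # settings from step 2 decide whether it blocks or only alarms.
    if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
    }
}
```

Adding or removing a restricted path then only requires editing the data group, not the iRule. ASM iRule events have to be enabled in the security policy for ASM_REQUEST_DONE to fire.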