For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

2funky_105078's avatar
2funky_105078
Icon for Cirrus rankCirrus
Sep 06, 2016

ASM - order of precedence in denying rules

Hello,

 

  1. I have a list of few URLs allowed, which has been enforced OK.
  2. I finished the learning process (disabled both RTPB and learning for URL entities (set to Neve - Wildcard Only)
  3. I dont have any * wildcard in the allowed-URLs list
  4. I do have .php as allowed file extension

Why ASM does not block me a non-exisitng url like hhhhhhhhhh.php (why it uses rule 4 and not 1 to deny this page).

 

how can i allow only a limited set of URLs with a particular extension?

 

More in general, if there are overlapping policy rules in URLs/FileTypes, which ones are enforced first?

 

ASM Advanced WAF
security

4 Replies

  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Sep 06, 2016

    1. In regards to first question, do you have 

      Blocking
      tickbox selected for "Illegal URL" violation? You can check this in Security -> App Security -> Blocking -> Settings (If not, select it, save changes, and apply changes to policy)

    2. If you have listed php in your Allowed File Types but have not allowed "/hhhhhhhhhh.php" URL, then any requests to that path will be blocked assuming that:

      • 2.1 You have configured your policy to block requests to "Illegal URLs" (see 1.). "Illegal URL" violation occurs when a matching HTTP path is not found in "Allowed URLs".

      • 2.2 A Wildcard (*) is not in the "Allowed URLs" list

      • tl;dr: Both are evaluated, the URL as well as the File Type. If a violation is triggered on either condition, the other condition cannot supersede and "unblock the request". Therefore, it's not relevant which condition is evaluated first.

    Also note that ASM uses incorrect terminology as 'Allowed URL' is technically a 'Allowed HTTP Path'. What's more, there are some problems with what ASM calls a 'Parameter', but that's not really related here. Just acknowledge that incorrect use of terminology is common in the module, and it will stretch out the learning curve or even contribute to some incidents because of misunderstanding.

    • Jinshu's avatar
      Jinshu
      Icon for Cirrus rankCirrus
      Sep 06, 2016

      Cheers Hannes.. You rock.!!

       

      -Jinshu

       

  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    Sep 06, 2016

    1. In regards to first question, do you have 

      Blocking
      tickbox selected for "Illegal URL" violation? You can check this in Security -> App Security -> Blocking -> Settings (If not, select it, save changes, and apply changes to policy)

    2. If you have listed php in your Allowed File Types but have not allowed "/hhhhhhhhhh.php" URL, then any requests to that path will be blocked assuming that:

      • 2.1 You have configured your policy to block requests to "Illegal URLs" (see 1.). "Illegal URL" violation occurs when a matching HTTP path is not found in "Allowed URLs".

      • 2.2 A Wildcard (*) is not in the "Allowed URLs" list

      • tl;dr: Both are evaluated, the URL as well as the File Type. If a violation is triggered on either condition, the other condition cannot supersede and "unblock the request". Therefore, it's not relevant which condition is evaluated first.

    Also note that ASM uses incorrect terminology as 'Allowed URL' is technically a 'Allowed HTTP Path'. What's more, there are some problems with what ASM calls a 'Parameter', but that's not really related here. Just acknowledge that incorrect use of terminology is common in the module, and it will stretch out the learning curve or even contribute to some incidents because of misunderstanding.