Forum Discussion
ASM : Allow specific tricky URL
Good morning all,
Well, I have two URLs that are driving me crazy and I cannot figure out the best way to allow them:
First one:
/email/id_user/user@outlook.com
==> triggers a file type violation
/email/id_user/user2@outlook.edu.us
==> triggers a file type violation
I'm thinking about using a regex but I don't know how or where (with iRules or in "Allowed URLs").
Second one:
image/avatar/pic01234521.jpg'/
==> triggers illegal metacharacter
So how can I allow the ' but only in this path?
I'm looking for the most optimal, secure way to do this.
And I know this should be simple but I just can't get it working. Any help will be met with massive amounts of respect.
- DaveMu_375542
Nimbostratus
Hi Amine,
If you want to get something like image/avatar/pic01234521.jpg'/ through:
- In "Allowed URLs", you can create one like image/avatar/*
- Change it from "Explicit" to "Wildcard"
- Click the "Meta Characters" tab that pops up next to "Attack Signatures"
- Then add the '(0x27) from the list
That will allow any URI starting with image/avatar/, even if it contains a ' metacharacter.
- DaveMu_375542
Nimbostratus
As to your first question, you could add each of those top level domains to the Allowed File Types. Each violation in the ASM logs should also allow you to learn them individually. If that's impractical for you, you could also write an iRule. It could say something like, IF the URI starts with "/email/id_user/", AND triggers a File Type Violation, it should be UNBLOCKED, but any other violations should remain BLOCKED.
- Amine_373499
Nimbostratus
It's impossible to do it with file types, because I'll need to add a lot of extensions: .ma, .fr, .com, .edu ... a lot. So I love your second suggestion! But can you help more? I have no idea how to make it work with an iRule!
And I also want to thank you for your help!
- Amine_373499
Nimbostratus
I wonder, if I put this regex as an allowed URL: \/([a-zA-Z0-9_\-.]+)@([a-zA-Z0-9_\-.]+).([a-zA-Z]{2,5})(\/.)?$
Should it work?
- DaveMu_375542
Nimbostratus
You can allow that regular expression in Application Security > Parameters > Parameters List. Create a new Explicit parameter, select "URL" for Parameter Level and enter your path. You can then enable the regular expression in the DataType tab. "enable" the check box and add your expression.
 
Here's a good intro to how iRules works, but I think the following should unblock any request that starts with "/email/id_user/" and also triggers a filetype violation.
 
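when ASM_REQUEST_DONE {
    # Unblock only when the file type violation is the sole violation on this URI prefix
    if { ([HTTP::uri] starts_with "/email/id_user/") and ([ASM::violation names] equals "VIOLATION_OBJ_TYPE") } { ASM::unblock }
}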
I hope this helps!
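
Added example, not part of the original thread: a quick Python check of what the regular expression posted above accepts before it is used to relax the policy, next to a tightened pattern. The tightened pattern, the use of Python's re module (search for the posted pattern, full match for the tightened one) and all sample URIs other than the two from the question are assumptions made for illustration; how ASM itself anchors the expression is not covered here.

```python
import re

# Pattern exactly as posted in the thread: only a trailing "$" anchor,
# and the "." before the TLD is unescaped (matches any character).
POSTED = re.compile(
    r"\/([a-zA-Z0-9_\-.]+)@([a-zA-Z0-9_\-.]+).([a-zA-Z]{2,5})(\/.)?$"
)

# Hypothetical tightened pattern (an assumption, not from the thread):
# fixed path prefix, dot-separated labels, literal "." before the TLD.
TIGHT = re.compile(
    r"/email/id_user/"
    r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*"    # local part
    r"@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"     # host labels
    r"\.[A-Za-z]{2,5}"                        # TLD
)

def posted_allows(uri):
    """True if the posted pattern matches anywhere in the URI."""
    return POSTED.search(uri) is not None

def tight_allows(uri):
    """True only if the whole URI matches the tightened pattern."""
    return TIGHT.fullmatch(uri) is not None

# The first two URIs come from the question; the rest are constructed.
SAMPLES = [
    "/email/id_user/user@outlook.com",
    "/email/id_user/user2@outlook.edu.us",
    "/admin/export/user@outlook.com",   # different path, same tail
    "/email/id_user/user@outlook",      # no dot before the "TLD"
    "/email/id_user/..@...com",         # dots only around the "@"
]

def compare(uris):
    """Map each URI to (posted pattern allows, tightened pattern allows)."""
    return {u: (posted_allows(u), tight_allows(u)) for u in uris}

if __name__ == "__main__":
    for uri, (posted, tight) in compare(SAMPLES).items():
        print(f"{uri:40} posted={posted!s:5} tight={tight}")
```

Both patterns accept the two URIs from the question; only the posted one also accepts the three constructed URIs, because it is not tied to the /email/id_user/ prefix and its unescaped "." matches any character.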
 
- Amine_373499
Nimbostratus
Any further suggestions, please?