Forum Discussion

Nimbostratus

Apr 10, 2023

ASM irule to disable attack signature authorization header with specific value

hello is there an irule to DISABLE ASM attack signature on the Authorization header if value contains "Bearer" but still check attack signature on rest of the payload

devops

security

Enes_Afsin_Al
Apr 10, 2023
Hi f5learner,

Can you try this iRule?

when ASM_REQUEST_DONE { if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [HTTP::header Authorization] starts_with "Bearer" } { ASM::unblock } }

Trigger ASM iRule Events Mode should be set Normal on the WAF policy.

Note that if the request has any violations other than "attack signature detected", the request will be completely unblocked.
Enes_Afsin_Al
Apr 20, 2023
Hi,

When more than one violation occurs, if "Block" is active in one violation, but not in the other violation, the request_status for ASM::violation_data does not occur individually. It is defined as "block".

A separate control is required for violations that are not in the block. I think, rather than using such an iRule, a simple policy should be preferred.

https://clouddocs.f5.com/api/irules/ASM__violation_data.html

f5learner

Nimbostratus

Thank you for your help

by changing to CONTAINS allowed bypass for other violations in Blocking mode as well, for example I blacklisted my source IP but the request was allowed so that should not happen

The flow could look like this

Part one

if ONLY violation name VIOLATION_ATTACK_SIGNATURE exist with Authorization header with value starts with Bearer - Unblock
it can be achieved per your initial help with following if statement with eq

if { [ASM::violation names] eq "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [b64decode [llookup [ASM::violation details] "header.header_name"]] eq "Authorization" && [HTTP::header Authorization] starts_with "Bearer" }

second part would be

if ONLY violation name VIOLATION_ATTACK_SIGNATURE exist with Authorization header with value starts with Bearer (first part above) BUT ALSO ANY another violation exist BUT with ONLY Applied Blocking Settings Alarm and Learn or ALARM OR LEARN - then Unblock as well

accomplishing second part above would also ensure that Part one above will not be impacted if other triggers are only in alarm/learn mode?

f5learner

Nimbostratus

Apr 20, 2023

I am not sure if it is possible to be that granular? please let me know thank you for your help

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

ASM irule to disable attack signature authorization header with specific value

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

JWT authorization with NGINX Ingress Controller

OWASP Tactical Access Defense Series: Broken Function Level Authorization (BFLA)

iRule - Authorization Bearer / Basic

OWASP Tactical Access Defense Series: Broken Object Property Level Authorization and BIG-IP APM

Resolve Citrix Secure Ticket Authority (STA)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS