Forum Discussion
Block keywords
Hello,
I am looking for a way to block access based on the presence of certain keywords contained within the URL, e.g.:
GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=
We are already blocking the pattern /CTC/.* from the Internet and internal networks using an iRule, but the concern is that there may be other paths that would allow an attacker to run commands such as EXECUTE_CMD, CMDLINE, etc.
Is there a way to block these keywords regardless of the URL patterns being accessed?
Thanks,
Karthik
3 Replies
- Arie
Altostratus
This could be tricky, as you would have to check for valid variations (e.g. encoded) as well. A simple string-comparison would still leave room for attackers.
Would you happen to have a license for ASM? That would be the best way to cover the variations an attacker would use.
Another option would be to implement some kind of authentication mechanism.
- Arie
Altostratus
It would be best to harden the application. A quick search for "hardening SAP" yields numerous resources (including from SAP).
You may end up having to do both (i.e. harden SAP and augment security on the BIG-IP) - depending on the version of SAP you're running and the options it offers for security/hardening.
There's a presentation on OWASP's web site that seems to indicate that there are quite a few more problems than the URL commands. It's several years old, so perhaps SAP has fixed those security issues. On the other hand, I found more recent articles that also detail security problems with SAP.
- Karthik_Krishn1
Cirrostratus
Thanks Arie. We are going to be putting up an ASM in the near future and applying relevant SAP Notes. However, in the meantime I need to quickly block these keywords and would appreciate any help in getting this done.
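As an added example (not code posted by anyone in this thread), here is a minimal iRule that does what the original post asks for while addressing the encoded-variant caveat raised above: it URL-decodes the request URI (twice, to catch double encoding), lowercases it, and rejects the request with a 403 if any of the listed keywords appears anywhere in the path or query string, regardless of which servlet path is used. The keyword list is an assumption taken from the request in the original post; in practice you would move it into a data group so it can be maintained without editing the iRule.

```tcl
when HTTP_REQUEST {
    # Normalize the URI: decode percent-encoding (twice, to defeat double
    # encoding such as %2545 -> %45 -> E) and fold case so that mixed-case
    # variants like "Execute_Cmd" are caught by a plain substring check.
    set uri [string tolower [URI::decode [URI::decode [HTTP::uri]]]]

    # Keywords to block. Assumed list based on the request shown in the
    # question; in production keep these in a data group (class).
    set blocked_keywords { "execute_cmd" "cmdline" "filesystemconfig" }

    foreach kw $blocked_keywords {
        if { [string first $kw $uri] != -1 } {
            # Log the raw (undecoded) URI so the original encoding is preserved
            # for incident review, then drop the request with a 403.
            log local0. "Blocked request from [IP::client_addr] matching '$kw': [HTTP::uri]"
            HTTP::respond 403 content "Forbidden"
            return
        }
    }
}
```

Because the match runs on the decoded, lowercased URI, this catches the plain request from the original post as well as percent-encoded and mixed-case spellings of the same keywords. It does not inspect POST bodies or other headers, and a substring match may produce false positives if a legitimate URL happens to contain one of the words, so keep the list short and specific and watch the local0 log after deployment. For broader coverage of evasion techniques, ASM (as suggested above) remains the better tool.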
