Block specific parameter value

Question

Hello All,&nbsp;I am working on WAF policy where i need to allow any query paramter vlaue but block ones with sites or hostnames, example below.BLOCK : https://hostname/index.html?para1=https://example.comALLOW: https://hostname/index.html?para1=name1.htmlI dont have the option to use static parameter type because of the nature of the web app, can someone share ideas or best approch ?&nbsp;

ismael_goncalves · Answer

Hi&nbsp;AHMADAD,
It seems you are trying to protect against a SSRF attack. We would need to know more on the what kind of input should be allowed in this parameter, but I antecipate a couple of options that could help you mitigating the problem:
1) Configure SSRF signatures on the parameters to prevent common SSRF targets (this might not cover all the attack scenarios)2) Disable meta character "/" and "." in case they are not expected (as well as other meta-characters) for the parameter3) Configure minum/maximum lenght of the parameter4) Configure the parameter with a Regular Expression representing the data you are expecting&nbsp;5) Configure an Enum list in the param with expected values (this is completely static)6) If you are on BIG-IP 16.1.x verify if the SSRF protection could help with your scenario:&nbsp;https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/mitigating-ssrf.html&nbsp;and here&nbsp;https://support.f5.com/csp/article/K86285140&nbsp;
My 2 cents.
&nbsp;

daniel_wolf · Answer

Hi&nbsp;AHMADAD,&nbsp;
you say that you want to prevent sites and hostnames as parameter value. But in my opinion this is a site:
ALLOW:&nbsp;https://hostname/index.html?para1=name1.html
Or do you consider this a page and pages are allowed?
Could you explain what you are trying to protect or prevent with this?&nbsp; Are you trying to protect yourself from CSRF? There is a solution for this:&nbsp;K11930: Overview of the BIG-IP ASM CSRF protection feature.&nbsp;
However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.
KRDaniel

ahmadad · Answer

Hi Daniel,&nbsp;Thank you for your response.Exactly, i considered&nbsp;this a page and its allowed but i don't&nbsp;want users to insert sites in parameter values, i 100% agree with you that this is something should be resolved at application side but was trying to help in my end as workaround 😉&nbsp;Thanks for sharing the CSRF link, we don't&nbsp;want to apply this solution as we have not tested it for this specific application and it may has negative side effects&nbsp;

ahmadad · Answer

Hi&nbsp;Ismael_GoncalvesThanks a lot&nbsp;for the helpful options,&nbsp; i will definitely consider&nbsp;options 1,2 and 6.&nbsp;

Forum Discussion

Block specific parameter value

Recent Discussions

why the device certificate verify failed when the device certificate is not expired?

how does gtm/dns monitor wild-ip pool members?

3rd party SFP

Custom Attack Signature for Accept Header

Upgrade to 'BIGIP-15.1.0.5-0.0.8 (Could not access configuration source; sda, 1)

Related Content

ASM blocked request contains & (ampersand) symbol in parameter value

Post of the Week: Blocking a Specific URI

ASM block all whitelisted urls and parameters in standby device

Brute Force protection for single parameter like OTP

Block IP after a number of ASM Blocks

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS