Block specific parameter value
Hello All,
I am working on a WAF policy where I need to allow any query parameter value but block ones with sites or hostnames, example below.
BLOCK : https://hostname/index.html?para1=https://example.com
ALLOW: https://hostname/index.html?para1=name1.html
I don't have the option to use a static parameter type because of the nature of the web app, can someone share ideas or the best approach?
- Ismael_Goncalves (Employee)
Hi AHMADAD,
It seems you are trying to protect against an SSRF attack. We would need to know more on what kind of input should be allowed in this parameter, but I anticipate a couple of options that could help you mitigate the problem:
1) Configure SSRF signatures on the parameters to prevent common SSRF targets (this might not cover all the attack scenarios)
2) Disable meta character "/" and "." in case they are not expected (as well as other meta-characters) for the parameter
3) Configure minimum/maximum length of the parameter
4) Configure the parameter with a Regular Expression representing the data you are expecting
5) Configure an Enum list in the param with expected values (this is completely static)
6) If you are on BIG-IP 16.1.x verify if the SSRF protection could help with your scenario: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/mitigating-ssrf.html and here https://support.f5.com/csp/article/K86285140
My 2 cents.
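To make options 2 and 4 concrete, here is an added example (not BIG-IP/ASM configuration, and not code from anyone in this thread) of an allow-list check for the parameter: the expected page-name format, a single relative file name such as `name1.html`, is an assumption, and everything that does not match it is blocked, with URL-like shapes and the `/` and `.` metacharacters reported as the reason.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed page-name format: a single relative file name like "name1.html",
# with no path separators, no scheme and no host-like dotted components.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.html$")

# Absolute ("https://...") or protocol-relative ("//host/...") URL syntax.
# Used only to explain a rejection; the allow-list above is what decides.
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)


def classify(value: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one query-parameter value.

    One extra percent-decode is applied so that a double-encoded value
    such as "https%3A%2F%2Fexample.com" is judged like the plain URL.
    """
    decoded = unquote(value)
    if PAGE_NAME.fullmatch(decoded):
        return "allow", "matches expected page-name format"
    if URL_LIKE.match(decoded):
        return "block", "absolute or protocol-relative URL"
    if "/" in decoded or decoded.count(".") > 1:
        return "block", "path separator or host-like dotted name"
    return "block", "does not match expected page-name format"


def check_url(url: str) -> dict[str, str]:
    """Map each query parameter of a request URL to its decision."""
    query = urlsplit(url).query
    # parse_qsl percent-decodes once; classify() decodes once more.
    return {name: classify(value)[0]
            for name, value in parse_qsl(query, keep_blank_values=True)}


if __name__ == "__main__":
    # The two constructed requests from the question above.
    for request in ("https://hostname/index.html?para1=name1.html",
                    "https://hostname/index.html?para1=https://example.com"):
        print(request, "->", check_url(request))
```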
- AHMADAD (Altostratus)
Thanks a lot for the helpful options, I will definitely consider options 1, 2 and 6.
- Daniel
Hi AHMADAD,
You say that you want to prevent sites and hostnames as parameter value. But in my opinion this is a site:
ALLOW: https://hostname/index.html?para1=name1.html
Or do you consider this a page and pages are allowed?
Could you explain what you are trying to protect or prevent with this? Are you trying to protect yourself from CSRF? There is a solution for this: K11930: Overview of the BIG-IP ASM CSRF protection feature.
However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.
KR
Daniel
- AHMADAD (Altostratus)
Hi Daniel,
Thank you for your response.
Exactly, I considered this a page and it's allowed, but I don't want users to insert sites in parameter values. I 100% agree with you that this is something that should be resolved on the application side, but I was trying to help on my end as a workaround 😉
Thanks for sharing the CSRF link, we don't want to apply this solution as we have not tested it for this specific application and it may have negative side effects.