Forum Discussion

4 Replies


    It seems you are trying to protect against an SSRF attack. We would need to know more about what kind of input should be allowed in this parameter, but I anticipate a couple of options that could help you mitigate the problem:

    1) Configure SSRF signatures on the parameters to prevent common SSRF targets (this might not cover all the attack scenarios)
    2) Disable the meta characters "/" and "." in case they are not expected (as well as other meta-characters) for the parameter
    3) Configure a minimum/maximum length for the parameter
    4) Configure the parameter with a Regular Expression representing the data you are expecting
    5) Configure an Enum list in the param with the expected values (this is completely static)
    6) If you are on BIG-IP 16.1.x, verify whether the SSRF protection could help with your scenario: and here

    My 2 cents.
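An added worked example (editor's code, not from the reply above or from F5): it puts options 2, 3 and 4 from the list side by side with an option-1-style pattern denylist, so you can see why the reply warns that signatures "might not cover all the attack scenarios". It assumes, from the thread's ALLOW example, that the parameter is expected to carry a bare page name like `name1.html`; the deny patterns are a constructed illustration, not F5's signature set, and the sample values are constructed too. The same `allowlist_allows` check is what the application itself should run if the validation is moved out of the WAF.

```python
import re
from urllib.parse import urlsplit

# Option 4 from the post: a positive pattern describing the data we expect.
# ASSUMPTION: the parameter carries a bare page name such as "name1.html"
# (no path, no host, no query). Adjust the pattern if the app differs.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.html")
MAX_LEN = 70  # option 3: hard length cap, slightly above the regex's own limit

# Option-1-style denylist of "common SSRF targets". Constructed for this
# example to show the weakness of the approach; it is NOT F5's signature set.
DENY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"^https?://", r"^ftp://", r"localhost",
              r"127\.0\.0\.1", r"169\.254\.169\.254")
]


def denylist_allows(value: str) -> bool:
    """True when no deny pattern fires. Bypassable, as the cases below show."""
    return not any(p.search(value) for p in DENY_PATTERNS)


def allowlist_allows(value: str) -> bool:
    """Options 2-4 combined: length cap, no '/' and no '.' except the one in
    '.html', and the whole value must have the expected shape."""
    if len(value) > MAX_LEN:
        return False
    # fullmatch anchors both ends and, unlike '$', does not tolerate a
    # trailing newline, so 'name1.html\n' and 'name1.html/../x' both fail.
    return PAGE_NAME_RE.fullmatch(value) is not None


def looks_like_url(value: str) -> bool:
    """Does the standard URL parser see a scheme or a host in the value?
    Used to show that 'passed the denylist' does not mean 'not a URL'."""
    parts = urlsplit(value)
    return bool(parts.scheme or parts.netloc)


# Constructed inputs: one legitimate value, one obvious URL, and a few
# values that the denylist lets through.
CASES = [
    "name1.html",                   # legitimate page name
    "https://hostname/index.html",  # absolute URL, caught by both
    "//attacker.example/x",         # scheme-relative URL, no 'http://' to match
    "//[::1]/",                     # IPv6 loopback, not in the deny patterns
    "gopher://internal:6379/_",     # non-HTTP scheme, not in the deny patterns
    "name1.html/../../admin",       # traversal appended to a valid-looking name
    "http://localhost/",            # caught by both
]


def denylist_bypasses(values=CASES) -> list:
    """Values the denylist accepts but the allowlist rejects."""
    return [v for v in values if denylist_allows(v) and not allowlist_allows(v)]


if __name__ == "__main__":
    for v in CASES:
        print(f"{v!r:32} denylist={denylist_allows(v)!s:5} "
              f"allowlist={allowlist_allows(v)!s:5} url={looks_like_url(v)}")
    print("denylist bypasses:", denylist_bypasses())
```

The point of the comparison: the denylist has to anticipate every spelling of a URL (scheme-relative, alternate schemes, IPv6, encoded loopback addresses), while the regex only has to describe the one shape the application expects, which is why the reply lists the pattern-based options after the signature option.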



    You say that you want to prevent sites and hostnames as parameter values. But in my opinion this is a site:

    ALLOW: https://hostname/index.html?para1=name1.html

    Or do you consider this a page and pages are allowed?

    Could you explain what you are trying to protect or prevent with this?  Are you trying to protect yourself from CSRF? There is a solution for this: K11930: Overview of the BIG-IP ASM CSRF protection feature

    However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.


    • AHMADAD (Altostratus)

      Hi Daniel, 

      Thank you for your response.

      Exactly, I considered this a page and it's allowed, but I don't want users to insert sites in parameter values. I 100% agree with you that this is something that should be resolved on the application side, but I was trying to help on my end as a workaround 😉

      Thanks for sharing the CSRF link; we don't want to apply this solution as we have not tested it for this specific application and it may have negative side effects.