Block specific parameter value
Hi AHMADAD,
It seems you are trying to protect against an SSRF attack. We would need to know more about what kind of input should be allowed in this parameter, but I anticipate a couple of options that could help you mitigate the problem:
1) Configure SSRF signatures on the parameters to prevent common SSRF targets (this might not cover all the attack scenarios)
2) Disable the meta characters "/" and "." in case they are not expected (as well as other meta-characters) for the parameter
3) Configure minimum/maximum length of the parameter
4) Configure the parameter with a Regular Expression representing the data you are expecting
5) Configure an Enum list in the param with expected values (this is completely static)
6) If you are on BIG-IP 16.1.x, verify if the SSRF protection could help with your scenario: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/mitigating-ssrf.html and here https://support.f5.com/csp/article/K86285140
My 2 cents.
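Options 2 to 5 above amount to a positive-security check on the parameter. As an added illustration (not part of the original post and not BIG-IP configuration), this Python example applies the same four checks in application code and reports which rule rejected a value; the parameter name `report_id`, the limits, the blocked character set and the sample values are all assumptions.

```python
import re

# Assumed policy for a hypothetical parameter "report_id" (not from the thread).
MIN_LEN, MAX_LEN = 3, 32                  # option 3: length bounds
BLOCKED_CHARS = set("/.:@\\%?#&")         # option 2: meta characters not expected
PATTERN = re.compile(r"[A-Za-z0-9_-]+")   # option 4: shape of the expected data
ENUM = None                               # option 5: pass a frozenset for a static list


def check_param(value, enum=ENUM):
    """Return (allowed, reason); the first failing rule names itself."""
    if not MIN_LEN <= len(value) <= MAX_LEN:
        return False, "length"
    bad = sorted(BLOCKED_CHARS.intersection(value))
    if bad:
        return False, "meta-character " + "".join(bad)
    if not PATTERN.fullmatch(value):
        return False, "regex"
    if enum is not None and value not in enum:
        return False, "enum"
    return True, "ok"


# Constructed sample values, not taken from the thread.
SAMPLES = [
    "q3-sales_2022",                   # expected form
    "http://internal.example/admin",   # URL-shaped value the parameter never needs
    "ab",                              # too short
    "q3 sales",                        # no blocked character, but fails the regex
    "q4-sales_2022",                   # well-formed, yet absent from the static list
]

if __name__ == "__main__":
    allowed = frozenset({"q3-sales_2022", "q1-sales_2022"})
    for v in SAMPLES:
        print(f"{v!r:35} regex-only={check_param(v)} with-enum={check_param(v, allowed)}")
```

The last sample shows the trade-off between options 4 and 5: the regular expression accepts any well-formed value, while the enum list accepts only values known in advance.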
- AHMADAD, Mar 07, 2022, Altostratus
Thanks a lot for the helpful options, I will definitely consider options 1, 2 and 6.