Forum Discussion
F5Hopper_28651
Nimbostratus
NimbostratusBlocking embedded JAVA and HTML
Hey Guys,
Im not sure I need to do this on a firewall level or I can do it on the F5. I have looked around and didnt find anything that matched up with what I wanted to do.
Im trying to block all request with embedded JavaScript and embedded HTTP except for the /LocationsAdmin.aspx for HTTP.
Thanks for any help
Ryan
hooleylistCirrostratus
Hi Ryan,
Can you clarify your scenario? Do you want to block any HTTP request to a virtual server that was generated automatically from clientside Javascript? How can you differentiate these requests from ones you want to allow?
Aaron
F5Hopper_28651I think for a first volly I want to attack the blocking of the embedded JavaScript. We have had some XSS attacks and their dropping in JavaScript. I thought I might be able to look for anything javascript and block it 100%.
DEV showed me this URL for an example.
http://www.BLOCKED.com/contact.aspx?d=%3Cscript%20src=%22/assets/modernizr-539876544e0fec3c0dd90fa78e11d079.js%22%20type=%22text/javascript%22%3E%3C/script%3E
and HTTP as
http://www.BLOCKED.com/contact.aspx?d=%3Cbr+%2F%3E
Im not a code master so this could be sand script to me.
Thanks- hooleylistYou could try to use an iRule validate the HTTP requests which trigger the XSS being sent to the client, but iRules aren't very well suited for doing validation of payload parameters. That's where ASM (Application Security Manager) would really help. ASM provides full validation of the HTTP/S request components and provides very good default attack signatures and meta-character enforcement to mitigate XSS vulnerabilities.
Aaron