For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bobby_Hood_3633's avatar
Bobby_Hood_3633
Icon for Nimbostratus rankNimbostratus
Jun 27, 2018

Blocking URLs with certain characters

I'm trying to use an iRule to drop any connections to a web server that include the less-than or greater-than characters in the URL. This is what I have so far. "illegal_url_chars" is a data group list containing two strings for the < and > characters.

It's not currently working and nothing is getting logged. This is my first iRule so any help is appreciated.

We're on v11.6.0 and upgrading to 13 soon.

when HTTP_REQUEST {
  if { [class match [HTTP::uri] contains illegal_url_chars] } {
    log local0. "Detected illegal URL characters from [IP::client_addr]"
    log local0. "[HTTP::request]"
    TCP::close
    drop
  }
}
LTM
security

4 Replies

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jun 28, 2018

    Hi,

     

    you can try this code:

     

    when HTTP_REQUEST {
  if { [string match {*[<>]*} [HTTP::uri]} {
    log local0. "Detected illegal URL characters from [IP::client_addr]"
    log local0. "[HTTP::request]"
    TCP::close
    drop
  }
}

    If the URI is encoded, you have to convert it before check

     

    when HTTP_REQUEST {
    set uri [URI::decode [HTTP::uri]]
  if { [string match {*[<>]*} $uri} {
    log local0. "Detected illegal URL characters from [IP::client_addr]"
    log local0. "[HTTP::request]"
    TCP::close
    drop
  }
}
  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Jul 02, 2018

    If you have ASM, you can do It easly... Otherwise you can use Stanislas Irule wich responds perfectly to your needs...