Forum Discussion
Brute Force Protection Configuration, Access Validation match successful logons with Location header, syntax?
I have a problem with ASM in the Brute Force Protection Configuration, Access Validation, match successful logons. The response of the logon page is only a redirect (no further content); here in the case of a failed logon:
HTTP/1.1 302 Found
Date: Wed, 06 Aug 2014 14:14:11 GMT
P3P: CP="NOI DSP COR NID CURa OUR NOR OTC"
Location: https://servername/shop/viewUserHome.do
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
In case of a successful logon the redirect location can be one of the following:
Location: https://servername/shop/initiateOrder.do
Location: https://servername/shop/viewUserHome.do
Because the same server/application works with multiple hostnames (name-based virtual hosting), the same logon URI is used and therefore the servername can change, which is the reason why I tried wildcards.
In the Brute Force Protection Configuration I defined in Access Violation to match successful logons:
Expected HTTP response status code
-> 302
Expected validation header name and value (for example, Location header); here I tried
-> Location: .*viewUserHome\.do|Location: .*initiateOrder\.do
-> Location: */shop/viewUserHome.do
also for tests
-> Location: https://servername/shop/viewUserHome.do
In no case does the validation header match, and "Maximum login attempts exceeded" is generated.
Does somebody know the correct syntax for the Expected validation header name and value field? Are wildcards possible? Or regex?
3 Replies
- Frank_Schuhmach
Altostratus
Sorry, mistake, the Location header in case of a failed logon is: Location: https://servername/shop/viewLogonForm.do
- Frank_Schuhmach
Altostratus
After several tests it seems that the ASM cannot work with wildcards or regex in the Expected validation header name and value field. So I found a solution by writing an iRule that inserts an additional header in the server response. The iRule inserts the header before the ASM inspects the response. ASM now checks the Expected validation header name and value field for "Login: succeeded".

when HTTP_REQUEST {
    # check if the request is /shop/login.do and set is_logon as a flag
    # (the variable persists on the connection and is read again in HTTP_RESPONSE)
    if { [HTTP::uri] equals "/shop/login.do" } {
        set is_logon true
    } else {
        set is_logon false
    }
}

when HTTP_RESPONSE {
    # check if the response is a redirect and my flag is_logon is set
    if { [HTTP::is_redirect] && $is_logon } {
        # only the path suffix is compared, so the hostname in Location does not matter
        if { [HTTP::header Location] ends_with "/shop/viewLoginForm.do" } {
            # header "Login: failed"
            HTTP::header insert Login failed
        } elseif { [HTTP::header Location] ends_with "/shop/viewUserHome.do" || [HTTP::header Location] ends_with "/shop/initiateOrder.do" } {
            # header "Login: succeeded", the value ASM's exact-match validation looks for
            HTTP::header insert Login succeeded
        }
    }
}
- David_Martin
Nimbostratus
Great idea!, thanks for sharing
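To illustrate Frank's iRule approach outside of a BIG-IP, here is an added example (not code from the thread or from F5) that parses constructed 302 responses from two virtual hosts, derives the host-independent "Login" marker header from the Location path suffix exactly as the iRule does, and shows why a literal, wildcard-free header check works on the marker but not on the full Location value. The hostnames shop1.example / shop2.example and the sample responses are constructed for the example.

```python
from urllib.parse import urlsplit

# Path suffixes from the thread; the hostname in front of them varies per virtual host.
SUCCESS_PATHS = ("/shop/viewUserHome.do", "/shop/initiateOrder.do")
FAILURE_PATHS = ("/shop/viewLogonForm.do",)

def parse_response(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def add_login_marker(status: int, headers: dict) -> dict:
    """Mirror of the iRule's HTTP_RESPONSE branch: only redirects are classified,
    and only the URL path of Location (never the host) decides the marker value."""
    if status // 100 != 3:          # not a redirect: leave the response untouched
        return headers
    path = urlsplit(headers.get("location", "")).path
    if path.endswith(SUCCESS_PATHS):
        headers["login"] = "succeeded"
    elif path.endswith(FAILURE_PATHS):
        headers["login"] = "failed"
    return headers

def exact_header_match(headers: dict, name: str, value: str) -> bool:
    """What a validator without wildcard/regex support does: literal comparison."""
    return headers.get(name.lower()) == value

def login_succeeded(raw: str) -> bool:
    """Full pipeline: parse, insert marker, then apply the exact 'Login: succeeded' check."""
    status, headers = parse_response(raw)
    return exact_header_match(add_login_marker(status, headers), "Login", "succeeded")

# Constructed samples: same application behind two hostnames, plus a non-redirect page.
SAMPLES = {
    "shop1_ok":   "HTTP/1.1 302 Found\r\nLocation: https://shop1.example/shop/viewUserHome.do\r\nContent-Length: 0\r\n\r\n",
    "shop2_ok":   "HTTP/1.1 302 Found\r\nLocation: https://shop2.example/shop/initiateOrder.do\r\nContent-Length: 0\r\n\r\n",
    "shop2_fail": "HTTP/1.1 302 Found\r\nLocation: https://shop2.example/shop/viewLogonForm.do\r\nContent-Length: 0\r\n\r\n",
    "page":       "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: login_succeeded={login_succeeded(raw)}")
```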