Forum Discussion
Custom ASM block for HTTP methods
Hi,
I want to block all HTTP methods except GET using ASM. I am using the iRule below for blocking and raising an ASM violation, but somehow iRule execution is failing while testing with HTTP method POST. I'm unable to find the reason for this failure. Can somebody help please?
    when HTTP_REQUEST {
        set reqBlock 0
        if { ( [HTTP::method] equals "GET" ) } {
            return
        } else {
            set reqBlock 1
        }
    }
    when ASM_REQUEST_DONE {
        if { $reqBlock == 1} {
            ASM::raise VIOLATION_FORBIDDEN_GET_PATH
        }
    }
7 Replies
how does it fail? what error do you get? there is an ASM policy on the virtual server right?
- Hannes_Rapp
Nimbostratus
Looks like a mashup of my custom violation iRule. Technically, it should work - maybe you have cache of previous results (webacceleration profile)?
This should do the trick in v11.x
    when HTTP_REQUEST {
        set reqBlock 0
        if { not ( [HTTP::method] eq "GET" ) } {
            set reqBlock 1
        }
    }
    when ASM_REQUEST_DONE {
        if { $reqBlock == 1} {
            ASM::raise VIOLATION_FORBIDDEN_METHOD
        }
    }

Also note that if you can upgrade to v12.1, you will get a better built-in control over allowed http methods per URL (also works with wildcard URLs):
https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-12-1-0.html
Enforcing a method on a URL
You can define a list of allowed and disallowed methods, for each URL, that will override the list defined on the security policy level.
- Jinshu
Cirrus
Hi,
I have found the issue. It was the custom violation causing the issue. I have modified it and it worked like a champ.
btw, I'm using 11.5 version.
Thanks guys for your help.
-Jinshu
- Yoann_Le_Corvi1
Cumulonimbus
Hi
You should not need an iRule for this one...
Check out Security > Application Security > Headers > Methods
Sincerely
- Jinshu
Cirrus
Hi Yoann, We can't modify the default GET and POST from there...
- Yoann_Le_Corvi1
Cumulonimbus
Hi
When I see the iRule I am not sure why the policy setting is not enough... But anyhow, have you also checked the box "Trigger ASM iRule Events" in the policy settings?
Yoann
- Jinshu
Cirrus
Yes. I have solved the issue. It was the custom violation causing the issue. I have modified it and it worked.
Thank you.
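
The thread traces the failure to the violation name passed to `ASM::raise`. The iRule below is an added example, not code posted by anyone in this thread: it keeps the same flag pattern but wraps the raise in `catch` so that a failing raise is written to the log rather than aborting the rule. `VIOLATION_NON_GET_METHOD` is a hypothetical user-defined violation name, and the example assumes the raise fails with a catchable Tcl error.

```tcl
# Added example. VIOLATION_NON_GET_METHOD is a hypothetical user-defined
# violation name; replace it with one that exists in your ASM configuration.
when HTTP_REQUEST {
    # Reset on every request: variables persist across keep-alive requests.
    set reqBlock 0
    set reqMethod [HTTP::method]
    # Method names are case-sensitive, so compare against "GET" exactly.
    if { $reqMethod ne "GET" } {
        set reqBlock 1
    }
}

when ASM_REQUEST_DONE {
    # This event fires only when "Trigger ASM iRule Events" is enabled
    # in the policy settings, as mentioned in the thread.
    if { [info exists reqBlock] && $reqBlock == 1 } {
        # Catch the Tcl error so the cause is logged instead of the
        # rule aborting with no indication of what went wrong.
        if { [catch { ASM::raise VIOLATION_NON_GET_METHOD } err] } {
            log local0.error "ASM::raise failed for $reqMethod [HTTP::uri] from [IP::client_addr]: $err"
        } else {
            log local0.info "Raised violation for $reqMethod [HTTP::uri] from [IP::client_addr]"
        }
    }
}
```

When the raise fails, the request is not blocked by this rule, so the error log line should be treated as an alert and the `catch` removed once the violation name is confirmed.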
