F5 ASM appears not blocking filetypes in http query

Question

F5 v15.1.3.1My F5 ASM policy is configured to block command executions and illegal file typesbut for example if I try to browse this url:https://my.web.site/netstat.exe&nbsp;Then ASM blocks the requestBut if I try https://my.web.site/path?netstat.exeIt is not getting blockedAny explanation?&nbsp;

abed_al-r · Answer

HiThanks for your responseThat actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$

2)_ Create Attack Signature List
    Security  ››  Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
    Security  ››  Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy
    Security  ››  Application Security : Security Policies : Policies List  ››  &lt;Policy_name&gt;  &gt;&gt; Attack Signatures&nbsp;

samir · Answer

Good question..&nbsp;1.&nbsp;https://my.web.site/netstat.exe&nbsp; ==&gt; here netstat.exe comes as file type and ASM is quickly blocking it as you have selected "Illegal file type" blocked during policy creations.2.&nbsp;https://my.web.site/path?netstat.exe&nbsp;==&gt; here URI is "path?netstat.exe" &amp; you have not asked ASM to blocked&nbsp;it and hence request is allowed. You need to act on&nbsp;positional parameters to block these kind of request.&nbsp;&nbsp;

abed_al-r · Answer

thanks for the replydo you mean that in the second example the netstat.exe is treated as parameter and not as fle type?and how should I act on positional parameters to block these kind of request?

samir · Answer

do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.

and how should I act on positional parameters to block these kind of request?

Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
Parameter Level: URL, URL Path: GET, Location: Query string, Parameter Value Type: User-input values, Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$

Hope it will work.

samir · Answer

Thank you so much for adding comments. can you please through some light on step 3

Forum Discussion

F5 ASM appears not blocking filetypes in http query

Recent Discussions

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

ports are showing open on online scanning tool

Related Content

Filetype detected incorrectly in ASM because of dot in URL

Block IP after a number of ASM Blocks

Block traffic

Response and blocking page

domain blocking

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS