totengraber_937
Dec 13, 2007
Help Replacing characters in URI(URL?)
Okay, I've tried to do this on my own, but have gotten nowhere.
It has been discovered that our web application is vulnerable to Cross-Site Scripting based on tests from ScanAlert.
I have looked into ASM, but the company is reluctant to spend the money on new hardware since our current hardware won't run the ASM.
What I would like to do is replace <, >, (, ) in the URI (URL) to their proper HTML equivalents. I have yet to get any iRule to even come close to doing this.
I would appreciate anyone's help if they have some pointers to help me on my way.
Thanks,
Todd
1 Reply
- What do you mean by "HTML equivalent"? Do you mean HTTP encoded or HTML encoded? The two are different.
URL encoding: "<" -> "%3c"
HTML Encoding: "<" -> "&lt;"
If it is the URL encoding you want, you can easily do so with the URI::encode iRule command:
    when HTTP_REQUEST {
        HTTP::uri [URI::encode [HTTP::uri]]
    }
This will turn "/foo<bar>bar(foo)" into "%2ffoo%3cbar%3ebar(foo)"
If you want to do HTML encoding, then you'll have to do a manual string map of what you want to convert:
    when HTTP_REQUEST {
        HTTP::uri [string map { "<" "&lt;" ">" "&gt;" } [HTTP::uri]]
    }
This will convert "/foo<bar>bar(foo)" into "/foo&lt;bar&gt;bar(foo)"
As far as I know there is not a URI or HTML encoded value for parentheses, but you can extend the last iRule above to whatever translation you want.
Hope this helps...
-Joe
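Added example, not part of the original thread: a Python model of what a backend receives after each kind of rewrite is applied to the request URI. The substitution tables, the sample URI, and the use of `urllib.parse` to stand in for the application's query parsing are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed substitution tables for the four characters named in the question.
# PERCENT uses URL (percent) encoding; ENTITY uses HTML entities as in the
# string map from the reply, with numeric entities assumed for the parentheses.
PERCENT = {"<": "%3c", ">": "%3e", "(": "%28", ")": "%29"}
ENTITY = {"<": "&lt;", ">": "&gt;", "(": "&#40;", ")": "&#41;"}


def rewrite(uri: str, table: dict) -> str:
    """Single-pass substitution, the same effect as Tcl's `string map`."""
    return "".join(table.get(ch, ch) for ch in uri)


def backend_view(uri: str) -> dict:
    """What an application sees after it splits and percent-decodes the query."""
    parts = urlsplit(uri)
    return {
        "path": parts.path,
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "fragment": parts.fragment,
    }


def compare(uri: str) -> dict:
    """Apply each rewrite to `uri`; return the rewritten URI and backend view."""
    result = {}
    for name, table in (("percent", PERCENT), ("entity", ENTITY)):
        rewritten = rewrite(uri, table)
        result[name] = {"uri": rewritten, "backend": backend_view(rewritten)}
    return result


if __name__ == "__main__":
    sample = "/search?q=<b>(x)&page=2"  # constructed request URI
    for name, info in compare(sample).items():
        print(name, info["uri"], info["backend"], sep="\n  ")
```

With the constructed sample, the percent-encoded rewrite decodes back to the original `q` value at the application, while the entity rewrite introduces `&`, `;` and `#`, which act as URI delimiters and change how the query is split.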
