CirrusHi,
I need to create a URL whitelist for a directory structure such as this:
/constant-name/constant-name/any-name/any-name/.../.../*.css
/constant-name/constant-name/any-name/any-name/.../.../*.pdf
/constant-name/constant-name/any-name/any-name/.../.../*.xml
So, where it says 'any-name' it's equivilant to wildcard, but I don't know how many subfolders there would be.
How would I go about putting it in a the ASM syntax?
Thanks
MVPHello Jonathan_c Aren't you using positional parametars in the URL if this is the case as explained in https://support.f5.com/csp/article/K52644614 or https://support.f5.com/csp/article/K72880030 ?
Mohamed_Ahmed_Kansoh suggestions are on the mark but if you are using positional parameters then see the article I provided and then you will have more granual control like to use static or dynamic parameters once F5 decodes the URL and the position of the parameters.
Thanks Nikoolayy1 ,
I did not use positional parameters before , it is very useful option to use.
MVPYup after that you can make the parameter static/dynamic or enable/dissable attack signatures for it like any other normal patameter as Jonathan_c example's is as command injection attack maybe for the URL this is not detected and if after using positional parameters still this is not blocked then the attack signatures need to be checked if the correct one is present and enforced (not in staging). The command injection signature can be enforced only for the positional parameter if it causes false postives in other places.
Hi Jonathan_c ,
Try this :
/constant-name/constant-nam/*.css
/constant-name/constant-name/*.xml
/constant-name/constant-name/*.pdf
- Make sure that you remove the " * " by default wildcard entity in allowed Urls and file types.
- Also Make sure that you configure ( pdf , xml , css ) as allowed file types.
Also refer to these KBs :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.html
and this as well :
https://support.f5.com/csp/article/K8623
it will help you much for correct syntax.
hope this help you.
Thanks
CirrusHi Mohamed,
Thanks for your suggestions.
Let me just be more clear - I'm looking to block attemps were an attacker tries to insert code in the URL path, such as:
/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css
if i'll add the URL like you suggested, won't it also allow the above example?
Hi Jonathan_c ,
well ,
I thought that you want to create these URLs as allowed.
> My recomendation is :
Ping in urls or users requests does not make sense and it should be sent such these requests to application so Create a disallowed Wildcard url.
choose if your application is Http or https and it should be like this : " *ping* " .
Or
you can create custom attack signature matches to " Ping " Word and assign it to your impacted ASM policy.
If you want to test the Cusom ping attack signature , I can do it and send the results to you.
or Check this KB :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
I hope it work with you
Ty
CirrusI also wasn't aware of the positional parameters, it looks helpful but I don't see how it can help in this scenario.
for example, if I'll create a URL with positional parameters like this:
Won't it will still allow a code injection where the wildcard is (marked red)?
Also, does this wildcard accepect one path level or any number of subfolders?
Anyway, I understand I'll need to add several more attack signatures in order to cover all bases.
Thank you Nikoolay and Mohamed for your inputs, they really helped me.
MVPBetter read an play/test with positional parameters to get the idea as they can work with wildcards or as wildcards (you will have to talk with your developers to get the idea how to configure the parameters) and then see if the command injections is detected and if not as I mentioned then maybe you have not added a signature set and/or enforced the correct signature.
That is my opinion and the input I can provide.
