Forum Discussion
Help with ASM URL wildcard syntax
Hi Jonathan_c,
Try this:
/constant-name/constant-name/*.css
/constant-name/constant-name/*.xml
/constant-name/constant-name/*.pdf
- Make sure that you remove the default " * " wildcard entity in allowed URLs and file types.
- Also make sure that you configure (pdf, xml, css) as allowed file types.
Also refer to these KBs:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.html
and this as well:
https://support.f5.com/csp/article/K8623
They will help you a lot with the correct syntax.
Hope this helps you.
Thanks
- Jonathan_c Nov 07, 2022 Cirrus
Hi Mohamed,
Thanks for your suggestions.
Let me just be more clear - I'm looking to block attempts where an attacker tries to insert code in the URL path, such as:
/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css
If I add the URL like you suggested, won't it also allow the above example?
- Nov 07, 2022
Hi Jonathan_c,
Well,
I thought that you wanted to create these URLs as allowed.
> My recommendation is:
Ping in URLs or users' requests does not make sense and it should be sent such these requests to application, so create a disallowed wildcard URL.
Choose whether your application is HTTP or HTTPS, and it should be like this: " *ping* ". Or
you can create a custom attack signature that matches the word " Ping " and assign it to your impacted ASM policy.
If you want to test the custom ping attack signature, I can do it and send the results to you.
Or check this KB:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
I hope it works for you.
Ty
- Jonathan_c Nov 07, 2022 Cirrus
Hi,
I gave the PING as an example from a true case we had, but it could be any type of code.
The issue is that our policy is whitelist based, and we have a bunch of URLs which we need to allow, like the one I wrote in the original post, but we still want to reject such attempts of code injections.
So on the one hand, we need the wildcard there, for subfolders and file names.
On the other hand, the wildcard allows the code injection...
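
The conflict described in the last post, as an added example that is not part of the thread and is not F5 code: it models the allowed wildcard entries as plain glob patterns (an assumption; `*` here matches any run of characters, `/` included) and shows that the injected path from the thread, moved under the allowed prefix, matches them. The hypothetical `strict_allows` check, with an assumed safe character set per path segment, keeps subfolders and file names flexible but rejects that path.

```python
import re
from fnmatch import fnmatchcase

# Allowed wildcard URLs as suggested earlier in the thread.
ALLOWED_WILDCARDS = [
    "/constant-name/constant-name/*.css",
    "/constant-name/constant-name/*.xml",
    "/constant-name/constant-name/*.pdf",
]
PREFIX = "/constant-name/constant-name/"
ALLOWED_EXTENSIONS = ("css", "xml", "pdf")

# Assumption: a legitimate path segment holds only letters, digits, '.', '_', '-'.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

# Constructed test paths: the injected path from the thread, placed under the
# allowed prefix, and a normal request for a stylesheet in a subfolder.
INJECTED = PREFIX + "folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css"
LEGIT = PREFIX + "folder3/styles.css"


def wildcard_allows(path):
    """Glob match only: '*' swallows any characters, so metacharacters pass."""
    return any(fnmatchcase(path, pattern) for pattern in ALLOWED_WILDCARDS)


def strict_allows(path):
    """Fixed prefix, then validate every segment, then check the extension."""
    if not path.startswith(PREFIX):
        return False
    segments = path[len(PREFIX):].split("/")
    for segment in segments:
        # Reject traversal segments and anything outside the safe character set
        # (spaces, pipes, backticks, empty segments from '//', and so on).
        if segment in (".", "..") or not SAFE_SEGMENT.fullmatch(segment):
            return False
    name, _, extension = segments[-1].rpartition(".")
    return bool(name) and extension in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for label, path in (("legit", LEGIT), ("injected", INJECTED)):
        print(label, "wildcard:", wildcard_allows(path), "strict:", strict_allows(path))
```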