Forum Discussion
CirrusHelp with ASM URL wildcard syntax
Hi Jonathan_c ,
Try this :
/constant-name/constant-nam/*.css
/constant-name/constant-name/*.xml
/constant-name/constant-name/*.pdf
- Make sure that you remove the " * " by default wildcard entity in allowed Urls and file types.
- Also Make sure that you configure ( pdf , xml , css ) as allowed file types.
Also refer to these KBs :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.html
and this as well :
https://support.f5.com/csp/article/K8623
it will help you much for correct syntax.
hope this help you.
Thanks
CirrusHi Mohamed,
Thanks for your suggestions.
Let me just be more clear - I'm looking to block attemps were an attacker tries to insert code in the URL path, such as:
/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css
if i'll add the URL like you suggested, won't it also allow the above example?
Hi Jonathan_c ,
well ,
I thought that you want to create these URLs as allowed.
> My recomendation is :
Ping in urls or users requests does not make sense and it should be sent such these requests to application so Create a disallowed Wildcard url.
choose if your application is Http or https and it should be like this : " *ping* " .Or
you can create custom attack signature matches to " Ping " Word and assign it to your impacted ASM policy.
If you want to test the Cusom ping attack signature , I can do it and send the results to you.
or Check this KB :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
I hope it work with you
Ty- Jonathan_c
Hi,
I gave the PING as an example from a true case we had. but it could be any type of code.
The issue is that our policy is whitelist based, and we have a bunch of URLs which we need to allow, like the one I wrote in the original post, but we still want to reject such attempts of code injections.
So from the one hand, we need the wildcard there, for subfolders and file names.
From the other hand, the wildcard allows the code injection...
Jonathan_c
well , I think at this Case you need to add all attack signature sets which related to Code injections such as " server side code injections and ... more " and make sure that you enforced them all.
or
> you can add all of these suspected codes as a disallowed wildcard urls , like we did with" *ping* " ,
> Also , configure well ( http protocol compliance and Evasion technique ) in ASM learning and blocking settings.
Because I thing a request looks like this " folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css " should be blocked by ( http protocol compliance or Evasion technique ).
> that was my opinion , I will do further tests in my test environment.
If I get an optimal solution meets your needs , I will share it here directly.Thanks
