Forum Discussion
Help with ASM URL wildcard syntax
Hi Mohamed,
Thanks for your suggestions.
Let me just be more clear - I'm looking to block attemps were an attacker tries to insert code in the URL path, such as:
/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css
if i'll add the URL like you suggested, won't it also allow the above example?
Hi Jonathan_c ,
well ,
I thought that you want to create these URLs as allowed.
> My recomendation is :
Ping in urls or users requests does not make sense and it should be sent such these requests to application so Create a disallowed Wildcard url.
choose if your application is Http or https and it should be like this : " *ping* " .
Or
you can create custom attack signature matches to " Ping " Word and assign it to your impacted ASM policy.
If you want to test the Cusom ping attack signature , I can do it and send the results to you.
or Check this KB :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
I hope it work with you
Ty
- Jonathan_cNov 07, 2022Cirrus
Hi,
I gave the PING as an example from a true case we had. but it could be any type of code.
The issue is that our policy is whitelist based, and we have a bunch of URLs which we need to allow, like the one I wrote in the original post, but we still want to reject such attempts of code injections.
So from the one hand, we need the wildcard there, for subfolders and file names.
From the other hand, the wildcard allows the code injection...
- Nov 07, 2022
Jonathan_c
well , I think at this Case you need to add all attack signature sets which related to Code injections such as " server side code injections and ... more " and make sure that you enforced them all.
or
> you can add all of these suspected codes as a disallowed wildcard urls , like we did with" *ping* " ,
> Also , configure well ( http protocol compliance and Evasion technique ) in ASM learning and blocking settings.
Because I thing a request looks like this " folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css " should be blocked by ( http protocol compliance or Evasion technique ).
> that was my opinion , I will do further tests in my test environment.
If I get an optimal solution meets your needs , I will share it here directly.Thanks
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com