For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jonathan_c's avatar
Jonathan_c
Icon for Cirrus rankCirrus
Nov 07, 2022

Help with ASM URL wildcard syntax

Hi, I need to create a URL whitelist for a directory structure such as this: /constant-name/constant-name/any-name/any-name/.../.../*.css /constant-name/constant-name/any-name/any-name/.../.../*.p...
application delivery
asm
BIG-IP
security
url syntax
wildcard
Jonathan_c's avatar
Jonathan_c
Icon for Cirrus rankCirrus
Nov 08, 2022

I also wasn't aware of the positional parameters, it looks helpful but I don't see how it can help in this scenario.

for example, if I'll create a URL with positional parameters like this:

Won't it will still allow a code injection where the wildcard is (marked red)?

Also, does this wildcard accepect one path level or any number of subfolders?

Anyway, I understand I'll need to add several more attack signatures in order to cover all bases.

Thank you Nikoolay and Mohamed for your inputs, they really helped me.

 

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Nov 08, 2022

Better read an play/test with positional parameters to get the idea as they can work with wildcards or as wildcards (you will have to talk with your developers to get the idea how to configure the parameters) and then see if the command injections is detected and if not as I mentioned then maybe you have not added a signature set and/or enforced the correct signature.

 

That is my opinion and the input I can provide.