Forum Discussion
Help with ASM URL wildcard syntax
Hi,
I need to create a URL whitelist for a directory structure such as this:
/constant-name/constant-name/any-name/any-name/.../.../*.css
/constant-name/constant-name/any-name/any-name/.../.../*.pdf
/constant-name/constant-name/any-name/any-name/.../.../*.xml
So, where it says 'any-name' it's equivalent to a wildcard, but I don't know how many subfolders there would be.
How would I go about putting it in the ASM syntax?
Thanks
- Jonathan_cCirrus
I also wasn't aware of the positional parameters, it looks helpful but I don't see how it can help in this scenario.
for example, if I'll create a URL with positional parameters like this:
Won't it still allow a code injection where the wildcard is (marked in red)?
Also, does this wildcard accept one path level or any number of subfolders?
Anyway, I understand I'll need to add several more attack signatures in order to cover all bases.
Thank you Nikoolay and Mohamed for your inputs, they really helped me.
Better read and play/test with positional parameters to get the idea, as they can work with wildcards or as wildcards (you will have to talk with your developers to get the idea of how to configure the parameters), and then see if the command injection is detected. If not, as I mentioned, then maybe you have not added a signature set and/or enforced the correct signature.
That is my opinion and the input I can provide.
Hello Jonathan_c, aren't you using positional parameters in the URL? If this is the case, see https://support.f5.com/csp/article/K52644614 or https://support.f5.com/csp/article/K72880030 .
Mohamed_Ahmed_Kansoh's suggestions are on the mark, but if you are using positional parameters then see the articles I provided; you will then have more granular control, like using static or dynamic parameters once F5 decodes the URL and the position of the parameters.
Thanks Nikoolayy1,
I did not use positional parameters before; it is a very useful option to use. Yup, after that you can make the parameter static/dynamic or enable/disable attack signatures for it like any other normal parameter. As Jonathan_c's example is a command injection attack, maybe for the URL this is not detected, and if after using positional parameters this is still not blocked, then the attack signatures need to be checked to see if the correct one is present and enforced (not in staging). The command injection signature can be enforced only for the positional parameter if it causes false positives in other places.
Hi Jonathan_c ,
Try this :
/constant-name/constant-name/*.css
/constant-name/constant-name/*.xml
/constant-name/constant-name/*.pdf
- Make sure that you remove the default " * " wildcard entity in allowed URLs and file types.
- Also make sure that you configure ( pdf , xml , css ) as allowed file types.
Also refer to these KBs :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.html
and this as well :
https://support.f5.com/csp/article/K8623
They will help you much with the correct syntax.
Hope this helps you.
Thanks - Jonathan_cCirrus
Hi Mohamed,
Thanks for your suggestions.
Let me just be more clear - I'm looking to block attempts where an attacker tries to insert code in the URL path, such as:
/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css
If I add the URL like you suggested, won't it also allow the above example?
Hi Jonathan_c ,
Well,
I thought that you wanted to create these URLs as allowed.
> My recommendation is:
Ping in URLs or user requests does not make sense, and such requests should not reach the application, so create a disallowed wildcard URL.
Choose whether your application is HTTP or HTTPS, and it should look like this: " *ping* ". Or
you can create a custom attack signature that matches the word " ping " and assign it to your impacted ASM policy.
If you want to test the custom ping attack signature, I can do it and send the results to you.
or Check this KB :
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
I hope it works for you.
Ty
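To make the point of this thread concrete (an allowed wildcard URL on its own lets Jonathan's injected path segment through; a disallowed `*ping*` URL or a per-segment command-injection signature is what actually blocks it), here is an added, stand-alone Python model. It is not from the thread, from F5, or from ASM itself. It assumes ASM-style wildcard matching where `*` spans any characters including `/` (so one `*` covers any number of subfolders), a deliberately crude regex standing in for a real command-injection signature, and a simplified check order (disallowed URLs, then allowed URLs, then signatures). The sample paths are constructed, one of them being the injection example from the thread.

```python
import fnmatch
import re
from urllib.parse import unquote

# Allowed wildcard URLs, as suggested in the thread (constructed list).
# Assumption: '*' matches any run of characters, including '/', as in ASM wildcard URLs,
# so a single '*' covers any depth of subfolders. fnmatch's '*' behaves the same way.
ALLOWED_URLS = [
    "/constant-name/constant-name/*.css",
    "/constant-name/constant-name/*.pdf",
    "/constant-name/constant-name/*.xml",
]

# Disallowed wildcard URL from the thread ('*ping*').
DISALLOWED_URLS = ["*ping*"]

# Crude stand-in for a command-injection attack signature applied per path segment:
# shell metacharacters, or a common command name followed by whitespace.
# Real ASM signatures are far richer; this is only an illustration (assumption).
CMD_INJECTION = re.compile(r"[|;&`$]|\b(ping|nc|curl|wget|sh|bash|cmd)\b\s")


def wildcard_match(path, pattern):
    """Case-sensitive wildcard match where '*' spans '/' (assumed ASM semantics)."""
    return fnmatch.fnmatchcase(path, pattern)


def allowed_url_match(path):
    """True if the path matches any allowed wildcard URL."""
    return any(wildcard_match(path, p) for p in ALLOWED_URLS)


def disallowed_url_match(path):
    """True if the path matches any disallowed wildcard URL."""
    return any(wildcard_match(path, p) for p in DISALLOWED_URLS)


def segments_with_injection(path):
    """Return the decoded path segments that trip the toy command-injection signature."""
    decoded = unquote(path)
    return [seg for seg in decoded.split("/") if seg and CMD_INJECTION.search(seg)]


def evaluate(path):
    """Return (verdict, reason) for a request path.

    Simplified order (assumption, not a statement of ASM internals):
    disallowed URL -> allowed URL -> signature check on each segment.
    """
    decoded = unquote(path)
    if disallowed_url_match(decoded):
        return ("block", "disallowed URL")
    if not allowed_url_match(decoded):
        return ("block", "URL not in allowed list")
    hits = segments_with_injection(decoded)
    if hits:
        return ("block", "command injection signature in segment(s): %r" % hits)
    return ("allow", "ok")


if __name__ == "__main__":
    # Constructed sample paths; the third is the injection example from the thread.
    samples = [
        "/constant-name/constant-name/a/b/c/site.css",
        "/other/x.css",
        "/constant-name/constant-name/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css",
        "/constant-name/constant-name/a%7Cid/x.pdf",          # URL-encoded pipe
        "/constant-name/constant-name/shipping-list/ping-pong/x.pdf",  # benign 'ping' substrings
    ]
    for s in samples:
        print("allowed-URL match:", allowed_url_match(unquote(s)), "->", evaluate(s), s)
```

Running it shows the injected path still matches `/constant-name/constant-name/*.css`, so the allowed URL alone would pass it; the `*ping*` disallowed URL blocks that one, and the per-segment signature catches the URL-encoded pipe variant that `*ping*` does not. The last sample also shows the trade-off Nikoolayy1 raised: a bare `*ping*` disallowed URL would also block benign folder names such as `ping-pong`, which is why scoping the command-injection signature to the positional parameter is the less noisy option.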