Forum Discussion

Eran_Barzilay_3's avatar
Eran_Barzilay_3
Icon for Nimbostratus rankNimbostratus
Jul 04, 2017

How to add or remove allowed parameters during runtime

Hi. I'm working on a solution for a 'forgot my password' scenario, in which my server generates a temporary URL (url with a hash parameter, valid for X hours) and sends it to the clients. I want to the ASM to allow the temporary URL (or hash parameter) only as long as it is valid, and block the same URL with invalid parameters. Is there a way to add or remove allowed parameters to a URL during runtime? Is there a way to do this using an API (java / REST / other)?

 

Thanks, Eran

 

ASM Advanced WAF
security
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jul 04, 2017

    Hi,

    you can manage it with an irule (store 302 redirect URL parameter in a table) and raise a ASM user-defined violation if the URL is not in table. (not tested)

    when HTTP_RESPONSE {
    if {[HTTP::status] equals 302 && [set id [URI::query [HTTP::header Location] myparameter]] ne ""} {
        table set -subtable resetPassword $myparameter 0 7200
    }
    unest id
}

when HTTP_REQUEST {
    set reqBlock 0
    if {([HTTP::path] equals "/reset/url") && ([set id [URI::query [HTTP::uri] myparameter]] ne "") && !([table lookup -subtable resetPassword $id])} {
        set reqBlock 1
    }
    unset id
}

when ASM_REQUEST_DONE {
     Block not allowed request with ASM if enabled. Raise ASM user defined violation FILTER_IRULE_VIOLATION
    if {$reqBlock} {
        set violation_details [list [list Reason iRule_Event]]
        lappend violation_details [list Filter Denied_URL]
        ASM::raise FILTER_IRULE_VIOLATION $violation_details
    }
}