For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Eran_Barzilay_3's avatar
Eran_Barzilay_3
Icon for Nimbostratus rankNimbostratus
Jul 04, 2017

How to add or remove allowed parameters during runtime

Hi. I'm working on a solution for a 'forgot my password' scenario, in which my server generates a temporary URL (url with a hash parameter, valid for X hours) and sends it to the clients. I want to...
ASM Advanced WAF
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jul 04, 2017

Hi,

you can manage it with an irule (store 302 redirect URL parameter in a table) and raise a ASM user-defined violation if the URL is not in table. (not tested)

when HTTP_RESPONSE {
    if {[HTTP::status] equals 302 && [set id [URI::query [HTTP::header Location] myparameter]] ne ""} {
        table set -subtable resetPassword $myparameter 0 7200
    }
    unest id
}

when HTTP_REQUEST {
    set reqBlock 0
    if {([HTTP::path] equals "/reset/url") && ([set id [URI::query [HTTP::uri] myparameter]] ne "") && !([table lookup -subtable resetPassword $id])} {
        set reqBlock 1
    }
    unset id
}

when ASM_REQUEST_DONE {
     Block not allowed request with ASM if enabled. Raise ASM user defined violation FILTER_IRULE_VIOLATION
    if {$reqBlock} {
        set violation_details [list [list Reason iRule_Event]]
        lappend violation_details [list Filter Denied_URL]
        ASM::raise FILTER_IRULE_VIOLATION $violation_details
    }
}