Forum Discussion
Rodolphe_AUBINE
Nimbostratus
Jun 24, 2010
How to bypass (header Referer) from policy controls
Hi,
Some clients come to our websites with a "Referer" header which is rejected by several ASM signatures.
How can I disable the ASM checks on this specific header?
Is it possible with an iRule?
I tried an iRule which sanitizes (or replaces with the origin domain) the Referer header, but some internal application mechanisms use the Referer for MVC page controls and replay....
Help...?
3 Replies
- hoolio
Cirrostratus
Hi Rodolphe,
Unfortunately, ASM doesn't provide the ability to customize the policy enforcement by header name/value like you can with parameters. This would be a very useful feature as the Referer header often has many metacharacters I'd prefer not to allow for all headers and strings which match attack sigs that I wouldn't want to have to disable in the policy.
I've just ended up disabling any of the attack sigs which trigger false positives for the HTTP headers. I suppose you could try to do something clever with an iRule to sanitize the Referer header, but that might break the application.
You could open a case with F5 Support and ask them to consider adding a feature which would allow customization of the policy enforcement by header name.
Aaron
- Rodolphe_AUBINE
Nimbostratus
Thanks for your answers.
I wrote an iRule which sanitizes the Referer only for requests which come from other websites, i.e. only if the requested host's domain is different from the Referer's domain.
With this type of sanitizing, my application mechanisms are not impacted.
Here is my iRule for the community, in case it helps someone...
Thanks for all!
when HTTP_REQUEST {
    if { [HTTP::header exists "Referer"] } {
        # Init: separators used to split the URL and the host:port pair
        set sep "/"
        set sep2 ":"
        # Referer: extract the host part of the Referer URL, without the port
        set received_referer [HTTP::header "Referer"]
        set received_referer_splited [split $received_referer $sep]
        set received_referer_domain [lindex $received_referer_splited 2]
        set received_referer_domain_splited [split $received_referer_domain $sep2]
        set received_referer_domain_splited_without_port [lindex $received_referer_domain_splited 0]
        # Domain: the requested Host header, without the port
        set requested_host_domain [HTTP::host]
        set requested_host_domain_splited [split $requested_host_domain $sep2]
        set requested_host_domain_splited_without_port [lindex $requested_host_domain_splited 0]
        # Compare (case-insensitive) to detect an external, cross-host Referer
        if { [string compare -nocase $received_referer_domain_splited_without_port $requested_host_domain_splited_without_port] != 0 } {
            # Different hosts -> sanitize the Referer down to scheme://host:port/
            set sanitized_referer [lindex $received_referer_splited 0]$sep[lindex $received_referer_splited 1]$sep[lindex $received_referer_splited 2]$sep
            HTTP::header replace "Referer" $sanitized_referer
            log "Different ($received_referer_domain_splited_without_port<>$requested_host_domain_splited_without_port) >> Referer updated($received_referer->$sanitized_referer)"
        } else {
            # Same host -> leave the Referer as is so in-app checks keep working
            log "Equivalent($received_referer_domain_splited_without_port==$requested_host_domain_splited_without_port) >> Referer as is ($received_referer)"
        }
    }
}
- hoolio
Cirrostratus
Hi Rodolphe,
You could probably simplify the iRule by using the domain command to parse the Referer header value:
http://devcentral.f5.com/wiki/default.aspx/iRules/domain
Aaron
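The thread ends with Rodolphe's iRule and hoolio's suggestion to parse the Referer with the `domain` command. As an added example that is not part of either post and is not BIG-IP code, here is the same cross-host Referer decision as a stand-alone Python function, so the logic can be exercised offline against constructed Host and Referer values. The function names (`host_name`, `referer_origin`, `sanitize_referer`) are my own, and `urllib.parse` replaces the split-on-"/" parsing so userinfo, ports, IPv6 literals and non-http Referers are handled consistently:

```python
"""Added example: the cross-host Referer sanitising decision from the
thread, as plain Python (not the posted iRule and not BIG-IP code).
Function names are my own.  urllib.parse replaces the split-on-"/"
parsing so userinfo, ports, IPv6 literals and non-http Referers are
handled consistently."""

from urllib.parse import urlsplit


def host_name(host_header):
    """Lowercase hostname from a Host header ("host", "host:port" or
    "[v6]:port"); None if missing or unparsable."""
    if not host_header:
        return None
    try:
        host = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def referer_origin(referer):
    """(scheme, lowercase host, port or None) of an absolute http(s)
    Referer; None for anything else (about:blank, relative paths,
    a port that is not an integer, a malformed IPv6 literal)."""
    try:
        parts = urlsplit(referer.strip())
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https") or not parts.hostname:
            return None
        return scheme, parts.hostname.lower(), parts.port
    except ValueError:
        return None


def sanitize_referer(host_header, referer):
    """Return the Referer value to forward to the backend.

    Same-host Referers pass through untouched, so in-app controls that
    inspect the full Referer keep working.  Cross-host Referers are cut
    back to scheme://host[:port]/ so foreign paths and query strings
    never reach the signature checks.  None means "remove the header".
    """
    origin = referer_origin(referer)
    if origin is None:
        return None
    scheme, host, port = origin
    if host == host_name(host_header):
        return referer
    authority = f"[{host}]" if ":" in host else host  # re-bracket IPv6
    if port is not None:
        authority = f"{authority}:{port}"
    return f"{scheme}://{authority}/"


# Constructed sample requests (Host header, Referer header), not real traffic.
SAMPLES = [
    ("www.example.com", "http://www.example.com/app/page?id=1"),
    ("www.example.com:8080", "HTTP://WWW.EXAMPLE.COM:8080/app/page"),
    ("www.example.com", "http://other.example/search?q=<script>alert(1)</script>"),
    ("www.example.com", "https://user:pw@other.example:8443/a/b"),
    ("www.example.com", "http://www.example.com.evil.test/login"),
    ("www.example.com", "http://[2001:db8::1]:8080/x"),
    ("www.example.com", "about:blank"),
]

if __name__ == "__main__":
    for host, referer in SAMPLES:
        print(f"{host:22} {referer:55} -> {sanitize_referer(host, referer)}")
```

A cross-host Referer is cut back to `scheme://host[:port]/`, which is roughly what a browser itself sends under `Referrer-Policy: strict-origin-when-cross-origin`, so the foreign path and query string (where the signature matches usually are) never reach ASM, while same-host Referers are forwarded unchanged so the in-app checks Rodolphe mentions keep working. The host comparison is exact after lowercasing, so `www.example.com.evil.test` is treated as foreign. One deliberate difference from the posted iRule: a Referer that is not an absolute http(s) URL comes back as `None`, meaning the header should be removed, instead of being rebuilt from fragments.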