Rodolphe_AUBINE
Nimbostratus
Jun 24, 2010
How to bypass (header Referer) from policies controls
Hi,
Some clients come to our websites with a "Header: Referer" which is rejected by several signatures from ASM.
How can I disable ASM checks on this specific header?
Is it...
Rodolphe_AUBINE
Nimbostratus
Jun 25, 2010
Thanks for your answers.
I wrote an iRule which sanitizes the Referer, only for requests which come from other previous websites, only if the request host domain is different from the referer host domain.
With this type of sanitizing system, my application mechanisms are not impacted.
This is my iRule for the community, if it can help someone...
Thanks to all!
    when HTTP_REQUEST {
        if { [HTTP::header exists "Referer"] } {
            # Init: separators used to split the URL and the host:port pair
            set sep "/"
            set sep2 ":"
            # Referer: "scheme://host:port/path" split on "/" puts host:port at index 2
            set received_referer [HTTP::header "Referer"]
            set received_referer_splited [split $received_referer $sep]
            set received_referer_domain [lindex $received_referer_splited 2]
            set received_referer_domain_splited [split $received_referer_domain $sep2]
            set received_referer_domain_splited_without_port [lindex $received_referer_domain_splited 0]
            # Domain: requested Host header value, without the port
            set requested_host_domain [HTTP::host]
            set requested_host_domain_splited [split $requested_host_domain $sep2]
            set requested_host_domain_splited_without_port [lindex $requested_host_domain_splited 0]
            # Compare: does the request come from an external site?
            if { [string compare -nocase $received_referer_domain_splited_without_port $requested_host_domain_splited_without_port] != 0 } {
                # Different -> sanitize the Referer, keeping only "scheme://host:port/"
                set sanitized_referer [lindex $received_referer_splited 0]$sep[lindex $received_referer_splited 1]$sep[lindex $received_referer_splited 2]$sep
                HTTP::header replace "Referer" $sanitized_referer
                log "Different ($received_referer_domain_splited_without_port<>$requested_host_domain_splited_without_port) >> Referer updated($received_referer->$sanitized_referer)"
            } else {
                # OK: same host, leave the Referer untouched
                log "Equivalent($received_referer_domain_splited_without_port==$requested_host_domain_splited_without_port) >> Referer as is ($received_referer)"
            }
        }
    }
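
The following is an added example, not part of the original post and not F5 code: an offline Python model of the rule described above (same-host Referers pass unchanged, cross-site ones are reduced to scheme and authority) for checking sample header values before deploying such an iRule. It goes beyond the posted string split by using `urllib.parse`, so IPv6 literals and relative or malformed values are covered; the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit


def host_only(authority: str) -> str:
    """Lower-cased host from 'host', 'host:port' or '[v6]:port' (no port, no userinfo)."""
    # urlsplit only parses an authority when the value starts with "//".
    return (urlsplit("//" + authority).hostname or "").lower()


def sanitize_referer(referer: str, request_host: str) -> str:
    """Return the Referer value to forward to the application."""
    try:
        ref = urlsplit(referer)
        if not ref.scheme or not ref.netloc:
            # Relative or scheme-less value: there is no origin to keep,
            # so leave it unchanged for the WAF policy to judge.
            return referer
        same_site = host_only(ref.netloc) == host_only(request_host)
    except ValueError:
        # Unbalanced IPv6 brackets and similar: treat as malformed, do not rewrite.
        return referer
    if same_site:
        # Internal navigation: the application may rely on the full Referer.
        return referer
    # Cross-site: drop path, query and fragment, keep "scheme://authority/".
    return f"{ref.scheme}://{ref.netloc}/"


# Constructed sample inputs: (Referer header, Host header)
SAMPLES = [
    ("http://search.example.net/results?q=<script>", "www.example.com"),
    ("https://WWW.Example.com:8443/app/page?id=1", "www.example.com"),
    ("http://[2001:db8::1]:8080/x?y=1", "[2001:db8::1]"),
    ("/local/path?x=1", "www.example.com"),
    ("http://other.example.org:8080/a/b#frag", "www.example.com:80"),
]


def run_samples():
    """Map each constructed sample to the Referer that would be forwarded."""
    return [sanitize_referer(ref, host) for ref, host in SAMPLES]


if __name__ == "__main__":
    for (ref, host), out in zip(SAMPLES, run_samples()):
        print(f"Host={host!r:24} {ref!r} -> {out!r}")
```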