Forum Discussion
JD_Tomzak
Cirrus
3 years ago
iRule advice?
Hello, I'm seeking advice on using an iRule to drop a connection when a certain condition is met in the URI. fid= followed by non-numeric characters. fid=1234 would pass. fid=13d4 would drop. Thanks...
- 3 years ago
    when HTTP_REQUEST {
        if { [string tolower [HTTP::query]] contains "fld" } {
            if { ![string is digit [URI::query [HTTP::uri] "fld"]] } {
                log local0. "invalid fld value, rejecting from [IP::client_addr]"
                reject
            }
        }
    }
- 3 years ago
The following accounts for a POST request where the payload is URL encoded or XML:
    when HTTP_REQUEST {
        if { [HTTP::method] eq "POST" } {
            ## Trigger collection for up to 1MB of data
            if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            ## Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        set fld ""
        if { [HTTP::payload] contains "fld=" } {
            foreach x [split [HTTP::payload] "&"] {
                if { $x starts_with "fld=" } {
                    set fld [lindex [split $x "="] 1]
                    continue
                }
            }
        } elseif { [HTTP::payload] contains "<fld>" } {
            set fld [findstr [HTTP::payload] "<fld>" 5 "</fld>"]
        }
        if { $fld ne "" } {
            if { ![string is digit $fld] } {
                log local0. "invalid fld value, rejecting from [IP::client_addr]"
                HTTP::respond 400 content "Bad Request" "Content-Type" "text/html" "Connection" "close"
            }
        }
    }
Kevin_Stewart
Employee
3 years ago
Takes a little more work to get the HTTP payload from a POST request, but logic is mostly the same:
    when HTTP_REQUEST {
        if { [HTTP::method] eq "POST" } {
            ## Trigger collection for up to 1MB of data
            if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            ## Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        if { [HTTP::payload] contains "fld=" } {
            foreach x [split [HTTP::payload] "&"] {
                if { $x starts_with "fld=" } {
                    if { ![string is digit [lindex [split $x "="] 1]] } {
                        log local0. "invalid fld value, rejecting from [IP::client_addr]"
                        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html" "Connection" "close"
                    }
                }
            }
        }
    }
- JD_Tomzak 3 years ago
Cirrus
Well the good news is most of this was already in place so it is working. Thanks!
The only thing missing is when they send it to me in XML sometimes instead of a key/value pair.
Not sure how often that comes up. But it's not "fid =" in this case.
It's <fid>1234a</fid><pw>test123</pw>
Thoughts?
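An added example, not part of any post in this thread: one iRule that applies the same numeric check to the query string, a URL-encoded POST body, and the `<fid>...</fid>` XML form from the last post. It goes beyond the thread's rules by checking every occurrence of the parameter, URL-decoding key/value pairs, and failing empty or non-ASCII-digit values. Assumptions: BIG-IP 11.4 or later (for `proc`/`call`), the parameter name `fid` from the question (the replies spell it `fld`), and a hypothetical proc name `fid_bad_kv`.

```tcl
## Added example, not from the thread. Assumes BIG-IP 11.4+ (proc/call) and
## the parameter name "fid" from the question (the replies spell it "fld").

## Returns 1 if any fid pair in an &-separated string has a non-[0-9] value
proc fid_bad_kv { data } {
    foreach pair [split $data "&"] {
        set eq [string first "=" $pair]
        if { $eq < 0 } { set eq [string length $pair] }
        set name [string tolower [URI::decode [string range $pair 0 [expr {$eq - 1}]]]]
        set value [URI::decode [string range $pair [expr {$eq + 1}] end]]
        ## ^[0-9]+$ fails on "" and on non-ASCII digits, both of which
        ## "string is digit" (without -strict) accepts
        if { $name eq "fid" && ![regexp {^[0-9]+$} $value] } { return 1 }
    }
    return 0
}

when HTTP_REQUEST {
    if { [call fid_bad_kv [HTTP::query]] } {
        log local0. "invalid fid in query, rejecting from [IP::client_addr]"
        reject
        return
    }
    if { [HTTP::method] eq "POST" } {
        ## Same 1MB collection cap as the replies above
        set len 1048576
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set len [HTTP::header "Content-Length"]
        }
        if { $len > 0 } { HTTP::collect $len }
    }
}

when HTTP_REQUEST_DATA {
    set body [HTTP::payload]
    set bad 0
    if { [string tolower [HTTP::header "Content-Type"]] starts_with "application/x-www-form-urlencoded" } {
        set bad [call fid_bad_kv $body]
    }
    ## XML form from the last post: <fid>1234a</fid>. Every element is checked;
    ## no URL decoding here, and a regexp is not a full XML parser.
    foreach {m v} [regexp -all -inline {<fid>(.*?)</fid>} $body] {
        if { ![regexp {^[0-9]+$} $v] } { set bad 1 }
    }
    if { $bad } {
        log local0. "invalid fid in body, rejecting from [IP::client_addr]"
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html" "Connection" "close"
    }
}
```

Only the collected part of the body is inspected, so a `fid` placed beyond the 1MB cap is not seen by this rule. The back-end application should still validate the value itself.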