Forum Discussion
Chris_Bartnick_
Nimbostratus
Apr 21, 2009
Irule for blocking http smuggling
Hello,
Would anyone have an iRule config or template that can block "HTTP request smuggling" or HRS... or possibly forward me in the direction to create one for an LTM running 9x code?
thanks
3 Replies
- CharlesCS
Cirrus
Is this approach valid for versions prior to 9.4.0? The HTTP_header page in the wiki implies that multiple instances of a named header only get counted more than once in 9.4.0 and above.
- hoolio
Cirrostratus
Sorry, I didn't realize the HTTP::header count behavior changed in 9.4.0. I thought it worked as expected in older versions. Can you try testing this to check if it doesn't return 2 for two of the same headers?
You can use curl to send a request with two header names:
$ curl -v -H "Header1: value1" -H "Header1: value2" google.com
* About to connect() to google.com port 80 (0)
* Trying 74.125.67.100... connected
* Connected to google.com (74.125.67.100) port 80 (0)
> GET / HTTP/1.1
> User-Agent: curl/7.16.3 (i686-pc-cygwin) libcurl/7.16.3 OpenSSL/0.9.8k zlib/1.2.3 libssh2/0.15-CVS
> Host: google.com
> Accept: */*
> Header1: value1
> Header1: value2
You could also use a Firefox browser plugin like TamperData to test this.
Aaron
- Chris_Bartnick_
Nimbostratus
Thanks Aaron, let me give that a try today in the lab.
Chris
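Added example, not part of the original thread and not any poster's or F5's own code: one way an iRule could use the HTTP::header count command discussed above to refuse requests whose body framing is ambiguous. It assumes HTTP::header count reports every instance of a repeated header (which the thread says the wiki documents for 9.4.0 and above; behavior on earlier 9.x is untested here), and the choice of a 400 response and of which header combinations to refuse are assumptions of this example.

```tcl
when HTTP_REQUEST {
    # Count how many times each body-framing header appears in the request.
    # Assumption: the count reflects every instance of a repeated header.
    set cl_count [HTTP::header count "Content-Length"]
    set te_count [HTTP::header count "Transfer-Encoding"]

    # Two conditions leave the body length open to interpretation:
    #   1. more than one Content-Length header
    #   2. Content-Length and Transfer-Encoding in the same request
    # A front end and a back end that resolve these differently will
    # disagree on where the request ends, so refuse rather than forward.
    if { ($cl_count > 1) || ($cl_count > 0 && $te_count > 0) } {
        log local0. "Ambiguous framing from [IP::client_addr]:\
            Content-Length count=$cl_count,\
            Transfer-Encoding count=$te_count,\
            uri=[HTTP::uri]"

        # Answer from the BIG-IP and close the connection so that no
        # leftover bytes are treated as a second request.
        HTTP::respond 400 content "Bad Request" "Connection" "close"
        return
    }
}
```

The curl test shown in the thread can exercise it in a lab by sending `-H "Content-Length: 0" -H "Content-Length: 5"` to a test virtual server and checking the LTM log for the reported counts.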
