Forum Discussion
Chris_Bartnick_
Nimbostratus
Apr 21, 2009
Irule for blocking http smuggling
Hello,
Would anyone have an iRule config or template that can block "HTTP request smuggling" or HRS... or possibly point me in the direction to create one for an LTM running 9.x code?
...
hoolio
Cirrostratus
Apr 24, 2009
Sorry, I didn't realize the HTTP::header count behavior changed in 9.4.0. I thought it worked as expected in older versions. Can you try testing this to check if it doesn't return 2 for two of the same headers?
You can use curl to send a request with two header names:
$ curl -v -H "Header1: value1" -H "Header1: value2" google.com
* About to connect() to google.com port 80 (0)
* Trying 74.125.67.100... connected
* Connected to google.com (74.125.67.100) port 80 (0)
> GET / HTTP/1.1
> User-Agent: curl/7.16.3 (i686-pc-cygwin) libcurl/7.16.3 OpenSSL/0.9.8k zlib/1.2.3 libssh2/0.15-CVS
> Host: google.com
> Accept: */*
> Header1: value1
> Header1: value2
You could also use a Firefox browser plugin like TamperData to test this.
Aaron
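One way to write the duplicate-header check this thread is working toward, as an added example (not code posted by anyone in the thread): an iRule that counts the request-framing headers by walking `HTTP::header names` rather than relying on `HTTP::header count <name>`, and refuses requests that repeat Content-Length or Transfer-Encoding or carry both. It assumes `HTTP::header names` lists a repeated header once per occurrence; the log text and the 400 response are illustrative choices.

```tcl
when HTTP_REQUEST {
    # Count the headers that decide where the request body ends.
    # Walking the name list avoids depending on how
    # "HTTP::header count <name>" behaves on a given 9.x release.
    set cl_count 0
    set te_count 0
    foreach name [HTTP::header names] {
        switch -- [string tolower $name] {
            "content-length"    { incr cl_count }
            "transfer-encoding" { incr te_count }
        }
    }

    # Ambiguous framing: a repeated framing header, or both kinds at once.
    # A front end and a back end may disagree on which one to honour,
    # which is the condition request smuggling depends on.
    if { $cl_count > 1 || $te_count > 1 || ($cl_count > 0 && $te_count > 0) } {
        log local0. "Ambiguous HTTP framing from [IP::client_addr]: Content-Length x$cl_count, Transfer-Encoding x$te_count"
        # Answer from the LTM and close the connection so nothing is
        # forwarded to the pool member.
        HTTP::respond 400 content "Bad Request" "Connection" "close"
        return
    }
}
```

The curl test above can be repeated with `Content-Length` in place of `Header1` against a test virtual server to confirm the rule logs and returns the 400.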
