Forum Discussion
iRule for blocking specific traffic for HTTP POST
Hi Everyone, I need some help in setting up an iRule for below requirement.
Need to get 403 Forbidden for below
(method = POST) AND (URI contains /cs OR llisapi.dll) AND (body contains func=qds.) AND (body contains _REQUEST=SYNDICATION_REQUEST)
Below is the Postman body that I am testing
"body": {
"mode": "formdata",
"formdata": [
{
"key": "func",
"value": "qds.ObjAction",
"type": "default"
},
{
"key": "_REQUEST",
"value": "SYNDICATION_REQUEST",
"type": "default"
},
{
"key": "qdsRequest",
"value": "A<1,?,'objAction'='create2','subtype'=145,'versionFile_filename'='C:\\windows\\win.ini','func'='',\n'ParentID'=2004,'objType'=145,'name'='qds-createpoc.\ntxt','comment'='created','mimeType'='text/html','textfield'='foobar','CTT_ID'='2004','multiC\nlass'=0,'InheritRequired'=0,'CREATE_Required'=1,'CREATE_Edited'=0,'CREATE_CacheID'=0,'CREATE_Ver\nNum'=1,'versionFile_filelength'='5'>",
"type": "default"
}
]
},
Thank you
Hi abhinay,
you may use the iRule below as a starting point...
when HTTP_REQUEST { if { [HTTP::method] eq "POST" } then { switch -glob -- [string tolower [HTTP::path]] { "*/cs*" - "*llisapi.dll*" { if { [HTTP::header value "Content-Lenght"] == 0 } then { # Zero post data... } elseif { ( [string is digit [HTTP::header value "Content-Lenght"]] == 1 ) and ( [HTTP::header value "Content-Lenght"] >= 0 ) and ( [HTTP::header value "Content-Lenght"] <= 1048576 ) } then { HTTP::collect [HTTP::header value "Content-Lenght"] } else { [HTTP::header value "Transfer-Encoding"] eq "chunked" } then { # Someone may have used chunked tranfer encoding... :-( # lets hope we will find the signature on first chunk of received data. HTTP::collect 1 } } } } } when HTTP_REQUEST_DATA { # Format tolower, removing any tabs, spaces and line breaks before comparsion set cleaned_payload [string tolower [string map { " " "" " " "" "\n" "" } [HTTP::payload]]] if { ( [string match {*"key":"_request"*} $cleaned_payload] ) and ( [string match {*"value":"syndication_request"*} $cleaned_payload]) } then { HTTP::respond 403 content "Forbidden" "Content-Type" "text/html" } # Alternative if "key" is always preceding "value" # # if { [string match {*"key":"_request","value":"syndication_request"*} $string_map] } then { # HTTP::respond 403 content "Forbidden" "Content-Type" "text/html" # } }
Cheers, Kai
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com