
abhinay
Dec 22, 2022

iRule for blocking specific traffic for HTTP POST

Hi Everyone, I need some help setting up an iRule for the requirement below.

I need to get 403 Forbidden for the following:

(method = POST) AND (URI contains /cs OR llisapi.dll) AND (body contains func=qds.) AND (body contains _REQUEST=SYNDICATION_REQUEST)

 

Below is the Postman body that I am testing:

    "body": {
        "mode": "formdata",
        "formdata": [
            {
                "key": "func",
                "value": "qds.ObjAction",
                "type": "default"
            },
            {
                "key": "_REQUEST",
                "value": "SYNDICATION_REQUEST",
                "type": "default"
            },
            {
                "key": "qdsRequest",
                "value": "A<1,?,'objAction'='create2','subtype'=145,'versionFile_filename'='C:\\windows\\win.ini','func'='',\n'ParentID'=2004,'objType'=145,'name'='qds-createpoc.\ntxt','comment'='created','mimeType'='text/html','textfield'='foobar','CTT_ID'='2004','multiC\nlass'=0,'InheritRequired'=0,'CREATE_Required'=1,'CREATE_Edited'=0,'CREATE_CacheID'=0,'CREATE_Ver\nNum'=1,'versionFile_filelength'='5'>",
                "type": "default"
            }
        ]
    },
 

Thank you

1 Reply

  • Hi abhinay,

    you may use the iRule below as a starting point...

     

    
    when HTTP_REQUEST {

        if { [HTTP::method] eq "POST" } then {

            switch -glob -- [string tolower [HTTP::path]] {
                "*/cs*" -
                "*llisapi.dll*" {
                    if { [HTTP::header value "Content-Length"] == 0 } then {

                        # Zero post data...

                    } elseif { ( [string is digit [HTTP::header value "Content-Length"]] == 1 )
                           and ( [HTTP::header value "Content-Length"] >= 0 )
                           and ( [HTTP::header value "Content-Length"] <= 1048576 ) } then {

                        # Collect the whole body (at most 1 MB) for inspection
                        HTTP::collect [HTTP::header value "Content-Length"]

                    } elseif { [HTTP::header value "Transfer-Encoding"] eq "chunked" } then {

                        # Someone may have used chunked transfer encoding... :-(
                        # Let's hope we will find the signature in the first chunk of received data.

                        HTTP::collect 1

                    }
                }
            }
        }
    }
    when HTTP_REQUEST_DATA {

        # Format tolower, removing any tabs, spaces and line breaks before comparison
        set cleaned_payload [string tolower [string map { "\t" "" " " "" "\r" "" "\n" "" } [HTTP::payload]]]

        # The patterns match the body as JSON text ("key":"...","value":"..."),
        # written in lower case because the payload was lower-cased above
        if { ( [string match {*"key":"_request"*} $cleaned_payload] )
         and ( [string match {*"value":"syndication_request"*} $cleaned_payload] ) } then {

            HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"

        }

        # Alternative if "key" is always preceding "value"
        #
        # if { [string match {*"key":"_request","value":"syndication_request"*} $cleaned_payload] } then {
        #
        #	HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"
        #
        # }

    }

     

     Cheers, Kai
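
To check the blocking condition from the question offline before loading an iRule on a BIG-IP, the Python model below evaluates it against form bodies as they appear on the wire, covering both `multipart/form-data` (what Postman's form-data mode sends) and `application/x-www-form-urlencoded`. This is an added example, not code from either post; the function names, request paths, boundary and sample bodies are constructed for illustration.

```python
from email import message_from_bytes
from urllib.parse import parse_qs

URI_MARKERS = ("/cs", "llisapi.dll")  # URI fragments named in the question

def form_fields(content_type, body):
    """Decode a form body into {lower-cased field name: value}."""
    ctype = content_type.lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        pairs = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        return {k.lower(): v[0] for k, v in pairs.items()}
    if ctype.startswith("multipart/form-data"):
        # Prepend the header so the MIME parser knows the boundary.
        raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
        fields = {}
        for part in message_from_bytes(raw).walk():
            name = part.get_param("name", header="content-disposition")
            if name:  # the container part has no field name and is skipped
                value = part.get_payload(decode=True) or b""
                fields[name.lower()] = value.decode("latin-1").strip()
        return fields
    return {}  # any other body encoding is not inspected by this model

def should_block(method, path, content_type, body):
    """True when the request meets every condition listed in the question."""
    if method.upper() != "POST":
        return False
    if not any(marker in path.lower() for marker in URI_MARKERS):
        return False
    fields = form_fields(content_type, body)
    return (fields.get("func", "").lower().startswith("qds.")
            and fields.get("_request", "").upper().startswith("SYNDICATION_REQUEST"))

# Constructed sample requests (not captured traffic).
BOUNDARY = "constructedBoundary123"
MULTIPART_TYPE = "multipart/form-data; boundary=" + BOUNDARY
MULTIPART_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="func"\r\n\r\n'
    "qds.ObjAction\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_REQUEST"\r\n\r\n'
    "SYNDICATION_REQUEST\r\n"
    f"--{BOUNDARY}--\r\n").encode()
URLENC_TYPE = "application/x-www-form-urlencoded"
URLENC_BODY = b"func=qds.ObjAction&_REQUEST=SYNDICATION_REQUEST"

if __name__ == "__main__":
    print(should_block("POST", "/app/cs", MULTIPART_TYPE, MULTIPART_BODY))
```

The same sample bodies can be replayed against the virtual server to confirm that the deployed iRule returns 403 for each encoding the application accepts.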