abhinay
Dec 22, 2022

iRule for blocking specific traffic for HTTP POST

Hi everyone, I need some help setting up an iRule for the requirement below.

I need to get a 403 Forbidden for the following:

(method = POST) AND (URI contains /cs OR llisapi.dll) AND (body contains func=qds.) AND (body contains _REQUEST=SYNDICATION_REQUEST)

 

Below is the Postman body that I am testing:

    "body": {
        "mode": "formdata",
        "formdata": [
            {
                "key": "func",
                "value": "qds.ObjAction",
                "type": "default"
            },
            {
                "key": "_REQUEST",
                "value": "SYNDICATION_REQUEST",
                "type": "default"
            },
            {
                "key": "qdsRequest",
                "value": "A<1,?,'objAction'='create2','subtype'=145,'versionFile_filename'='C:\\windows\\win.ini','func'='',\n'ParentID'=2004,'objType'=145,'name'='qds-createpoc.\ntxt','comment'='created','mimeType'='text/html','textfield'='foobar','CTT_ID'='2004','multiC\nlass'=0,'InheritRequired'=0,'CREATE_Required'=1,'CREATE_Edited'=0,'CREATE_CacheID'=0,'CREATE_Ver\nNum'=1,'versionFile_filelength'='5'>",
                "type": "default"
            }
        ]
    },
 

Thank you

  • Hi abhinay,

    you may use the iRule below as a starting point...

     

    
    when HTTP_REQUEST {

        if { [HTTP::method] eq "POST" } then {

            switch -glob -- [string tolower [HTTP::path]] {
                "*/cs*" -
                "*llisapi.dll*" {
                    if { [HTTP::header value "Content-Length"] == 0 } then {

                        # Zero post data...

                    } elseif { ( [string is digit [HTTP::header value "Content-Length"]] == 1 )
                           and ( [HTTP::header value "Content-Length"] >= 0 )
                           and ( [HTTP::header value "Content-Length"] <= 1048576 ) } then {

                        # Collect the whole body (at most 1 MiB) for inspection
                        HTTP::collect [HTTP::header value "Content-Length"]

                    } elseif { [HTTP::header value "Transfer-Encoding"] eq "chunked" } then {

                        # Someone may have used chunked transfer encoding... :-(
                        # Let's hope we will find the signature in the first chunk of received data.

                        HTTP::collect 1

                    }

                }

            }

        }
    }
    when HTTP_REQUEST_DATA {

        # Lowercase and remove any tabs, spaces and line breaks before comparison
        set cleaned_payload [string tolower [string map { "\t" "" " " "" "\n" "" } [HTTP::payload]]]

        if { ( [string match {*"key":"_request"*} $cleaned_payload] )
         and ( [string match {*"value":"syndication_request"*} $cleaned_payload] ) } then {

            HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"

        }

        # Alternative if "key" is always preceding "value"
        #
        # if { [string match {*"key":"_request","value":"syndication_request"*} $cleaned_payload] } then {

        #	HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"

        # }

    }

     

     Cheers, Kai
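
Postman's "formdata" mode sends the fields as multipart/form-data parts rather than as the JSON shown in the collection export, and the original requirement also names `func=qds.`. The iRule below is an added example, not part of Kai's reply or any F5-supplied rule; it checks both fields in multipart and URL-encoded bodies, and the two content types and the 1 MiB inspection cap are assumptions.

```tcl
# Added example, not from the thread. Assumes the fields arrive as
# multipart/form-data or application/x-www-form-urlencoded and that
# inspecting the first 1 MiB of the body (the cap used above) is enough.
when HTTP_REQUEST {
    if { [HTTP::method] ne "POST" } { return }
    set path [string tolower [HTTP::path]]
    if { !([string match "*/cs*" $path] || [string match "*llisapi.dll*" $path]) } { return }

    # Use Content-Length when it is a sane number, otherwise collect up to the cap
    set clen [HTTP::header value "Content-Length"]
    if { !([string is digit -strict $clen] && [string length $clen] <= 7 && $clen <= 1048576) } {
        set clen 1048576
    }
    if { $clen > 0 } { HTTP::collect $clen }
}

when HTTP_REQUEST_DATA {
    set body [HTTP::payload]
    if { [string tolower [HTTP::header value "Content-Type"]] starts_with "multipart/form-data" } {
        # Wire form of one field:
        #   Content-Disposition: form-data; name="func"<CRLF><CRLF>qds.ObjAction
        # The pattern skips any extra part headers, then requires the blank
        # line and the value prefix, so it cannot match across parts.
        set has_func [regexp -nocase {name="func"[^\r\n]*(?:\r\n[^\r\n]+)*\r\n\r\nqds\.} $body]
        set has_req  [regexp -nocase {name="_REQUEST"[^\r\n]*(?:\r\n[^\r\n]+)*\r\n\r\nSYNDICATION_REQUEST} $body]
    } else {
        # urlencoded: decode first so %-encoded names or values still match,
        # and prefix "&" so only whole parameter names are matched
        set decoded "&[URI::decode $body]"
        set has_func [string match -nocase "*&func=qds.*" $decoded]
        set has_req  [string match -nocase "*&_request=syndication_request*" $decoded]
    }
    # Block only when both conditions from the original requirement hold
    if { $has_func && $has_req } {
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"
    }
}
```

A request whose matching fields start beyond the first 1 MiB of the body is not inspected by this example, so the cap should be sized against the largest upload the application legitimately accepts.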