Forum Discussion
jondyke_46152
Nimbostratus
Dec 16, 2008
iRule for restricting URL paths unsecure
I currently use an iRule that I use to restrict traffic to certain paths:-
when HTTP_REQUEST {
    # Block requests to restricted paths unless the client is in the trusted list
    if {([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([matchclass [IP::client_addr] equals $::trustedAddresses])}{
        log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
        discard
    } else {
        log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
    }
}
However I have just discovered that the paths I have in the data group appear to be case sensitive so \test\ as a restricted path can be circumvented by using \Test\. How do I get around this? I don't wish to add every possible path upper and lower case to the datagroup - I will be here until next Christmas!
13 Replies
- hoolio
Cirrostratus
If you add the datagroup items in lower case, you can set the request to lower case before using matchclass to test the URI. Also, it would be more efficient to use HTTP::path versus HTTP::uri assuming you're not looking for the query string in the URI.
when HTTP_REQUEST {
    if {[matchclass [string tolower [HTTP::path]]...
If you're doing this for security, you might want to consider the different ways malicious users could try to obfuscate the path. The simplest way to bypass your logic might be to prepend an extra forward slash. I think most versions of IIS will accept this. For example this request to MS's main page works: http://www.microsoft.com//////////en/us/default.aspx. There are quite a few different encoding methods that would also be parsed as valid requests by the web server.
Hopefully you're performing authentication/authorization on the application as well.
Aaron
- jondyke_46152
Nimbostratus
Thanks for that
- jondyke_46152
Nimbostratus
What about if in the securepaths datagroup I just put the name of the service....
i.e. test.svc
- jondyke_46152
Nimbostratus
Does anybody know if there is any way you can use wild cards with datagroup paths?
If I used the following irule would it be possible to somehow add some form of wild card to the KnownGoodPaths datagroup?
when HTTP_REQUEST {
    # Tcl needs the opening brace on the same line as the command,
    # otherwise the newline ends the command and the body is lost
    if {not ([matchclass [HTTP::uri] starts_with $::KnownGoodPaths]) } {
        log local0. "Dodgy URL ([HTTP::uri]) being used"
        discard
    } else {
        if { ([matchclass [HTTP::uri] starts_with $::securePaths]) } {
            if { not ([matchclass [IP::client_addr] equals $::trustedAddresses])} {
                log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
                discard
            } else {
                log local0. "Allowing connection from [IP::client_addr] to secure [HTTP::uri]"
            }
        } else {
            log local0. "Allowing connection from [IP::client_addr] to insecure [HTTP::uri]"
        }
    }
}
- hoolio
Cirrostratus
Using a whitelist would be a better method.
I don't think you can use wildcards in a datagroup with matchclass or findclass. You'd need to loop through each datagroup element and use string match. Check this post on this for details/examples:
Wildcard in datagroup
Aaron
- jondyke_46152
Nimbostratus
That's looks an option but does not look like a particularly straightforward one to put together.
Adding the string tolower sorts out any case type issues but obviously it does not sort the ///// issues which is where it falls down from a security perspective. Is there a way I could write some logic so that if it sees multiple slashes it replaces it with just one? Perhaps some sort of URI rewrite before the matchclass rule?
- hoolio
Cirrostratus
You could use regsub to handle multiple slashes (regsub -all {/+} [HTTP::uri] "/" result), but there are quite a few other techniques attackers could use to obfuscate the URI to bypass any blacklist.
Another example is using backslashes instead of forward slashes. IE and IIS accept this. Attackers can also break up the URI using periods for current directory and previous directory:
http://www.microsoft.com/en/us/../us/default.aspx and http://www.microsoft.com/en/us/./default.aspx for http://www.microsoft.com/en/us/default.aspx
There are also different ways to encode the characters in the URI. Here is a PDF I found which describes these and other obfuscation methods.
Trying to handle every attack method in an iRule is going to be a losing battle. If you're able to use a whitelist you'd be in a much better position.
Aaron
- jondyke_46152
Nimbostratus
Apologies for sounding a bit dim here but what do you class as a whitelist?
I thought the iRule we are using is already a whitelist in that it only allows access to IP addresses contained in the data group for the URI specified in the other data group.
- jondyke_46152
Nimbostratus
I think I tried a whitelist version of this rule before but it did not work. I think it looked something like this.
when HTTP_REQUEST {
    if {([matchclass [string tolower [HTTP::path]] starts_with $::rpsecurePaths]) and ([matchclass [IP::client_addr] equals $::rptrustedAddresses])}{
        log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
    } else {
        log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
        discard
    }
}
I think my logic may be a bit screwy....
The logic for this is very confusing.
How do you get
Allow access if A and B
Deny access if A and not B
Do nothing to traffic that is not A
By adding the second line you are using a black list again.....
- jondyke_46152
Nimbostratus
I am now told by one of our developers that the way to write this would be :-
If URI is in list
    If IP Address is in list
        allow
    else
        discard
Else Allow
Seems logical but I am really struggling with my syntax on this one as it has an If/Else Statement within an If/Else Statement.
Any tips here would be very much appreciated.
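The nested If/Else from the developer's sketch, written out as an iRule, together with the two normalisation steps discussed earlier in the thread (string tolower and collapsing repeated slashes). This is an added example, not code from any post above or from F5; it assumes v9-style global datagroups with the names used in the thread ($::KnownGoodPaths, $::securePaths, $::trustedAddresses), and that every path entry in those datagroups is stored lower-case with single slashes so that the normalised path can match them. Backslashes and "." / ".." segments, which hoolio also mentioned, are handled as well; percent-encoding is not, so this is still not a full canonicaliser and the application should authenticate on its own.

```tcl
when HTTP_REQUEST {
    # Normalise the path before any datagroup lookup.
    # HTTP::path is used rather than HTTP::uri so the query string is ignored.
    set path [string tolower [HTTP::path]]

    # Treat backslashes as forward slashes, then collapse runs of slashes
    # so that "/Test//svc" and "\test\svc" both become "/test/svc".
    regsub -all {\\} $path "/" path
    regsub -all {/+} $path "/" path

    # Refuse any "." or ".." segment outright rather than trying to resolve it;
    # the whitelist below only contains plain paths, so none is ever legitimate.
    if { [regexp {(^|/)\.\.?(/|$)} $path] } {
        log local0. "Dot-segment in path ($path) from [IP::client_addr]"
        discard
        return
    }

    # Outer If: is the normalised path one we know about at all?
    # (assumed datagroup: $::KnownGoodPaths, lower-case entries)
    if { [matchclass $path starts_with $::KnownGoodPaths] } {
        # Inner If: is it one of the restricted paths?
        # (assumed datagroup: $::securePaths, lower-case entries)
        if { [matchclass $path starts_with $::securePaths] } {
            # Restricted path: allow only trusted client addresses
            # (assumed datagroup: $::trustedAddresses)
            if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
                log local0. "Allowing [IP::client_addr] to secure path $path"
            } else {
                log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ($path)"
                discard
            }
        } else {
            # Known path that is not restricted: allow everyone
            log local0. "Allowing [IP::client_addr] to $path"
        }
    } else {
        # Not on the known-good list at all: this is the whitelist part
        log local0. "Unknown path ($path) from [IP::client_addr]"
        discard
    }
}
```

The "Else Allow" branch in the developer's sketch is the point where a pure blacklist and a whitelist differ: with the outer check against $::KnownGoodPaths the rule only ever allows paths it has been told about, and the inner check then decides which of those are further limited by client address. Because matchclass compares the normalised $path rather than the raw request, the case and slash tricks from the first reply no longer produce a different string to the one in the datagroup.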