For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jondyke_46152's avatar
jondyke_46152
Icon for Nimbostratus rankNimbostratus
Dec 16, 2008

Irule for restriciting URL paths unsecure

I currenlty use an irule that I use to restrict traffic to certain paths:-     when HTTP_REQUEST {     if {([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([ma...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 06, 2009
I think it's a bit of a losing battle to try to handle all the encoding/obfuscation methods in an iRule...

 

 

Here are a few examples of ways to encode a request for Microsoft's default page:

 

 

original

 

http://www.microsoft.com/en/us/default.aspx

 

 

multiple forward slashes

 

http://www.microsoft.com/en/us/////default.aspx

 

 

multiple back slashes

 

http://www.microsoft.com/en/us\\\default.aspx

 

 

request containing a white listed string

 

http://www.microsoft.com/en/us/white_listed_string/../default.aspx

 

 

hex encoding of "default"

 

http://www.microsoft.com/en/us/%64%65%66%61%75%6C%74.aspx

 

 

hex encoded backslashes

 

http://www.microsoft.com/en/us%5C%5C%5Cdefault.aspx

 

 

Here is an interesting article describing these and other encoding methods:

 

 

URL Embedded Attacks

 

http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html

 

 

Aaron