Forum Discussion
jondyke_46152
Nimbostratus
Dec 16, 2008
iRule for restricting URL paths is insecure
I currently use an iRule to restrict traffic to certain paths:
when HTTP_REQUEST {
    # starts_with compares the raw, undecoded URI and is case-sensitive
    if { ([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([matchclass [IP::client_addr] equals $::trustedAddresses]) } {
        log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
        discard
    } else {
        log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
    }
}
However, I have just discovered that the paths I have in the data group appear to be case-sensitive, so \test\ as a restricted path can be circumvented by using \Test\. How do I get around this? I don't wish to add every possible path in upper and lower case to the data group - I will be here until next Christmas!
13 Replies
- jondyke_46152
Nimbostratus
Thanks Colin - that works (it is missing a closing } though).
Unfortunately it does not get around the /// issue. If you put more than one slash before the path, i.e. //restricted/, it lets you in....
Not sure how to get round that one really.
- Colin_Walker_12
Historic F5 Account
You could always change the equals in the HTTP::path matchclass to a contains, as long as nothing that shouldn't be restricted contains the paths you're storing in your class. That should account for the //. It's not a precise workaround, but it should work.
Colin
- hoolio
Cirrostratus
I think it's a bit of a losing battle to try to handle all the encoding/obfuscation methods in an iRule...
Here are a few examples of ways to encode a request for Microsoft's default page:
original
http://www.microsoft.com/en/us/default.aspx
multiple forward slashes
http://www.microsoft.com/en/us/////default.aspx
multiple back slashes
http://www.microsoft.com/en/us\\\default.aspx
request containing a whitelisted string
http://www.microsoft.com/en/us/white_listed_string/../default.aspx
hex encoding of "default"
http://www.microsoft.com/en/us/%64%65%66%61%75%6C%74.aspx
hex encoded backslashes
http://www.microsoft.com/en/us%5C%5C%5Cdefault.aspx
Here is an interesting article describing these and other encoding methods:
URL Embedded Attacks
http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html
Aaron
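The following is an added example, not code from the thread and not F5 iRule code. It models in Python the comparison the iRule above would have to perform for `starts_with` against a restricted-path data group to mean anything: it canonicalizes the request path and then tries every trick raised in this thread (the OP's case bypass, the leading `//` bypass, Colin's `contains` workaround, and the backslash, dot-segment and hex-encoding examples above) against the original check, the `contains` check, and the canonicalized check. The restricted prefix `/restricted/`, the sample URIs, and the assumption that the backend is IIS-like (case-insensitive, backslash accepted as a separator) are all constructed for the demonstration.

```python
from urllib.parse import unquote

# Constructed data group: the path the rule is meant to protect (assumption).
RESTRICTED_PREFIXES = ("/restricted/",)


def canonical_path(uri):
    """Reduce a raw request-URI to the single form an IIS-like backend acts on.

    1. drop the query string and fragment (the HTTP::path part of HTTP::uri);
    2. percent-decode until the string stops changing, so %2572 style double
       encoding is unwound; the loop is bounded so garbage cannot spin it;
    3. treat backslashes as path separators (assumed backend behaviour);
    4. collapse repeated slashes and resolve '.' and '..' segments;
    5. lowercase, because the backend is assumed to be case-insensitive.
    """
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty segment from '//', or a bare '.'
        if seg == "..":
            if segments:
                segments.pop()  # never climbs above the root
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if segments and path.endswith(("/", "/.", "/..")):
        result += "/"           # keep a directory request distinguishable
    return result.lower()


def is_restricted(uri):
    """Deny if either the raw or the canonical form lands in a restricted prefix.

    The raw form is checked as well on purpose: if the backend normalizes less
    than canonical_path() assumes, the raw comparison still fails closed.
    A request for the bare directory ("/restricted") is treated as inside it,
    since servers usually redirect that into "/restricted/".
    """
    for form in {uri.lower(), canonical_path(uri)}:
        for prefix in RESTRICTED_PREFIXES:
            if form.startswith(prefix) or form == prefix.rstrip("/"):
                return True
    return False


def starts_with_raw(uri):
    """The original rule: case-sensitive starts_with on the undecoded URI."""
    return any(uri.startswith(p) for p in RESTRICTED_PREFIXES)


def contains_raw(uri):
    """Colin's workaround: 'contains' on the undecoded URI."""
    return any(p in uri for p in RESTRICTED_PREFIXES)


# Constructed bypass attempts, one per trick raised in the thread.
BYPASSES = {
    "case":          "/Restricted/admin",
    "double slash":  "//restricted/admin",
    "backslash":     "\\restricted\\admin",
    "dot segment":   "/public/../restricted/admin",
    "hex char":      "/%72estricted/admin",
    "hex backslash": "/public%5C..%5Crestricted%5Cadmin",
    "double encode": "/%2572estricted/admin",
}


def evaluate(checker):
    """Return the names of the bypasses that slip past `checker`, sorted."""
    return sorted(name for name, uri in BYPASSES.items() if not checker(uri))


if __name__ == "__main__":
    for checker in (starts_with_raw, contains_raw, is_restricted):
        print(f"{checker.__name__:16s} misses: {evaluate(checker)}")
```

Run stand-alone, the original check misses every entry, `contains` only recovers the two bypasses in which the literal string `/restricted/` still appears (the double slash and the dot-segment case), and the canonicalized check misses none. The iRule counterparts of the first and last steps are `HTTP::path` (which drops the query string that `HTTP::uri` carries) and Tcl's `string tolower`; the decode and segment-resolution steps would have to be written out in the same way. The caveat, which is Aaron's point above, is that the normalization has to match what the backend actually does, which is why the example checks the raw form as well as the canonical one: being stricter than the backend only ever denies, while normalizing differently from it reopens a bypass.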