For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dick_Piccard_72's avatar
Dick_Piccard_72
Icon for Nimbostratus rankNimbostratus
May 22, 2009

iRule for screening form submission to script

Our security team believes that a particular application is so sensitive that we should let the submitted data reach the server only if it passes content-based screening. The idea would be to confirm that the fields and values submitted matched those that are valid (the form will not have any free-response -- text or textarea -- fields, only radio buttons, check-boxes, and selects). Valid input would be passed along intact to the intended server for the script to process; we haven't decided yet whether invalid input should result in immediate failure, or in pooling to a different pool, where the server would respond with an error page, on the off-chance that a human was at the other end.

 

 

This form is coded for method="POST" -- but knowing how to deal with method="GET" might also be useful, later.

 

 

Looking at the CodeShare iRule samples, I noticed "HTTP Payload Collection"; is this a sensible starting point? Is there a better starting point? Are there any particular pitfalls to be alert to as we start down this way?

 

 

Thanks in advance for all advice.
application delivery
dev
devops
iRules

1 Reply

  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    May 22, 2009
    This kind of thing is precisely what the ASM module is for (Click here).

     

     

    That said, yes you could use HTTP::collect, parse the payload for various different conditions (probably using regex), and accept or reject (or send to an error pool) the connections based upon what you find.

     

     

    Denny