irule reject request when payload field is null
Hello everyone,
I have the following case: when there is a request to my URL, https://10.10.10.10/aaa/v1/xx/test/okokokok,
the payload has to have the fields test, test1, test2, test3. Attackers convert these fields to null or void, causing the server to overload. I wrote an iRule to reject requests when these fields are null or are not in the payload, but it doesn't work; I am still getting a response from the server. Where am I going wrong? Please help me!
My iRule:
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "https://10.10.10.10/aaa/v1/xx/test/okokokok" } {
        set requestBody [HTTP::payload]
        if { [string length $requestBody] > 0 } {
            if { ![string match {*"test"*} $requestBody] || ![string match {*"test1"*} $requestBody] || ![string match {*"test2"*} $requestBody] || ![string match {*"test3"*} $requestBody] ||
                 ![string match {*"test":*} $requestBody] || ![string match {*"test1":*} $requestBody] || ![string match {*"test2":*} $requestBody] || ![string match {*"test3":*} $requestBody] ||
                 [string match {*"test":""*} $requestBody] || [string match {*"test1":""*} $requestBody] || [string match {*"test2":""*} $requestBody] || [string match {*"test3":""*} $requestBody] } {
                HTTP::respond 403 content "Invalid request payload."
                log local0. "Rejected request with missing or empty fields."
                reject
            }
        }
    }
}
request attack:
POST /aaa/v1/xx/test/okokokok HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.32.2
Accept: */*
Postman-Token: adfdfdf-6b7b-4055-99ff-dfđffdfdfdfd
Host: 10.10.10.10
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 193
{"test":"12345A","test1":"abc-aadrrgd","test2":"","test3":""}
OR
POST /aaa/v1/xx/test/okokokok HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.32.2
Accept: */*
Postman-Token: adfdfdf-6b7b-4055-99ff-dfđffdfdfdfd
Host: 10.10.10.10
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 193
{"test":"12345A","test1":"abc-aadrrgd","test3":""}
REFERENCE: "HTTP::uri" [https://clouddocs.f5.com/api/irules/HTTP__uri.htm]
The referenced iRules command is probably NOT returning "https://10.10.10.10 ..." but rather "/aaa/v1 ...". So try modifying the check so that it is instead:
if { [HTTP::uri] starts_with "/aaa/v1/xx/test/okokokok" }
and see if that solves the issue.
Hi quangtran,
Try to modify this line:
if { [HTTP::uri] starts_with "https://10.10.10.10/aaa/v1/xx/test/okokokok" } {
to this line:
if { [HTTP::uri] starts_with "/aaa" } {
or
if { [HTTP::uri] contains "/aaa/v1/xx/test/okokokok" } {
I relied on the article below to write it:
https://clouddocs.f5.com/api/irules/HTTP__uri.html
Hope this helps you
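An added example, not part of the thread and not code from any poster: one way to combine the path-only URI match suggested in the replies with body validation, buffering the request body with HTTP::collect and checking it in HTTP_REQUEST_DATA. The 64 KiB collection cap, the rejection of requests without a Content-Length header, and the requirement that all four fields are non-empty quoted strings (as in the sample requests) are assumptions.

```tcl
when HTTP_REQUEST {
    # HTTP::uri holds only the path and query string, never the scheme or host.
    if { [HTTP::method] eq "POST" && [HTTP::uri] starts_with "/aaa/v1/xx/test/okokokok" } {
        set len [HTTP::header value "Content-Length"]
        # Assumption: a POST to this endpoint without a usable body length is invalid.
        if { $len eq "" || ![string is integer -strict $len] || $len <= 0 } {
            log local0. "Rejected request without a valid Content-Length."
            HTTP::respond 403 content "Invalid request payload."
            return
        }
        # Assumed cap on how much of the body is buffered; tune for the application.
        if { $len > 65536 } { set len 65536 }
        # The body must be buffered before HTTP::payload can be inspected.
        HTTP::collect $len
    }
}

when HTTP_REQUEST_DATA {
    set body [HTTP::payload]
    set bad 0
    foreach field {test test1 test2 test3} {
        # Require "field":"<one or more characters>", allowing whitespace around
        # the colon. A missing key, an empty string and a null value all fail.
        # This is a pattern match on the raw body, not a JSON parser.
        if { ![regexp "\"$field\"\\s*:\\s*\"\[^\"\]+\"" $body] } {
            set bad 1
            break
        }
    }
    if { $bad } {
        log local0. "Rejected request with missing or empty fields."
        # HTTP::respond answers the client itself; no separate reject is issued.
        HTTP::respond 403 content "Invalid request payload."
        return
    }
    # Body is acceptable: hand the buffered request on to the pool.
    HTTP::release
}
```

Both sample requests in the question fail the check: the first has empty test2 and test3 values, the second lacks test2 entirely.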