Forum Discussion

quangtran's avatar
quangtran
Icon for Cirrus rankCirrus
Jun 04, 2023

irule reject request when payload field is null

Hello everyone,

I have the following case, when there is a request to my url: https://10.10.10.10/aaa/v1/xx/test/okokokok, 

the payload will have to have the fields test, test1, test2, test3. Attackers convert these fields to null or void causing the server to overload. I wrote an irule to reject requests when its fields are null or there are no these fields in the payload, but it doesn't work, still getting a response from the server. Where am I doing wrong, help me!

my irule:

when HTTP_REQUEST {
if { [HTTP::uri] starts_with "https://10.10.10.10/aaa/v1/xx/test/okokokok" } {
set requestBody [HTTP::payload]

if { [string length $requestBody] > 0 } {

if { ![string match {*"test"*} $requestBody] || ![string match {*"test1"*} $requestBody] || ![string match {*"test2"*} $requestBody] || ![string match {*"test3"*} $requestBody] ||
![string match {*"test":*} $requestBody] || ![string match {*"test1":*} $requestBody] || ![string match {*"test2":*} $requestBody] || ![string match {*"test3":*} $requestBody] ||
[string match {*"test":""*} $requestBody] || [string match {*"test1":""*} $requestBody] || [string match {*"test2":""*} $requestBody] || [string match {*"test3":""*} $requestBody] } {

HTTP::respond 403 content "Invalid request payload."
log local0. "Rejected request with missing or empty fields."
reject
}
}
}

}

request attack:

POST /aaa/v1/xx/test/okokokok HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.32.2
Accept: */*
Postman-Token: adfdfdf-6b7b-4055-99ff-dfđffdfdfdfd
Host: 10.10.10.10
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 193

{"test":"12345A","test1":"abc-aadrrgd","test2":"","test3":""}



OR
POST /aaa/v1/xx/test/okokokok HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.32.2
Accept: */*
Postman-Token: adfdfdf-6b7b-4055-99ff-dfđffdfdfdfd
Host: 10.10.10.10
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 193

{"test":"12345A","test1":"abc-aadrrgd","test3":""}