Forum Discussion
iRule to reject user-defined headers
Hi,
We have an issue after enabling X-Forwarded-For in F5. Dev found a vulnerability that allows users to perform code injection by manipulating HTTP headers. May I know if there is any iRule to avoid header manipulation? The vulnerability issues are yet to come. I am guessing it could be Clickjacking issues.
Any help would be appreciated.
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi
Understood. So the iRule I send should do the trick. You could also do the same thing with an LTM Policy if you prefer.
With this iRule:
- Any header received on the public part is removed
- F5 takes the client IP address and inserts the X-Forwarded-For header itself (hence the client cannot manipulate the values and send injections...)
Then, if the external user goes through a proxy, of course the client IP address will be the proxy IP, not the real client IP behind the proxy. Is that enough?
If not, then you will need to allow the header and check its value...
Yoann
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi,
If this helped, can you please mark it as the answer?
Thanks
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi
So if I understand correctly, you enabled "Insert X-Forwarded-For" in the HTTP profile assigned to your VS, and you do not want the external users to be able to manipulate this header. Please correct me if not.
If this is the case, then you can just delete the X-Forwarded-For header received from the clients, and let F5 add the header with the HTTP profile:
    when HTTP_REQUEST {
        # Drop whatever X-Forwarded-For the client sent; the HTTP profile
        # then inserts its own value from the TCP source address.
        HTTP::header remove "X-Forwarded-For"
    }
The side effect of this is that you may not get the client real IP address.
Yoann
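As an added example that is not Yoann's own iRule, the following iRule implements the two cases he describes: untrusted peers get their X-Forwarded-For discarded and replaced with the TCP source address, while a known upstream proxy (listed in a hypothetical address data group named "trusted_proxies") may supply the header, but only if every value is a plain IPv4 address. It sets the header itself, so it assumes the HTTP profile's "Insert X-Forwarded-For" option is left disabled; otherwise the profile adds a second header.

```tcl
# Added example (not from the original thread). Assumes an address data group
# called "trusted_proxies" exists; any other peer is treated as untrusted.
when HTTP_REQUEST {
    set peer [IP::client_addr]

    if { [class match $peer equals trusted_proxies] } {
        # Trusted proxy: keep its X-Forwarded-For, but validate each value so
        # that injected text (script, CRLF, SQL fragments) never reaches the
        # pool member or the audit log.
        set clean [list]
        foreach v [HTTP::header values "X-Forwarded-For"] {
            foreach addr [split $v ","] {
                set addr [string trim $addr]
                if { [regexp {^(\d{1,3}\.){3}\d{1,3}$} $addr] } {
                    lappend clean $addr
                } else {
                    # Log the rejection for detection, then refuse the request
                    # rather than forwarding a tampered header.
                    log local0. "Rejected X-Forwarded-For value from $peer"
                    HTTP::respond 400 content "Bad Request" "Connection" "close"
                    return
                }
            }
        }
        # Rebuild the header from validated values only, appending the proxy
        # itself so the audit trail records the full chain.
        HTTP::header remove "X-Forwarded-For"
        lappend clean $peer
        HTTP::header insert "X-Forwarded-For" [join $clean ", "]
    } else {
        # Untrusted peer: discard whatever it sent. The real client IP is the
        # TCP source address, which the client cannot forge through HTTP.
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" $peer
    }
}
```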
- bjorg235 (Altocumulus)
Hi Yoann,
As per our design, we need to use SNAT. We also want the client IP shown for audit. Hence we enabled this X-Forwarded-For header via the HTTP profile very recently. After that, we are seeing this vulnerability of code injection in the headers.