Forum Discussion
irule to reject user defined headers
Hi
So if I understand correctly, you enable "Insert X-Forwarded-For" in the HTTP profile assigned to your VS, and you do not want the external users to be able to manipulate this header. Please correct me if not.
If this is the case, then you can just delete the X-Forwarded-For header received from the clients, and let F5 add the header with the HTTP profile:
when HTTP_REQUEST {
    # Drop any X-Forwarded-For header supplied by the client
    HTTP::header remove X-Forwarded-For
}
The side effect of this is that you may not get the client real IP address.
Yoann
Hi Yoann,
As per our design, we need to use SNAT. We also want the client IP shown for audit. Hence we enabled this X-Forwarded-For header via the HTTP profile very recently. After that, we are seeing this vulnerability of code injection in the headers.
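
The effect of the header removal discussed above, as an added Python model that is not part of the original posts and is not F5 code. It assumes the proxy adds its own X-Forwarded-For header carrying the TCP peer address and otherwise passes client headers through; the function names, addresses and header values are constructed for illustration.

```python
import ipaddress

XFF = "x-forwarded-for"

def proxy_forward(client_headers, peer_ip, strip_client_xff):
    """Model of the proxy hop. Headers are (name, value) pairs.
    Assumption: the proxy appends its own X-Forwarded-For with the peer
    address; client-sent copies survive unless strip_client_xff is set."""
    out = [(n, v) for n, v in client_headers
           if not (strip_client_xff and n.lower() == XFF)]
    out.append(("X-Forwarded-For", peer_ip))
    return out

def naive_audit_ip(headers):
    """Backend that logs the first X-Forwarded-For value it sees."""
    for name, value in headers:
        if name.lower() == XFF:
            return value
    return None

def strict_audit_ip(headers):
    """Backend that logs only a single, well-formed IP address."""
    values = [v for n, v in headers if n.lower() == XFF]
    if len(values) != 1:
        return None  # duplicates mean something upstream was not stripped
    try:
        return str(ipaddress.ip_address(values[0].strip()))
    except ValueError:
        return None  # not an address: never write it to the audit log

# Constructed request: the client sends its own header with non-IP content.
PEER = "198.51.100.7"
REQUEST = [("Host", "app.example"),
           ("X-Forwarded-For", "not-an-ip; constructed-injected-text")]

UNSTRIPPED = proxy_forward(REQUEST, PEER, strip_client_xff=False)
STRIPPED = proxy_forward(REQUEST, PEER, strip_client_xff=True)

if __name__ == "__main__":
    print("naive, no strip :", naive_audit_ip(UNSTRIPPED))
    print("strict, no strip:", strict_audit_ip(UNSTRIPPED))
    print("naive, stripped :", naive_audit_ip(STRIPPED))
    print("strict, stripped:", strict_audit_ip(STRIPPED))
```

Validating the value on the backend is worth keeping even with the header removal in place, since it also covers any path that reaches the servers without passing through the virtual server.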