RichardDumag
Aug 16, 2021
Solved

iRules for 403 forbidden error

Is it possible to create an iRule to remove a specific post request header information to avoid the 403 forbidden error that is generated from an Oracle Apex application?

For example, the Origin information below triggers a 403 forbidden message when accessing the application using Edge, Chrome, or Firefox.

I would like to create an iRule to remove the Origin information from the header.

Thanks!

----------------------------------------------------------------------------------------------------------------------------------------------------

POST /apex_extprd/wwv_flow.ajax HTTP/1.1
Host: www.testapp.com
Connection: keep-alive
Content-Length: 224
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://www.testapp.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.testapp.com/apex_extprd/f?p=119:1::::::
Accept-Language: en-US,en;q=0.9
Cookie: ORA_WWV_APP_119=ORA_WWV-ubwLNBy7vUJxSlt4gD_tmjmL
X-Forwarded-For: 192.168.1.101

2 Replies

  • Hi RichardDumag,

    You can customize the HTTP profile to erase a request header.

    Local Traffic  ››  Profiles : Services : HTTP ›› http-profile ››  Request Header Erase

    Request Header Erase: Indicates the name of an HTTP request header that the BIG-IP system removes from the client request. Only one header can be removed per pool, unless you are using LTM Policies or iRules.

    iRule:

    when HTTP_REQUEST {
    	HTTP::header remove "Origin"
    }

    uri based:

    when HTTP_REQUEST {
    	if { [string tolower [HTTP::uri]] equals "/apex_extprd/wwv_flow.ajax" } {
    		HTTP::header remove "Origin"
    	}
    }
  • Hi Enes. Thank you for the quick response and information. The request header erase seems to have resolved our issue.

     

    Richard
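
Added example, not part of the thread or of either poster's code: the URI-based rule from the reply above, extended to compare Origin with the Host header on the BIG-IP before erasing it, so the same-origin information the header carries is checked before the backend stops seeing it. It assumes the virtual server serves HTTPS on the default port; the log message and response body are illustrative.

```tcl
# Added example, not from the thread.
# Assumption: the virtual server terminates HTTPS on the default port, so a
# same-origin browser request carries "Origin: https://<Host header value>".
when HTTP_REQUEST {
    # Same scope as the URI-based rule in the reply; HTTP::path ignores any
    # query string, so the match still holds if parameters are appended.
    if { [string tolower [HTTP::path]] equals "/apex_extprd/wwv_flow.ajax" } {
        if { [HTTP::header exists "Origin"] } {
            set origin   [string tolower [HTTP::header value "Origin"]]
            set expected "https://[string tolower [HTTP::host]]"

            if { $origin ne $expected } {
                # Cross-origin POST to the AJAX endpoint: refuse it here,
                # because the backend will no longer see the header.
                log local0.warning "Origin mismatch from [IP::client_addr]: origin=$origin host=[HTTP::host]"
                HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
                return
            }

            # Origin matches the requested host: erase it as in the reply.
            HTTP::header remove "Origin"
        }
    }
}
```

Requests without an Origin header pass through unchanged, as they do with the rules in the reply.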