Matching ASCII codes %00 - %1f in HTTP::uri

Question

According to: http://www.w3schools.com/tags/ref_urlencode.asp&nbsp;"The ASCII device control characters %00-%1f were originally designed to control hardware devices. Control characters have nothing to do inside a URL."&nbsp;A vendor software has a bug that actually interprets %00-%1f and does some fateful things on the system as a result. I have the vendor software behind the LTM, and want to close the TCP connection for all URLs with these ASCII codes, particularly "%00".&nbsp;What is the best approach to do this? I tried the below block of code, but the request with "%00" in the URI is not being caught in the IF statement.&nbsp;when HTTP_REQUEST {
    if { [HTTP::uri] contains "%00" }{
        HTTP::close
        TCP::close
    }
}

steven_filisko_ · Answer

I am not an expert-level iRuler at this point (yet), so someone may have a better, more direct answer, but... I would  add the "log" lines below.  The output will show in the "Local Traffic" log (or /var/log/ltm on the F5 itself).  It will give you a better idea of what is going on.
I did find a package that is supposed to "test iRules" but it isn't quite very intuitive (from what I have seen so far).
when HTTP_REQUEST {
    log local0. "Checking URI: [HTTP::uri]"
    if { [HTTP::uri] contains "%00" } {
        log local0. "Illegal URI: Closing Connection."
        HTTP::close
        TCP::close
    }
}

steven_filisko_ · Answer

And actually, if you wanted to trap ALL of the control characters from %00 to %1f...
Note that %1, %2, etc would pass through unmatched as the regex is looking for percent, followed by single digit 0 or 1, followed by single digit 0 through 9 or a though f or A through F.
when HTTP_REQUEST {
    log local0. "Checking URI: [HTTP::uri]"
    if { [regexp {%[0-1][0-9a-fA-F]} [HTTP::uri]] } {
        log local0. "Illegal URI: Closing Connection."
        HTTP::close
        TCP::close
    }
}

russell_e_glaue · Answer

The browser was stripping the ASCII device control characters in URLs I tested after the first request. Then loading from browser cache after that. No way to force with shift-reload when that happens. The code worked every time when using curl or wget to test the offensive URLs.&nbsp;

Forum Discussion

Matching ASCII codes %00 - %1f in HTTP::uri

3 Replies

Tyler - May 2026 Featured Member

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

Need BIG-IP VE Lab License for Personal Study/Learning

Creating a GTM Pool error

LTM+GTM at same box

Configuring iQuery for GTM / DNS

AWAF Detection Inconsistency Between Similar Test Payloads