Parse POST parameters
aj_2511
Nimbostratus
Feb 12, 2008
Hi,
I'm trying to write security iRules for my webmail application: iNotes.
This webmail uses a lot of POST requests to send parameters. Using HTTP Analyzer, I can see that the requests look like this:
-----------------------------7d81f87640cf4
Content-Disposition: form-data; name="%%ModDate"
-----------------------------7d81f87640cf4
Content-Disposition: form-data; name="%%PostCharset"
ISO-8859-1
-----------------------------7d81f87640cf4
Content-Disposition: form-data; name="h_SceneContext"
putAway['publishAction']&&&&&&putAway['publishFolderTitle']&&&&&&putAway['ME']&&&&&&putAway['publishFolderPageUnid']&&&&&&putAway['tocPosition']&&&&&&putAway['tmpText']&&&&&&putAway['selectedFolderIndex']&&&0&&&putAway['BSi']&&&&&&
-----------------------------7d81f87640cf4
Content-Disposition: form-data; name="h_EditAction"
h_Next
-----------------------------7d81f87640cf4
Content-Disposition: form-data; name="h_SetEditCurrentScene"
s_StdPageEdit
[...]
I'd like to be able to get each parameter to verify that there is no problem with size, specific characters, ...
The iRule I'm using to do this:
rule Security-Limit_Parameters_Size-Rule {
    when RULE_INIT {
        set ::debug 1
        set ::max_post_param_length 500
    }
    when HTTP_REQUEST {
        switch [HTTP::method] {
            "GET" {
            }
            "POST" {
                # collect the whole body so that HTTP_REQUEST_DATA sees it
                HTTP::collect [HTTP::header Content-Length]
            }
        }
    }
    when HTTP_REQUEST_DATA {
        # split the body into name=value pairs on "&"
        set ::parametersList [split [HTTP::payload] "&"]
        for {set ::i 0} {$::i < [llength $::parametersList]} {incr ::i} {
            set ::parameter [split [lindex $::parametersList $::i] "="]
            log local0. "Parameter : [lindex $::parameter 0]"
            if { [string length [lindex $::parameter 1]] > $::max_post_param_length } {
                if { $::debug } {
                    log local0. "Triggered by IP : [IP::client_addr] with URI [HTTP::uri] and parameter length : [string length [lindex $::parameter 1]]"
                }
                reject
            }
        }
    }
}
It seems that this iRule is not working, since I can't see the complete list of parameters. Is there a way to do this on a content type which is not "x-www-form-urlencoded"?
Thanks for your help.
Regards,
-- Alexis
2 Replies
- hoolio
Cirrostratus
Hi,
The first thing I notice is that you're using global variables to save the values. Global variables are shared across multiple connections, which would cause trampling. You can change them to local variables by removing the ::. Second, if the client is sending un-encoded &'s in the parameter value, you won't be able to split the parameters based on the & as a delimiter. You might be able to split them if you parse the boundary from the Content-Type header and then break up the chunks of data to get just the parameter value. I would imagine it would be a complicated rule and take a lot of CPU and memory to perform the validation.
Even if you're able to parse the parameter values, I think you're going to have a hard time coming up with a comprehensive validation methodology using just iRules. You might consider F5's application firewall, ASM. With it, you can validate all the input a user sends in requests and the application's responses. This includes the request method, headers, query string and post data parameters and server responses. You get much more granular control if you need it, but can still set reasonable defaults. Also, the parsing and decoding is handled for you.
If you do continue with the iRule approach, reply if you run into more problems or make progress.
Aaron
- hoolio
Cirrostratus
There is a length limit on the size of a message which can be sent to syslog, so that's probably why you're seeing the payload truncated when using the log command. You should be able to test the parameter parsing just using the first 100 bytes of the payload, anyhow. I'll see about testing some of the parameter parsing, but I'm not sure when exactly I'll have time.
Aaron
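As an added example (not code from the thread or from F5), here is the boundary-based approach Aaron suggests in his first reply, written in Python rather than iRule Tcl so it can be run offline: it pulls the boundary from the Content-Type header, splits the body into its parts, and applies the 500-byte limit plus a character check to each value, which keeps the un-encoded &'s in h_SceneContext inside that one value. The sample body, the `oversized` and `h_Subject` fields and the `[<>]` character policy are constructed for this example and are not from the capture.

```python
import re
MAX_PARAM_LENGTH = 500            # same limit as ::max_post_param_length in the iRule
DISALLOWED = re.compile(r"[<>]")  # assumed policy: no angle brackets in any value
def boundary_from_content_type(content_type):
    """Pull the boundary token out of a multipart/form-data Content-Type header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if m is None:
        raise ValueError("not a multipart/form-data request")
    return m.group(1).encode("latin-1")
def parse_multipart(body, boundary):
    """Split the body on '--boundary' (not on '&') and return {name: raw value bytes},
    so an un-encoded '&' inside a value such as h_SceneContext stays in that value."""
    params = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):            # closing delimiter '--boundary--'
            break
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'[;\s]name="([^"]*)"', head)
        if m is None:
            continue
        if value.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            value = value[:-2]
        params[m.group(1).decode("latin-1")] = value
    return params
def validate(params, max_len=MAX_PARAM_LENGTH):
    """Return (name, reason) for every parameter that violates the policy."""
    problems = []
    for name, value in params.items():
        if len(value) > max_len:
            problems.append((name, f"length {len(value)} > {max_len}"))
        elif DISALLOWED.search(value.decode("latin-1")):
            problems.append((name, "disallowed character"))
    return problems
# Constructed sample request modelled on the iNotes capture in the question.
BOUNDARY_TOKEN = "---------------------------7d81f87640cf4"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY_TOKEN
def _part(name, value):
    return (f'--{BOUNDARY_TOKEN}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n").encode("latin-1")

SAMPLE_BODY = b"".join([
    _part("%%ModDate", ""),                    # empty value, as in the capture
    _part("%%PostCharset", "ISO-8859-1"),
    _part("h_SceneContext", "putAway['publishAction']&&&&&&putAway['ME']&&&0&&&"),
    _part("oversized", "A" * 600),             # constructed: exceeds the 500-byte limit
    _part("h_Subject", "<script>"),            # constructed: contains a disallowed character
]) + ("--" + BOUNDARY_TOKEN + "--\r\n").encode("latin-1")
def check_request(content_type=CONTENT_TYPE, body=SAMPLE_BODY):
    return validate(parse_multipart(body, boundary_from_content_type(content_type)))
```

Running `check_request()` on the sample body reports only the two constructed fields, while the capture's own parameters pass unchanged.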