Forum Discussion
Pierre_A__3689
Nimbostratus
NimbostratusPath traversal iRules
Hi all,
trying to implement iRules to deny path traversal, i have found 3 so far on but none seems to stop it. Here's the latest one,
when RULE_INIT {
set ::vDebug 1
}
when HTTP_REQUEST {
if { [HTTP::query] matches_regex {^.*=(\.\.|/)[[A-Za-z0-9./]*]*.*$} } {
if { $::vDebug } { log local0. "Triggered by IP [IP::client_addr] with URI [HTTP::uri]"
}
reject
}
}
And here the path i am trying to block
https://www.website.com/site/services/web-inf/%2e%2e%2e%2e%2e%2e%2e/boot.ini
i tried to add %2e in the matches_regex but didn't work, not sure if i added it at the right place, not very familiar with iRules... Anyone has an idea how to block this ?
Appreciate
Pierre.
1 Reply
hoolioCirrostratus
Hi Pierre,
f there isn't a ? in the URI to delimit the path from the query string, then you should use HTTP::path or HTTP::uri--not HTTP::query.
Trying to do full URI validation in an iRule is going to be a losing battle in my mind as there are a lot of different encoding methods and path traversal methods. If you want full validation including URL normalization I suggest considering a web app firewall and/or adding more validation to the application.
As a limited measure you could start with something like this:when HTTP_REQUEST { Fully decode the URI from: http://devcentral.f5.com/wiki/iRules.FullyDecodeURI.ashx set tmpUri [HTTP::uri] set uri [URI::decode $tmpUri] repeat decoding until the decoded version equals the previous value. while { $uri ne $tmpUri } { set tmpUri $uri set uri [URI::decode $tmpUri] } Check if the decoded URI has two consecutive dots if {[string match {*..*} $uri]}{ reject } }
Aaron
