Forum Discussion

Pierre_A__3689's avatar
Pierre_A__3689
Icon for Nimbostratus rankNimbostratus
Nov 23, 2011

Path traversal iRules

Hi all,

 

 

trying to implement iRules to deny path traversal, i have found 3 so far on but none seems to stop it. Here's the latest one,

 

when RULE_INIT {

 

set ::vDebug 1

 

}

 

when HTTP_REQUEST {

 

if { [HTTP::query] matches_regex {^.*=(\.\.|/)[[A-Za-z0-9./]*]*.*$} } {

 

 

if { $::vDebug } { log local0. "Triggered by IP [IP::client_addr] with URI [HTTP::uri]"

 

}

 

reject

 

}

 

}

 

 

And here the path i am trying to block

 

 

https://www.website.com/site/services/web-inf/%2e%2e%2e%2e%2e%2e%2e/boot.ini

 

 

i tried to add %2e in the matches_regex but didn't work, not sure if i added it at the right place, not very familiar with iRules... Anyone has an idea how to block this ?

 

 

Appreciate

 

 

Pierre.
  • Hi Pierre,

    f there isn't a ? in the URI to delimit the path from the query string, then you should use HTTP::path or HTTP::uri--not HTTP::query.

    Trying to do full URI validation in an iRule is going to be a losing battle in my mind as there are a lot of different encoding methods and path traversal methods. If you want full validation including URL normalization I suggest considering a web app firewall and/or adding more validation to the application.

    As a limited measure you could start with something like this:

    when HTTP_REQUEST {
    
     Fully decode the URI from:
     http://devcentral.f5.com/wiki/iRules.FullyDecodeURI.ashx
    set tmpUri [HTTP::uri]
    set uri [URI::decode $tmpUri]
    
     repeat decoding until the decoded version equals the previous value.
    while { $uri ne $tmpUri } {
    set tmpUri $uri
    set uri [URI::decode $tmpUri]
    }
     Check if the decoded URI has two consecutive dots
    if {[string match {*..*} $uri]}{
    reject
    }
    }
    

    Aaron