Forum Discussion
Regex in iRule
I'm making a rule to catch bad code being in HTTP POST.
For some reason we have some sites trying to do some sort of XSS attack, but posting URL strings in the POST, and then they get a 500 error. I'm trying to write a rule but can't get it sorted out.
when RULE_INIT {
    set ::vDebug 1
}
when HTTP_REQUEST {
    if { [HTTP::query] matches_regex {<[a-zA-Z!]} } {
        if { $::vDebug } {
            log local0. "Triggered by IP [IP::client_addr] with URI [HTTP::uri]"
        }
        reject
    }
}
Not sure if I'm even in the right ballpark on this one. I just want to catch in HTTP POST, not every connection.
Please see below for possible samples:
"
"
"
Thanks
9 Replies
- Mohamed_Lrhazi
Altocumulus
If you're asking how do I detect POST, then the answer is: https://devcentral.f5.com/wiki/iRules.http__method.ashx
See Sample Code links below for examples.
Thanks,
Mohamed.
- Kevin_Stewart
Employee
Here's a rough example:
when HTTP_REQUEST {
    # Only inspect POST requests
    if { [HTTP::method] equals "POST" } {
        log local0. "query = [URI::decode [HTTP::query]]"
        # Glob match on the URI-decoded query string: "<" followed by a letter or "!"
        if { [string match -nocase {*<[a-zA-Z!]*} [URI::decode [HTTP::query]]] } {
            log local0. "Gotcha!"
            reject
        }
    }
}
In the above example I'm URI decoding the HTTP query in POST requests, which will catch URI encoding of the < character.
- F5Hopper_28651
Nimbostratus
OK thanks, I will check that out and post if that worked.
- F5Hopper_28651
Nimbostratus
I just noticed that my samples didn't show in my main post. I'm looking for samples in attached TXT file.
Kevin, I tried your rule. I changed the log to: log local0. "Gotcha![IP::client_addr] with URI [HTTP::uri]"
I'm not sure if it's working or not... I get these in my log for EVENT
Rule test-regex : query = Step=2
Rule test-regex : query =
Rule test-regex : query = Step=4
Rule test-regex : query = Step=3
No gotcha! or client_addr. What do you make of that?
- Brian_69413
Nimbostratus
Your session is probably still tied to the old version of the iRule.
- Kevin_Stewart
Employee
Your queries don't appear to have any of the characters you're looking for. How are you testing/posting?
- F5Hopper_28651
Nimbostratus
I had my DEV guys generate the Regex.... I don't know it at all... I do know that the website gets hit every 5-10min with bad HTTP POSTs that start with my samples.
- Kevin_Stewart
Employee
I'm specifically asking how you're testing the iRule. You wouldn't be able to just send a greater-than sign in the URI without encoding it, and the "Step" examples don't contain any greater-than signs.
In case you're just waiting for external requests with bad data, you can test locally with cURL:
curl -v "http://www.example.com?test=%3cscript%3e" -d "test=1234"
- F5Hopper_28651
Nimbostratus
I was really just waiting on the bad traffic to hit me and see what comes up.
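The matching logic discussed in the thread can be checked offline before waiting for live traffic. The following is an added example, not code from any poster: it runs the thread's `<[a-zA-Z!]` pattern over the four query values from the posted log lines plus the query string from the cURL test, both raw and percent-decoded. It assumes Python's `urllib.parse.unquote` as a stand-in for `URI::decode`; the names `check_query`, `TAG_START`, `SAMPLES` and `run` are hypothetical.

```python
import re
from urllib.parse import unquote

# Pattern from the iRule in the thread: "<" followed by a letter or "!".
TAG_START = re.compile(r"<[a-zA-Z!]")


def check_query(method, raw_query):
    """Mirror the thread's logic: POST only, percent-decode, then match.

    Returns (decoded_query, raw_hit, decoded_hit).
    unquote() is an assumed stand-in for the iRule URI::decode command.
    """
    if method.upper() != "POST":
        return raw_query, False, False
    decoded = unquote(raw_query)
    raw_hit = bool(TAG_START.search(raw_query))
    decoded_hit = bool(TAG_START.search(decoded))
    return decoded, raw_hit, decoded_hit


# Constructed test set: the four query values seen in the thread's log lines,
# the query string from the cURL test, and the same string sent as a GET.
SAMPLES = [
    ("POST", "Step=2"),
    ("POST", ""),
    ("POST", "Step=4"),
    ("POST", "Step=3"),
    ("POST", "test=%3cscript%3e"),
    ("GET", "test=%3cscript%3e"),
]


def run(samples=SAMPLES):
    """Return one (method, query, decoded, raw_hit, decoded_hit) row per sample."""
    rows = []
    for method, query in samples:
        decoded, raw_hit, decoded_hit = check_query(method, query)
        rows.append((method, query, decoded, raw_hit, decoded_hit))
    return rows


if __name__ == "__main__":
    for method, query, decoded, raw_hit, decoded_hit in run():
        verdict = "reject" if decoded_hit else "pass"
        print(f"{method:4} query={query!r:22} decoded={decoded!r:16} "
              f"raw_match={raw_hit} decoded_match={decoded_hit} -> {verdict}")
```

Only the percent-encoded cURL query sent as a POST is rejected, and only after decoding; the `Step=` queries never match, which is consistent with the log lines showing no "Gotcha!" entry.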