Forum Discussion
F5Hopper_28651
Sep 27, 2012 · Nimbostratus
Regex in iRule
I'm making a rule to catch bad code being in HTTP POST.
For some reason we have some sites trying to do some sort of XSS attack, but posting URL strings in the POST and then they get a 500 error. ...
Kevin_Stewart
Sep 27, 2012 · Employee
Here's a rough example:
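    when HTTP_REQUEST {
        if { [HTTP::method] equals "POST" } {
            # Log the URI-decoded query string for troubleshooting
            log local0. "query = [URI::decode [HTTP::query]]"
            # Glob match: a "<" followed by a letter or "!" anywhere in the decoded query
            if { [string match -nocase {*<[a-zA-Z!]*} [URI::decode [HTTP::query]]] } {
                log local0. "Gotcha!"
                # Drop the connection instead of passing the request to the pool
                reject
            }
        }
    }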
In the above example I'm URI decoding the HTTP query in POST requests, which will catch URI encoding of the < character.
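The rule above inspects the URI query string. As an added example (not part of the original reply), the same glob match can be applied to the POST body by collecting the payload first; this goes beyond the reply's rule and assumes form-encoded bodies and a 1 MB collection cap, both chosen here for illustration.

```tcl
when HTTP_REQUEST {
    # Collect only form-encoded POST bodies; everything else passes through untouched.
    if { [HTTP::method] equals "POST" &&
         [string tolower [HTTP::header "Content-Type"]] starts_with "application/x-www-form-urlencoded" } {
        # Assumed cap so a large upload cannot exhaust memory on the BIG-IP
        set max_collect 1048576
        set len [HTTP::header "Content-Length"]
        # No Content-Length (e.g. chunked) or an oversized body: inspect only the first max_collect bytes
        if { $len eq "" || $len > $max_collect } {
            set len $max_collect
        }
        if { $len > 0 } {
            # Buffer the body; HTTP_REQUEST_DATA fires once it has been collected
            HTTP::collect $len
        }
    }
}

when HTTP_REQUEST_DATA {
    # Same check as the reply's rule, run against the URI-decoded body
    set body [URI::decode [HTTP::payload]]
    if { [string match -nocase {*<[a-zA-Z!]*} $body] } {
        # Log who and where, not the body itself, which may contain credentials
        log local0. "Blocked POST from [IP::client_addr] to [HTTP::host][HTTP::path]: markup-like content in body"
        reject
        return
    }
    # Nothing matched: hand the buffered request on to the pool
    HTTP::release
}
```

Because the pattern fires on any `<` followed by a letter or `!`, legitimate form input such as `a<b` is rejected too, so it is worth running the rule with only the `log` line for a while before enabling `reject`.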