Forum Discussion

WScott_99092's avatar
WScott_99092
Icon for Nimbostratus rankNimbostratus
Mar 25, 2011

remove request content/body on ASM_REQUEST_VIOLATION

Hi,

 

 

Our goal is to allow the webapplications to serve up blocking pages (this is due to pages varying based on location within the same webapp).

 

 

The only way we've currently been able to manipulate the request appropriately is to place the WAF into passthrough mode and detect ASM violations.

 

 

As the request is passed through, the original request (which should have been blocked in the WAF was in blocking mode) is served to the underlying webapplications.

 

 

In order to limit security risks, we intend on cleansing the incoming request by removing headers, querystrings and submitted content.

 

 

The bellow iRule achieves most of this, but we have been unable to find a way to strip out the content/body of the incoming request.

 

 

Is there any way of stripping out this content?

 

 

 

Basic sanitizing iRule

 

 

when ASM_REQUEST_VIOLATION {

 

 

HTTP::header sanitize "host"

 

HTTP::header insert "ASM-VIOLATION-ID [lindex [ASM::violation_data] 1]"

 

HTTP::header replace "connection" "close"

 

 

 

HTTP::uri [HTTP::path]

 

 

}
application delivery
dev
devops
iRules

2 Replies

Sort By
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 25, 2011
    You should be able to replace the payload with nothing using ASM::payload:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/ASM__payload.html

     

    ASM::payload replace 0 [ASM::payload length] ""

     

     

    Also be aware that HTTP::header sanitize won't remove all headers--it leaves these:

     

     

    Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding

     

     

     

    HTTP::header sanitize [header name]+

     

     

    * Removes all headers except the ones you specify and the following: Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding.

     

    * Note that the Host header (required by HTTP/1.1) is removed unless explicitly specified.

     

    * This command can be used in the client-side or server-side context, depending on whether you want to sanitize request and/or response headers.

     

    * If you are using the command in the server-side context, you may want to consider adding Location to the list of retained headers if your application requires they be sent to clients.

     

    * If you are using the command in the client-side context, you may want to consider adding Cookie, Accept, and Accept-Encoding to the list of retained headers.

     

     

     

    Aaron
  • WScott_99092's avatar
    WScott_99092
    Icon for Nimbostratus rankNimbostratus
    Mar 28, 2011
    Thanks Aaron,

     

     

    I had tried HTTP::payload but that seemed to only be able to append stuff at the beginning of the request body/content. I had assumed ASM::payload was for manipulating the response data (which is seems to do in ASM_REQUEST_BLOCKING).

     

     

    I did have additional steps to remove some of the headers mentioned, but left it out to simplify the request.