Forum Discussion

abhinay's avatar
abhinay
Icon for Nimbostratus rankNimbostratus
3 years ago
Solved

Request for providing help on setting up an iRule

Hi All, Can you please let me know how can I accomplish the below requirement with an iRule. Any requests that use any method and have "cs.exe" or "llisapi.dll" in the URI and also have a query str...
application delivery
security
  • mihaic's avatar
    mihaic
    3 years ago

    abhinay  please share how you test in postman. 
    I've tried and it works if the POST body is raw type and looks like this : fInArgs=%3D%23
    This is what rules I am using:

    when HTTP_REQUEST { 
          if { ([class match [HTTP::uri] contains example_uri_1]) and ( [HTTP::query] contains "%3D%23") }{
              HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
              log local0. "deny URI: [HTTP::uri] query:[HTTP::query]"
             }
          if {[HTTP::method] eq "POST"}{
           # Trigger collection for up to 1MB of data
              if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
                 set content_length [HTTP::header "Content-Length"]
               } else {
                 set content_length 1048576
    }
    # Check if $content_length is not set to 0
             if { $content_length > 0} {
               HTTP::collect $content_length
    }
    }
    }
    when HTTP_REQUEST_DATA {

       if { [HTTP::method] equals "POST" }{
    # Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings) 
          set http_request_body "?[HTTP::payload]"
          log local0. "http payload: $http_request_body"
    # Try to parse type value from the HTTP request body.
           if { [URI::query $http_request_body fInArgs] equals "%3D%23" } {
                HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
    } } 
    }

    if you use application/x-www-form-urlencoded you will have to match this "%253D%2523"

    if { [URI::query $http_request_body fInArgs] equals "%253D%2523" } {
    HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
    }

    or use URI::decode :

    if { [URI::decode [URI::query $http_request_body fInArgs]] equals "%3D%23" } {
    HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
    }

     and if it is a form-data:

    set varB [findstr [HTTP::payload] "fInArgs"]
    if { $varB contains "%3D%23" } {
        HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
        }

     

  • CA_Valli's avatar
    CA_Valli
    3 years ago

    I noticed from other comments in this thread that variable name is fInArgs with an uppercase "i".

    Variable name in my code has a lowercase "L" -- I must have read that wrong before. If you just copy/pasted and didn't fix it, it might not match because of this. 

    Otherwise, I'd expect it to work -- it does in my lab. 

mihaic's avatar
mihaic
Icon for MVP rankMVP
3 years ago

can you provide what HTTP payload looks like? 

As far as I understand you need to look for some variable and its value in the HTTP payload.

  • abhinay's avatar
    abhinay
    Icon for Nimbostratus rankNimbostratus
    3 years ago

    yes mihaic, the variable I am looking at is "fInArgs" that contains the string "%3D%23"

    Tried your iRule below but this is not working in the HTTP payload