For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

abhinay's avatar
abhinay
Icon for Nimbostratus rankNimbostratus
Dec 21, 2022
Solved

Request for providing help on setting up an iRule

Hi All, Can you please let me know how can I accomplish the below requirement with an iRule. Any requests that use any method and have "cs.exe" or "llisapi.dll" in the URI and also have a query str...
application delivery
security
  • mihaic's avatar
    mihaic
    Dec 22, 2022

    abhinay  please share how you test in postman. 
    I've tried and it works if the POST body is raw type and looks like this : fInArgs=%3D%23
    This is what rules I am using:

    when HTTP_REQUEST { 
          if { ([class match [HTTP::uri] contains example_uri_1]) and ( [HTTP::query] contains "%3D%23") }{
              HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
              log local0. "deny URI: [HTTP::uri] query:[HTTP::query]"
             }
          if {[HTTP::method] eq "POST"}{
           # Trigger collection for up to 1MB of data
              if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
                 set content_length [HTTP::header "Content-Length"]
               } else {
                 set content_length 1048576
    }
    # Check if $content_length is not set to 0
             if { $content_length > 0} {
               HTTP::collect $content_length
    }
    }
    }
    when HTTP_REQUEST_DATA {

       if { [HTTP::method] equals "POST" }{
    # Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings) 
          set http_request_body "?[HTTP::payload]"
          log local0. "http payload: $http_request_body"
    # Try to parse type value from the HTTP request body.
           if { [URI::query $http_request_body fInArgs] equals "%3D%23" } {
                HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
    } } 
    }

    if you use application/x-www-form-urlencoded you will have to match this "%253D%2523"

    if { [URI::query $http_request_body fInArgs] equals "%253D%2523" } {
    HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
    }

    or use URI::decode :

    if { [URI::decode [URI::query $http_request_body fInArgs]] equals "%3D%23" } {
    HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
    }

     and if it is a form-data:

    set varB [findstr [HTTP::payload] "fInArgs"]
    if { $varB contains "%3D%23" } {
        HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache 
        }

     

  • CA_Valli's avatar
    CA_Valli
    Dec 27, 2022

    I noticed from other comments in this thread that variable name is fInArgs with an uppercase "i".

    Variable name in my code has a lowercase "L" -- I must have read that wrong before. If you just copy/pasted and didn't fix it, it might not match because of this. 

    Otherwise, I'd expect it to work -- it does in my lab. 

mihaic's avatar
mihaic
Icon for MVP rankMVP
Dec 21, 2022

can you provide what HTTP payload looks like? 

As far as I understand you need to look for some variable and its value in the HTTP payload.

abhinay's avatar
abhinay
Icon for Nimbostratus rankNimbostratus
Dec 21, 2022

yes mihaic, the variable I am looking at is "fInArgs" that contains the string "%3D%23"

Tried your iRule below but this is not working in the HTTP payload