Forum Discussion
Request for providing help on setting up an iRule
- Dec 22, 2022
abhinay please share how you test in postman.
I've tried and it works if the POST body is raw type and looks like this : fInArgs=%3D%23
This is what rules I am using:when HTTP_REQUEST {
if { ([class match [HTTP::uri] contains example_uri_1]) and ( [HTTP::query] contains "%3D%23") }{
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
log local0. "deny URI: [HTTP::uri] query:[HTTP::query]"
}
if {[HTTP::method] eq "POST"}{
# Trigger collection for up to 1MB of data
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
# Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
if { [HTTP::method] equals "POST" }{
# Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings)
set http_request_body "?[HTTP::payload]"
log local0. "http payload: $http_request_body"
# Try to parse type value from the HTTP request body.
if { [URI::query $http_request_body fInArgs] equals "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
} }
}if you use application/x-www-form-urlencoded you will have to match this "%253D%2523"
if { [URI::query $http_request_body fInArgs] equals "%253D%2523" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}or use URI::decode :
if { [URI::decode [URI::query $http_request_body fInArgs]] equals "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}and if it is a form-data:
set varB [findstr [HTTP::payload] "fInArgs"]
if { $varB contains "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
} - Dec 27, 2022
I noticed from other comments in this thread that variable name is fInArgs with an uppercase "i".
Variable name in my code has a lowercase "L" -- I must have read that wrong before. If you just copy/pasted and didn't fix it, it might not match because of this.
Otherwise, I'd expect it to work -- it does in my lab.
Hello abhinay ,
I've recently implemented a similar check on one of my customers. Try the following:
when HTTP_REQUEST {
if { [HTTP::uri] contains "cs.exe" || [HTTP::uri] contains "llisapi.dll" }{
if { [URI::decode [HTTP::query]] contains "flnArgs" }{
set value [findstr [URI::decode [HTTP::query] "flnArgs" 7 &]
if { $value contains "#=" }{
log local0. "violation detected: flnArgs=$value"
HTTP::respond 403 content "Forbidden"
} else {
# if URI does not contain parameter, I capture traffic (up to 1MB) and perform this check again on full payload
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else { set content_length 1048576 }
if { $content_length > 0} { HTTP::collect $content_length ; set checkpayload 1 }
}
}
}
when HTTP_REQUEST_DATA {
if { $checkpayload }{
set cleanpl [URI::decode [HTTP::payload]]
set value [findstr $cleanpl "flnArgs" 7 &]
if { $value contains "#=" }{
log local0. "violation detected: flnArgs=$value"
HTTP::respond 403 content "Forbidden"
}
}
}
Notice that I'm decoding URI so %3D%23 will be normalized to #= , this match is more effective IMO
- CA_ValliDec 21, 2022MVP
Oops, you're right - I've lost a couple parenthesis in the copy/paste, also #= should be inverted to =#
Sorry! Fixed below.when HTTP_REQUEST { if { [HTTP::uri] contains "cs.exe" || [HTTP::uri] contains "llisapi.dll" }{ if { [URI::decode [HTTP::query]] contains "flnArgs" }{ set value [findstr [URI::decode [HTTP::query]] "flnArgs" 7 &] if { $value contains "=#" }{ log local0. "violation detected: flnArgs=$value" HTTP::respond 403 content "Forbidden" } } else { # if URI does not contain parameter, I capture traffic (up to 1MB) and perform this check again on full payload if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } if { $content_length > 0} { HTTP::collect $content_length ; set checkpayload 1 } } } } when HTTP_REQUEST_DATA { if { $checkpayload }{ set cleanpl [URI::decode [HTTP::payload]] set value [findstr $cleanpl "flnArgs" 7 &] if { $value contains "=#" }{ log local0. "violation detected: flnArgs=$value" HTTP::respond 403 content "Forbidden" } } }
seems to work in my lab
Dec 21 20:14:52 bigip info tmm6[11336]: Rule /Common/iRule_DC <HTTP_REQUEST>: violation detected: flnArgs===# Dec 21 20:14:55 bigip info tmm[11336]: Rule /Common/iRule_DC <HTTP_REQUEST_DATA>: violation detected: flnArgs===#
- CA_ValliDec 21, 2022MVP
one more little thing I just noticed from logs, you see I'm specifying "flnArgs=%3D%23" when making the request but $value is " ==# " -- that's because at line #5 and at line #24 I'm not escaping the first "=" match (before the %3D).
If you want to escape it, change 7 to 8 in said lines. Otherwise, it will ALSO match anything that contains "flnArgs=%23" since the first "=" character is the equivalent of %3D
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com