abhinay
Dec 21, 2022Nimbostratus
Request for providing help on setting up an iRule
Hi All, Can you please let me know how can I accomplish the below requirement with an iRule. Any requests that use any method and have "cs.exe" or "llisapi.dll" in the URI and also have a query str...
- Dec 22, 2022
abhinay please share how you test in postman.
I've tried and it works if the POST body is raw type and looks like this : fInArgs=%3D%23
This is what rules I am using:when HTTP_REQUEST {
if { ([class match [HTTP::uri] contains example_uri_1]) and ( [HTTP::query] contains "%3D%23") }{
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
log local0. "deny URI: [HTTP::uri] query:[HTTP::query]"
}
if {[HTTP::method] eq "POST"}{
# Trigger collection for up to 1MB of data
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
# Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
if { [HTTP::method] equals "POST" }{
# Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings)
set http_request_body "?[HTTP::payload]"
log local0. "http payload: $http_request_body"
# Try to parse type value from the HTTP request body.
if { [URI::query $http_request_body fInArgs] equals "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
} }
}if you use application/x-www-form-urlencoded you will have to match this "%253D%2523"
if { [URI::query $http_request_body fInArgs] equals "%253D%2523" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}or use URI::decode :
if { [URI::decode [URI::query $http_request_body fInArgs]] equals "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}and if it is a form-data:
set varB [findstr [HTTP::payload] "fInArgs"]
if { $varB contains "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
} - Dec 27, 2022
I noticed from other comments in this thread that variable name is fInArgs with an uppercase "i".
Variable name in my code has a lowercase "L" -- I must have read that wrong before. If you just copy/pasted and didn't fix it, it might not match because of this.
Otherwise, I'd expect it to work -- it does in my lab.