simple filter question of uri

Hi Max,

 

 

You can use HTTP::query (Click here) to retrieve the full query string. You can parse individual parameter values using 'URI::query [HTTP::uri] listall' (Click here) to retrieve the value of the listall parameter. You can use string map to remove the parameter name=parameter value string.

 

 

If you read up on these commands and still have questions, reply here with what you've tried and what you're seeing. Note that if the page which receives the requests accepts POST requests, an attacker could include the parameters in the post data. In that case, you'd need to collect the payload, inspect it and potentially rewrite it. To do this, you could use HTTP::collect (Click here) and HTTP::payload.

 

 

Aaron

One of your examples doesn't look right to me

 

 

http://testsite.com/test.aspx?listall=1?log=0

 

 

I have never seen a double query string before. Am I wrong?

 

 

CB

 

I'm guessing that's just a typo in the post. The query string delimiter should be a question mark and the parameter value / parameter name delimiter is the &.

 

 

Aaron

I figured as much but I wanted to be sure.

ex: http://testsite.com/test.aspx?pageid=13&nocache=1&list=11

 

to http://testsite.com/test.aspx?pageid=13

 

 

I need to do some type of remove or filter before the url hit the webserver, and thats only for users from outside ip:s (they should not be able to use nocache=1 and list=nn=)

 

 

I am using an redirect at the moment.

 

ex2

 

when HTTP_REQUEST {

 

if { [IP::addr [IP::remote_addr] equals 10.0.0.0/8] } {

 

}

 

else {

 

if { [string tolower [HTTP::uri]] contains "nocache=1"} {

 

HTTP::redirect "http://testsite.com/" }

 

}

 

if { [string tolower [HTTP::uri]] matches_regex {list*}} {

 

HTTP::redirect "http://testsite.com/" }

 

}

 

 

You could use something like this:

 

 

when HTTP_REQUEST {

 

Check if client is not in internal range

 

if {not ([IP::addr [IP::remote_addr] equals 10.0.0.0/8])} {

 

 

Check if nocache=1 or list parameter is set with any value

 

if {[URI::query [HTTP::uri] nocache] == 1 or [URI::query [HTTP::uri] list] ne ""}

 

 

Redirect client?

 

}

 

}

 

}

 

 

 

But you'd also need to consider a client using encoding methods to bypass the filters. If the server supports the various encoding methods, clients could use (any combination of): numeral 1, Unicode: %u0031 or %u31, URL encoding: %31, .

 

 

Aaron

Thanks for the response!

 

I want the customer to come to the url but without the nocache=1 and list=nn.

 

If customer type:

 

http://testsite.com/test.aspx?pageid=130&nocache=1&listall=11

 

The only url thats should go to the webserver is

 

http://testsite.com/test.aspx?pageid=130

 

How can the redirect look like ?

 

 

with best regards

 

Max

Hi Max,

You can rewrite the URI inline using a rule like this. It's untested, so try to add logging if you run into any issues. You may also want to add a check if you only need to look for the nocache and listall parameters in requests to specific paths. You could do this by adding a check for [string tolower [HTTP::path]] eq "/test.aspx".

 
 when HTTP_REQUEST { 
  
     Debug logging 
    log local0. "[IP::client_addr]:[TCP::client_port]: New [HTTP::method] request to [HTTP::uri]" 
  
     Check if client is not in internal range 
    if {not ([IP::addr [IP::remote_addr] equals 10.0.0.0/8])} { 
  
        Save copy of URI 
       set uri_tmp [HTTP::uri] 
  
        Check if URI contains nocache=1  
       if {[URI::query [HTTP::uri] nocache] == 1}{ 
  
           Save updated URI with nocache removed 
          set uri_tmp [string map {nocache=1 ""} [HTTP::uri]] 
       } 
        Check if list parameter is set with any value 
       if {[URI::query [HTTP::uri] list] ne ""}{ 
  
           Save updated URI without list parameter and value 
          set uri_tmp [string map [list "list=[URI::query [HTTP::uri] list]" ""] $uri_tmp] 
       } 
  
        Clean up any double delimiters from $uri_tmp and update the URI 
       HTTP::uri [string map {?& ? && &} $uri_tmp] 
    } 
 } 
 when HTTP_REQUEST priority 501 { 
  
     Debug logging 
    log local0. "[IP::client_addr]:[TCP::client_port]: Current URI: [HTTP::uri]" 
 } 
 

Aaron

it works like a dream, Thanks!

 

 

Best regards

 

max

I also need to have an list of URI:s that i wan't to block.

 

 

This is what I want to have, but I have problem with the syntax, and I would appreciate any help.

 

Check if URI contains something from the list in $::blockedurl

 

if {[URI::query [HTTP::uri] $::blockedurl }{

 

Save updated URI with $::blockedurl removed

 

set uri_tmp [string map {$::blockedurl ""} [HTTP::uri]] }