For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Emad's avatar
Emad
Icon for Cirrostratus rankCirrostratus
Nov 28, 2013

Stop POST requests.

Hi. I was working to stop certain type of requests to web servers via LTM Irule. Right now i can stop different patterns in HTTP GET request i.e via URI. but i also want to stop certain patterns in POST and PUT requests. For example there is a irule to stop command execution via URI but when i try to execute command in POST it does not work as it only ready uri part. I need to control post requests.

 

Example Irule: when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { ".exe" - ".dll" { reject; } } }

 

application delivery
design
devops
iRules
security

6 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Nov 28, 2013

    Not sure if your iRule is quite right. Try:

    when HTTP_REQUEST { 
  switch -glob [string tolower [HTTP::uri]] { 
   "*.exe" - 
   "*.dll" { 
   reject
  }
 }
}

    Hope this helps,

    N

  • Emad's avatar
    Emad
    Icon for Cirrostratus rankCirrostratus
    Nov 28, 2013

    Issue is it only reade uri of http request in method type get. It does not read POST data contents. and i want to read that.

     

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 28, 2013

    In order to control POSTs you'd need to collect and inspect the HTTP body and this could have performance implications. Equally, searching on a pattern such as 'exe' is likely to block valid requests (when the work execute is found for example) unless you're very careful. Is this really necessary where POSTs are concerned? What's the risk you are trying to mitigate?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Nov 28, 2013

    A POST will generally have a payload that you need to worry about, but it will also have a URI. So your mitigation a are dependent on the injection point. An example POST request:

    POST /foo/bar/test.exe HTTP/1.1
Host: www.example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla...

username=foo&password=bar&execute=test.exe

    So you could still look at the URI in a POST request, but then you can also look at the payload, which would require a collection. If I had to guess, I would assume your application predominantly uses GETs, so the overhead of collecting on POSTs, and potentially a subset of POSTs based on some trigger URIs, wouldn't be too overwhelming.

  • Emad's avatar
    Emad
    Icon for Cirrostratus rankCirrostratus
    Nov 29, 2013

    I have some of PHP based application and normally payload is passed in GET request to exploit any vulnerability. I am also working on ASM. Issue is there are some exploits which work in GET aswell as in POST data. www.abc.com/index.php is a valid URL, illegal request is www.abc.com/index.php?admin:$val, Commonly these type of request work in GET or by typing URL. But if use any Utilty for sending post data .i.e; ?admin:$val for URL : www.abc.com/index.php it works. so i want to stop that one. so at the moment my requirement is to stop this part of HTTP Request:

     

    POST /foo/bar/test.exe HTTP/1.1

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Nov 29, 2013

    I'm not sure, but it seems like the objective has changed since the beginning of this thread.

    For example there is a irule to stop command execution via URI but when i try to execute command in POST it does not work as it only ready uri part. I need to control post requests.

    If you just need to filter on the URI portion of a request (GET, POST, etc.). Example:

    POST /foo/bar/test.exe HTTP/1.1    
GET /foo/bar/test.exe HTTP/1.1

    then the original iRule using HTTP::uri should work. If however you need to filter on the POST payload, the data that comes after the HTTP headers, then you need to first HTTP::collect it.