Forum Discussion

mikegray_198028's avatar
mikegray_198028
Icon for Cirrus rankCirrus
Dec 08, 2016

uri hiding/encrypting

admin/App/frameset.jsp?name=Sessions url=..%2FApp%2FSessions%2FsessionsFrameSet.faces%3FappKind%3DCMC%26bttoken%3DMDAwRENRbzJQNmRKYUpXW2c7Z29XOlBNVEFYTF5d

Here you can see ".." present in the url hence waf/ips considered its as directory traversal. can we hide this or change this url with out modifying app

application delivery
BIG-IP
LTM

5 Replies

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 08, 2016

    Hi Mike,

    if disabling of directory traversal attack signatures is not an option for you, then you may try to remove the directory traversal before passing the request to ASM and simply restore it right after.

    when HTTP_REQUEST { 
    if { [HTTP::uri] contains ".." } then {
        set dir_traversal [HTTP::uri]
        HTTP::uri [string map { ".." "traversal" } [HTTP::uri]]
    }
}
when HTTP_REQUEST_SEND {
    if { [info exists dir_traversal] } then {
        clientside {
            HTTP::uri $dir_traversal
        } 
    }
}

    Cheers, Kai

    • Kai_Wilke's avatar
      Kai_Wilke
      Icon for MVP rankMVP
      Dec 08, 2016

      Hi Mike,

       

      No, the provided iRule will most likely be able to trick out ASM, since its just hiding the traversal syntax within your F5 and not on the wire.

       

      To help you further you may explain if the IDS/IPS system is located in-front or behind your F5? Based on the answer we may find another solution to change the stuff on the wire to meet your requirements.

       

      Cheers, Kai

       

    • mikegray_198028's avatar
      mikegray_198028
      Icon for Cirrus rankCirrus
      Dec 08, 2016

      Kai please see the traffic flow

       

      User > f5 vip with ssl > juniper ips > ihs web server juniper ips > app server > db server