WAF - Allow uploads of only files with certain extensions and block all other file uploads
- 3 years ago
Hi tub91,
Just to add something:
Leave all learnt file types as they are, and do not delete them even if they are in a wildcard form or are specific file types for your application; this is for the stability of your application overall, and this restriction should be applied at the parameter level.
Another point:
You should define 2 parameters in this ASM policy: one parameter with data type "File Upload" and the other with "Alpha-Numeric".
Let me explain more:
You should have a parameter_1 that the file is uploaded on; it is like a container, and this parameter should use (Data type = File Upload). The other parameter is triggered when you click the "Upload" button; let us call it Parameter_2, and you should define this parameter as (an Alpha-Numeric data type) with the regular expression (regex) that I sent in the last reply.
Please check the below snapshots from my lab: you can see the "Choose File" button, which is defined as the "filename" parameter in the F5 ASM learning suggestions, and "select the image you want to upload", which is defined as the "userfile" parameter in the F5 learning suggestions.
For "filename" I should create it as (type = user input value parameter, Data type = Alpha-Numeric, and add the regex that I sent before in the last reply). For "userfile" I should create it as (type = user input value, Data type = File Upload).
I hope this helps you.
Hi tub91,
When you added ".jpg,.jpeg,.tiff,.tif,.pdf,.doc,.docx,.xls,.xlsx,.csv" as allowed file types, did you remove the wildcard "*" entity from the file type configuration page?
Also make sure to enforce your allowed entities after removing the wildcard.
After that, go to "Learning and Blocking Settings"
and choose File Types and put a check mark in the Block box beside "Illegal file type".
- Any request containing a file type other than these ".jpg,.jpeg,.tiff,.tif,.pdf,.doc,.docx,.xls,.xlsx,.csv" should be blocked.
You asked about "test.txt" and "test.pdf":
- "test.txt" will be blocked because you did not define ".txt" as an allowed file type entity.
- "test.pdf" will be allowed because you defined ".pdf" as an allowed file type entity.
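The allow-list behaviour described in the reply above, written out as an added example (this is illustrative Python, not F5 ASM code or anything from the poster): the ten allowed file types and the two sample names "test.txt" and "test.pdf" come from the reply, while the `wildcard_present` flag, the helper names and the other sample names are assumptions made for this example. It shows why the reply insists on removing the "*" entity first (with the wildcard present, every type matches), that only the last extension of a name counts, and that a name with no extension is blocked under a default-deny list.

```python
"""Added illustration (not F5 ASM code): how an explicit file-type allow list
behaves once the wildcard "*" entity is removed, as described in the reply above.
The allow list and the names "test.txt"/"test.pdf" come from the post; the
wildcard flag, helper names and other sample names are assumptions."""
import posixpath

# Allowed file type entities from the post, stored without the leading dot and
# lower-cased so that "TEST.PDF" and "test.pdf" are treated alike.
ALLOWED_FILE_TYPES = {
    ext.lstrip(".").lower()
    for ext in ".jpg,.jpeg,.tiff,.tif,.pdf,.doc,.docx,.xls,.xlsx,.csv".split(",")
}


def file_type_of(filename: str) -> str:
    """Return the extension of the last path component, lower-cased, or "" if none.

    Only the last extension counts: "report.pdf.txt" is a .txt upload and a bare
    name like "README" has no type at all.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot and ext else ""


def is_upload_allowed(filename: str, wildcard_present: bool = False) -> bool:
    """Default-deny check modelled on the "illegal file type" violation.

    While the wildcard "*" entity is still in the policy every type matches it,
    so nothing is blocked; that is why the wildcard must be removed and the
    explicit entities enforced before the block setting has any effect.
    """
    if wildcard_present:
        return True
    return file_type_of(filename) in ALLOWED_FILE_TYPES


def classify_uploads(filenames, wildcard_present=False):
    """Map each name to "allowed" or "blocked", e.g. when reviewing upload attempts."""
    return {
        name: "allowed" if is_upload_allowed(name, wildcard_present) else "blocked"
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample upload names; "test.txt" and "test.pdf" are the two from the post.
    samples = ["test.txt", "test.pdf", "TEST.PDF", "report.pdf.txt", "README", "a.csv"]
    for name, verdict in classify_uploads(samples).items():
        print(f"{name:16} -> {verdict}")
```

Running it prints "blocked" for test.txt, report.pdf.txt and README, and "allowed" for test.pdf, TEST.PDF and a.csv; passing `wildcard_present=True` to `classify_uploads` makes every name "allowed", which is the state the reply warns about.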