Forum Discussion

Cirrus

May 19, 2021

XFF and sleep

Recently I was asked about mitigating the below XFF header: X-Forwarded-For: (select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/ ...

MVP

May 19, 2021

Hi Dave,

you can block this by enforcing Attack Signature ID 200000074 (SQL-INJ "end-quote select" (Headers)).

Another approach could be to use an iRule or LTM Policy to scrub any XFF header from the HTTP Request. Unless there is a device in front of the BIG-IP that would insert such header, why would a client send a XFF header...

Daniel

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

XFF and sleep

Recent Discussions

F5 looses the token for the first call

ports are showing open on online scanning tool

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

Related Content

XFF Universal Persistence iRule

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

XFF replace iRule help

XFF Header Persistence iRule

Insert XFF on F5 BIG-IP DNS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS