Forum Discussion
Gustavo_Lazarte
Nimbostratus
Oct 16, 2009
xss attack
Hello,
we need to take out the "script" or
- hoolio
Cirrostratus
You can try to filter the URI using an iRule, but an attacker will be able to obfuscate their attack using many encoding schemes that the web server will probably parse and you won't be able to track in an iRule. An attacker could probably also send the malicious strings in the payload in POST requests. It would be very difficult to handle these scenarios in an iRule and still support typical production levels of traffic.

```tcl
when HTTP_REQUEST {
   # URI decode the URI
   set tmpUri [HTTP::uri]
   set uri [URI::decode $tmpUri]

   # repeat decoding until the decoded version equals the previous value.
   while { $uri ne $tmpUri } {
      set tmpUri $uri
      set uri [URI::decode $tmpUri]
   }

   if {[string tolower $uri] contains "script"}{
      # Found script in the decoded URI. Do something?
      HTTP::respond 404
   }
}
```
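The following is an added example, not code from the thread or from F5: a Python model of the iRule's repeat-until-stable decode loop, used to show concretely which requests the rule catches and which of the two gaps named above (other encodings, POST bodies) slip past it. `fixpoint_decode` stands in for the `while` loop around `URI::decode`, `irule_verdict` stands in for the whole `HTTP_REQUEST` handler, and every request in `SAMPLES` is constructed for illustration.

```python
"""Added example (not from the DevCentral thread): a Python model of the
iRule's repeated URI::decode loop, and two constructed requests it misses."""
from urllib.parse import unquote


def fixpoint_decode(uri: str) -> str:
    """Percent-decode until the value stops changing, mirroring the iRule's
    'while { $uri ne $tmpUri }' loop. This defeats double and triple
    percent-encoding such as %2573cript or %25253Cscript%25253E."""
    prev = None
    cur = uri
    while cur != prev:
        prev = cur
        cur = unquote(prev)
    return cur


def uri_contains_script(uri: str) -> bool:
    """The iRule's check: lower-case the fully decoded URI, look for 'script'."""
    return "script" in fixpoint_decode(uri).lower()


def irule_verdict(method: str, uri: str, body: str) -> int:
    """Model of the HTTP_REQUEST-only iRule. Only the URI is inspected; the
    request body is never looked at, regardless of method. Returns the HTTP
    status the rule would answer with: 404 on a match, 200 (pass) otherwise."""
    if uri_contains_script(uri):
        return 404
    return 200  # 'body' is intentionally unused: HTTP_REQUEST sees no payload


# Constructed sample requests: (method, uri, body, label).
SAMPLES = [
    ("GET", "/search?q=<script>alert(1)</script>", "", "plain"),
    ("GET", "/search?q=%3Cscript%3E", "", "single-encoded"),
    ("GET", "/search?q=%253Cscript%253E", "", "double-encoded"),
    ("GET", "/search?q=%25253Cscript%25253E", "", "triple-encoded"),
    # HTML character references are not percent-encoding, so URI::decode leaves
    # them untouched; a page that reflects q into HTML still renders 'script'.
    ("GET", "/search?q=<&#115;cript>alert(1)</&#115;cript>", "", "html-entity"),
    # Same payload moved into a POST body: the URI alone is clean.
    ("POST", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "post-body"),
]


def run_samples() -> dict:
    """Return {label: status} for every constructed request."""
    return {label: irule_verdict(m, u, b) for m, u, b, label in SAMPLES}


if __name__ == "__main__":
    for label, status in run_samples().items():
        print(f"{label:15} -> {status}")
```

The first four requests all end at 404, which is what the decode loop buys you over a single `URI::decode`. The last two pass with 200: the entity-encoded one because the rule only reverses percent-encoding, and the POST because the handler never collects or inspects the body. Inspecting the body would need `HTTP::collect` plus an `HTTP_REQUEST_DATA` handler and a decoder for each content type the application accepts, which is the cost the reply is warning about.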
- hoolio
Cirrostratus
I should add that the best way to handle this efficiently and securely is to use a web app firewall and fix the application code. Trying to use an iRule to implement HTTP security is not going to be both efficient and complete.