Forum Discussion

Yozzer
Mar 07, 2012

XSS checks in irule

Hi

Can an iRule check for special chars in a switch statement?

switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param1]] {
    "*<" {
        set variable "xss"
    }
    "*>" {
        set variable "xss"
    }
    "*)" {
        set variable "xss"
    }
    "*%" {
        set variable "xss"
    }
}


And can I check another parameter using a switch statement after the first one (I only need to check 2)?

when HTTP_REQUEST_DATA {
    switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param1]] {
        "<" {
            set variable "xss"
        }
        ">" {
            set variable "xss"
        }
        ")" {
            set variable "xss"
        }
        "%" {
            set variable "xss"
        }
    }
    switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param2]] {
        "<" {
            set variable "xss"
        }
        ">" {
            set variable "xss"
        }
        ")" {
            set variable "xss"
        }
        "%" {
            set variable "xss"
        }
    }
}

Thanks

  • hoolio
    Hi Yozzer,

    Yes, you can check for potentially malicious metacharacters in a parameter value using an iRule. You might want to add a * to the end of the switch cases if you want to match the character at any position instead of just at the end of the parameter value. You'll also need to collect the full payload using HTTP::collect in HTTP_REQUEST if you want to check parameter values in POST payloads.

    https://devcentral.f5.com/wiki/iRules.http__collect.ashx

    Aaron
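A complete iRule putting Aaron's two points together, as an added example rather than code posted in the thread: the POST body is collected in HTTP_REQUEST, and in HTTP_REQUEST_DATA both parameters are checked with patterns that carry a * on both sides so the character matches anywhere in the value. The path /submit, the 64 KB body cap, the parameter names Param1 and Param2 and the 403 text are assumptions made for the example. One caveat on the % case: URI::decode turns %3C into < but %25 into %, so after decoding, a *%* pattern only sees a literal percent sign; the decoded < and > are what the other cases catch.

```tcl
# Added example: an iRule (BIG-IP LTM, Tcl) that collects a POST body and
# checks two form parameters for metacharacters. Not code from the thread.
# Assumed for the example: path /submit, a 64 KB body cap, parameters
# Param1 and Param2, and the 403 response text.

when HTTP_REQUEST {
    # HTTP::payload is empty in HTTP_REQUEST; the body has to be collected
    # first, and HTTP_REQUEST_DATA fires once the requested bytes are in.
    if { [HTTP::method] eq "POST" && [HTTP::path] eq "/submit" } {
        set clen [HTTP::header Content-Length]
        if { ![string is integer -strict $clen] } {
            # No usable length (e.g. chunked); refuse rather than collect blindly
            HTTP::respond 411 content "Length Required"
        } elseif { $clen > 65536 } {
            # Cap what gets buffered in memory per request
            HTTP::respond 413 content "Payload Too Large"
        } elseif { $clen > 0 } {
            HTTP::collect $clen
        }
    }
}

when HTTP_REQUEST_DATA {
    set xss 0
    foreach param {Param1 Param2} {
        # The body is form-encoded, so URI::query can parse it once a "?" is
        # prefixed. URI::decode then unescapes %XX sequences in the value.
        set value [URI::decode [URI::query "?[HTTP::payload]" $param]]
        # "*<*" matches anywhere in the value; "*<" alone only at the end.
        # A body of "-" falls through to the next case, so one body serves all.
        switch -glob -- $value {
            "*<*" -
            "*>*" -
            "*)*" -
            "*%*" {
                set xss 1
            }
        }
    }
    if { $xss } {
        HTTP::respond 403 content "Blocked"
        return
    }
    # Nothing matched: hand the buffered request on to the pool
    HTTP::release
}
```

HTTP::release is the part that is easy to forget: once a body has been collected, the request stays parked until it is released, so every path through HTTP_REQUEST_DATA has to end in either a response or a release.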
  • Yozzer
    So "*%*" for each would pick it up anywhere it appears?

    e.g. param1=%blah%blah%

    I just need it to trigger on at least 1 of them wherever it is in the parameter.

    Thanks

  • Yozzer
    I have noticed that it won't trigger if I check for % or :

    "*%*" or "*:*"

    Any ideas?

    Thanks

  • Yozzer
    Hi

    Is it possible to have the input to the switch checked by ASM to identify XSS checks? I want to prevent null byte attacks in POST parameters.

    Is it possible to check the switch payload for the number of parameters? I want to disregard it if it has more than 2. I can accept Param1 and Param2, but if I see any other then I want to dump it, as the POST request has been tampered with.

    Thanks

  • Yozzer
    This seemed to solve the null byte issue and simplified my iRule checks:

    # xssblocked is a data group (class) of lowercase strings to block
    if { [matchclass [string tolower [HTTP::payload]] contains xssblocked] } {
        # HTTP::respond takes the body after the "content" keyword
        HTTP::respond 403 content "Blocked"
    }

    I would just like to count the number of times the & char appears in the payload and throw an exception if there is more than 1 found. Any ideas?
  • Yozzer
    Hi

    Which command can I use to count the number of times the & character appears in the [HTTP::payload] and throw an exception if there is more than 1 found?

    Thanks
  • hoolio
    Jason pointed out a nice trick for this. You can get a count of the number of instances of a character using split and llength:

    llength [split [HTTP::payload] &]

    Or to be more exact, you'd want to subtract one:

    % set str {name1=value1&name2=value2&name3=value3}
    % split $str &
    name1=value1 name2=value2 name3=value3
    % llength [split $str &]
    3

    Or together:

    % expr {[llength [split $str &]] -1}
    2

    But really, ASM gives you much better normalization and validation. For example, you could apply all of the XSS attack signatures to all parameters. If you have a specific POST request you want to restrict the number of parameters to 1 for, you can configure this in the ASM policy.

    Aaron
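The split/llength count from Aaron's reply, plus the stricter check Yozzer asked for two posts earlier (accept only Param1 and Param2 and drop anything else), as an added example in plain Tcl that runs in tclsh. It is not code from the thread; the sample bodies are constructed, and in an iRule the payload argument would be [HTTP::payload]. It also shows the one edge the bare formula gets wrong: split of an empty string gives an empty list, so llength minus one comes out as -1 for an empty body.

```tcl
# Added example (plain Tcl, runs in tclsh; not code from the thread).
# Shows what the split/llength trick counts and adds the allow-list check
# for parameter names. The sample bodies at the bottom are constructed.

# Number of raw "&" separators in an application/x-www-form-urlencoded body.
# An encoded ampersand inside a value (%26) is not split on, which is the
# right behaviour: only a raw "&" separates parameters.
proc count_separators {payload} {
    # split "" & gives an empty list (llength 0), so the bare formula would
    # return -1 for an empty body; guard for it.
    if { $payload eq "" } {
        return 0
    }
    return [expr {[llength [split $payload &]] - 1}]
}

# Returns 1 if every parameter name in the body is in $allowed and no name
# appears twice, otherwise 0. Tighter than a count: "Param1=a&Param1=b" has
# the same number of "&" as a good body but carries a duplicate parameter.
proc form_body_ok {payload allowed} {
    if { $payload eq "" } {
        return 0
    }
    array set seen {}
    foreach pair [split $payload &] {
        # The name is the text before the first "="; a trailing "&" yields an
        # empty pair whose empty name is rejected by the allow-list.
        set name [lindex [split $pair =] 0]
        if { [lsearch -exact $allowed $name] < 0 } {
            return 0
        }
        if { [info exists seen($name)] } {
            return 0
        }
        set seen($name) 1
    }
    return 1
}

# Constructed sample bodies, printed with the result of both checks
foreach body {
    {Param1=abc&Param2=def}
    {Param1=abc&Param2=def&Param3=x}
    {Param1=a%26b&Param2=def}
    {Param1=abc&Param1=xyz}
    {Param1=abc&Param2=def&}
    {}
} {
    puts [format "%-34s separators=%d  ok=%d" \
        "\"$body\"" [count_separators $body] [form_body_ok $body {Param1 Param2}]]
}
```

In an iRule, `[llength [split [HTTP::payload] &]] > 2` is the same test as "more than one separator" for a non-empty body; form_body_ok is what you want if a duplicated or renamed parameter should be rejected as well, since those pass a pure count.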
  • Yozzer
    Thanks Aaron, this worked

    if { [llength [split [HTTP::payload] &]] > 2 } {
        # do something
    }