Forum Discussion
Yozzer
Nimbostratus
NimbostratusXSS checks in irule
Hi
Can an irule check for special chars in a switch statement?
switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param1]] {
"*<" {
set variable "xss"
}
"*>" {
set variable "xss"
}
"*)" {
set variable "xss"
}
"*%" {
set variable "xss"
}
And can i check another parameter using a switch statement after the first one (I only need to check 2)?
when HTTP_REQUEST_DATA {
switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param1]] {
"<" {
set variable "xss"
}
">" {
set variable "xss"
}
")" {
set variable "xss"
}
"%" {
set variable "xss"
}
}
switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param2]] {
"<" {
set variable "xss"
}
">" {
set variable "xss"
}
")" {
set variable "xss"
}
"%" {
set variable "xss"
}
}
Thanks
hoolioCirrostratus
Hi Yozzer,
Yes, you can check for potentially malicious metacharacters in a parameter value using an iRule. You might want to add a * to the end of the switch cases if you want to match the character at any position instead of just at the end of the parameter value. You'll also need to collect the full payload using HTTP::collect in HTTP_REQUEST if you want to check parameter values in POST payloads.
https://devcentral.f5.com/wiki/iRules.http__collect.ashx
Aaron
YozzerSo "*%*" for each would pick it up anywhere it appears?
e.g. param1=%blah%blah%
I just need it to trigger on at least 1 of them wherever it is in the parameter.
Thanks- YozzerI have noticed that it wont trigger if i check for % or :
"*%*" or "**"
Any ideas?
Thanks - YozzerHi
Is it possible to have the input to the switch checked by ASM to identify XSS checks? I want to prevent null byte attacks in POST parameters.
Is it possible to check the switch payload for the number of parameters. I want to disregard it is it has more than 2. I can accept Param1 and Param2 but if i see any other then i want to dump it as the POST request has been tampered with.
Thanks - YozzerThis seemed to solve the null byte issue and simplified my irule checks:
if { [matchclass [string tolower [HTTP::payload]] contains xssblocked] }{
HTTP::respond 403 "Blocked"
Would just like to count the number of times the & char appears in the payload and throw an exception if there is more than 1 found. Any ideas? - YozzerHi
Which command can i use to count the number of times the & character appears in the [HTTP::payload] and throw an exception if there is more than 1 found.
Thanks - hoolioJason pointed out a nice trick for this. You can get a count of the number of instances of a character using split and llength:
llength [split [HTTP::payload] &]
Or to be more exact, you'd want to subtract one:
% set str {name1=value1&name2=value2&name3=value3}
% split $str &
name1=value1 name2=value2 name3=value3
% llength [split $str &]
3
Or together:
% expr {[llength [split $str &]] -1}
2
But really, ASM gives you much better normalization and validation. For example, you could apply all of the XSS attack signatures to all parameters. If you have a specific POST request you want to restrict the number of parameters to 1 for, you can configure this in the ASM policy.
Aaron - YozzerThanks Aaron, this worked
if { [llength [split [HTTP::payload] &]] > 2 } {
do something
}