File Uploads and ASM
File Uploads through a WAF
Let’s say we have a web application with a form field that permits the upload of arbitrary files. It would appear to the user similar to the below:
Aside fro...
Published Dec 30, 2015
Version 1.0
Jiri_Rosenmayer
Altostratus
AltostratusI've been using your iRule a bit, but we realized there is one problem with it. Imagine, there is a request which violates like 15 different violations(so it is a real attack). And now with your iRule, if one of the violations would be attack signature in context request, it would be unblocked. I've found a way how to improve the iRule. It reads the violation details, and if it finds other violation than VIOL_ATTACK_SIGNATURE in other context than request, it will keep blocking the request.
when ASM_REQUEST_VIOLATION {
log local0. "ASM Violation: [HTTP::method], [string tolower [HTTP::path]], [ASM::violation names] ; [ASM::violation details] "
if {([HTTP::method] equals "POST") and ([class match [string tolower [HTTP::path]] equals upload-paths]) and ([string tolower [HTTP::header "Content-Type"]] contains "multipart/form-data") } {
set details [ASM::violation details]
set i 0
set only_attack_context_request 1
foreach {viol} $details {
if { [lindex ${viol} 0] equals "viol_name" } {
log local0. "ASM 01 $viol; [lindex ${details} [expr {$i+1}]]"
if { ($viol ne "viol_name VIOL_ATTACK_SIGNATURE" ) or ([lindex ${details} [expr {$i+1}]] ne "context request") } {
set only_attack_context_request 0
}
}
set i [expr {$i+1}]
}
if {$only_attack_context_request == 1 } {
ASM::unblock
log local0. "ASM unblocked [HTTP::method], [string tolower [HTTP::path]], [ASM::violation details] "
}
}
}