File Uploads and ASM
File Uploads through a WAF
Let’s say we have a web application with a form field that permits the upload of arbitrary files. It would appear to the user similar to the below:
Aside fro...
Published Dec 30, 2015
Version 1.0
Dylan_Syme_1299
Jiri_Rosenmayer
May 09, 2018
Altostratus
I've been using your iRule a bit, but we realized there is one problem with it. Imagine there is a request which triggers like 15 different violations (so it is a real attack). And now with your iRule, if one of the violations were an attack signature in context request, it would be unblocked. I've found a way to improve the iRule. It reads the violation details, and if it finds a violation other than VIOL_ATTACK_SIGNATURE in a context other than request, it will keep blocking the request.
when ASM_REQUEST_VIOLATION {
    log local0. "ASM Violation: [HTTP::method], [string tolower [HTTP::path]], [ASM::violation names] ; [ASM::violation details] "
    # Only consider multipart POSTs to paths listed in the upload-paths data group
    if {([HTTP::method] equals "POST") and ([class match [string tolower [HTTP::path]] equals upload-paths]) and ([string tolower [HTTP::header "Content-Type"]] contains "multipart/form-data") } {
        set details [ASM::violation details]
        set i 0
        # Stays 1 only if every violation is VIOL_ATTACK_SIGNATURE in context request
        set only_attack_context_request 1
        foreach {viol} $details {
            if { [lindex ${viol} 0] equals "viol_name" } {
                log local0. "ASM 01 $viol; [lindex ${details} [expr {$i+1}]]"
                # The entry right after viol_name is compared against "context request"
                if { ($viol ne "viol_name VIOL_ATTACK_SIGNATURE" ) or ([lindex ${details} [expr {$i+1}]] ne "context request") } {
                    set only_attack_context_request 0
                }
            }
            incr i
        }
        if {$only_attack_context_request == 1 } {
            ASM::unblock
            log local0. "ASM unblocked [HTTP::method], [string tolower [HTTP::path]], [ASM::violation details] "
        }
    }
}