iRule Security 101 - #02 - HTTP Methods and Cross Site Tracing
In this installment of iRule Security 101, I'll refer to OWASP's Data Validation Test "Testing for HTTP Methods and XST (Cross Site Tracing)" and illustrate how to use iRules to build a defense mecha...
Published Aug 13, 2007
Version 1.0

Comment by Simon_Waters_13, Apr 17, 2014:
Wondering if this has changed in recent versions at all?
Also thinking the method is back to front entirely, but that is easily fixed.
Since new methods may be added to HTTP, we should whitelist allowed methods not blacklist denied methods.
We can do that here. Last time I did it was with Squid proxy 2.mumble, and there you could only "deny" methods in the config file, so I wrote a script to extract the methods known from where they were enumerated in the Squid proxy header file, and deny all those not on my whitelist. Since Squid proxy has the decency to reject HTTP methods it doesn't recognise, this was adequate. Of course it wasn't choosy out of the box, and TRACE and all of the WebDAV methods were allowed by default.
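The allow-list approach the comment argues for, written as an iRule (Tcl). This is an added example and not code from the article or the commenter; it assumes the application only needs GET, HEAD and POST, and that any other method should be refused with a 405 and logged so the rejection shows up in the LTM log.

```tcl
# Added example (not from the article): allow-list HTTP methods in an iRule.
# Assumption: the application behind this virtual server only needs
# GET, HEAD and POST. Adjust the allow-list to the methods you actually serve.
when HTTP_REQUEST {
    switch -- [HTTP::method] {
        "GET" -
        "HEAD" -
        "POST" {
            # Method is on the allow-list; let the request through untouched.
        }
        default {
            # Everything else (TRACE, the WebDAV verbs, any method added to
            # HTTP later) is rejected. Log it first so unexpected methods can
            # be spotted in /var/log/ltm, then answer with 405 and an Allow
            # header listing what is accepted, and close the connection.
            log local0. "Rejected method [HTTP::method] from [IP::client_addr] for [HTTP::host][HTTP::uri]"
            HTTP::respond 405 content "Method Not Allowed" \
                "Allow" "GET, HEAD, POST" \
                "Connection" "close"
        }
    }
}
```

Because the match is on exact method names, a request arriving with a method outside the list never reaches the pool, which is what makes the allow-list robust against methods that did not exist when the rule was written.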