Cspillane_18296

Problem this snippet solves:

This (untested) iRule should block some SQL attack attempts in the query string. It's not a substitute for ASM as no checking of post data parameters is done, but it does demonstrate the power of iRules!

It's my first CodeShare effort so my apologies if it is not to the usual standard!

How to use this snippet:

Uses the FullyDecodeUri example and a switch statement.

Notes

Note that the unbounded while loop in this iRule may be dangerous. Due to a flaw in URI::decode (ID 337562), it is possible that for some URIs, $uri will never equal $tmpUri, and the loop will continue forever. The variables will keep growing in length, leading to a TMM core. Capping the amount of possible iterations of the while loop is a wise idea.

Code:

#irule_to_block_some_SQL_attacks
when HTTP_REQUEST {

   # set URI to lower case
   set tmpUri [string tolower [HTTP::uri]]

   # URI decode the URI
   set uri [URI::decode $tmpUri]

   # repeat decoding until the decoded version equals the previous value.
   # The loop is capped: URI::decode (ID 337562) can keep returning a
   # different value for some input, and an unbounded loop here cores TMM.
   set passes 1
   while { $uri ne $tmpUri } {
      if { [incr passes] > 5 } {
         # still changing after 5 passes: fail closed and drop the request
         reject
         return
      }
      set tmpUri $uri
      set uri [URI::decode $tmpUri]
   }

   # Match against the fully decoded, lower-cased URI ($uri). Matching the
   # raw [HTTP::uri] instead would miss payloads such as %73elect%20 and,
   # because of the trailing "*%*" pattern, would reject every request that
   # contains any percent-encoded byte. Patterns are lower case because the
   # URI was lower-cased above. Note that substring patterns such as
   # "*script*" and "*master.*" also match harmless values ("description",
   # "webmaster.html"), so expect false positives without tuning.
   switch -glob $uri {
      "*<*" -
      "*>*" -
      "*select *" -
      "*insert *" -
      "*update *" -
      "*delete *" -
      "*create *" -
      "*drop *" -
      "*.\[tempdb\].*" -
      "*.\[master\].*" -
      "*.\[model\].*" -
      "*.\[msdb\].*" -
      "*.\[dbo\].*" -
      "*tempdb.*" -
      "*master.*" -
      "*model.*" -
      "*msdb.*" -
      "*.dbo.*" -
      "*script*" -
      "*\r\n*" -
      "*%*" {
         # Send a TCP reset
         reject
      }
      default {
         # Do nothing here to use the VIP's default pool
      }
   }
}
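The decode-until-stable loop and the glob switch above, modelled in Python so the behaviour can be exercised without a BIG-IP. This is an added example, not iRule code from the original post: the five-pass cap (MAX_DECODE_ROUNDS), the reduced pattern list and the sample URIs are constructed for the example, and fnmatch is used in place of Tcl's switch -glob (a literal "[" is written "[[]" in fnmatch where Tcl uses "\["). It also shows why the switch must run on the decoded value rather than the raw URI, and what the cap does when decoding never settles.

```python
"""Offline model of the iRule's decode-then-match logic (added example).

Not iRule/Tcl code: it reproduces the fixpoint decode loop and the glob
switch in Python. The cap, the pattern subset and the sample URIs are
assumptions made for this example.
"""
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Assumption: five passes is plenty for any legitimately double-encoded
# request; anything still changing after that is treated as hostile.
MAX_DECODE_ROUNDS = 5

# Subset of the iRule's glob patterns. fnmatch treats "[...]" as a
# character class, so a literal "[" is spelled "[[]" (Tcl: "\[").
PATTERNS = [
    "*<*", "*>*",
    "*select *", "*insert *", "*update *", "*delete *", "*create *", "*drop *",
    "*.[[]dbo].*", "*.dbo.*", "*master.*",
    "*script*",
    "*%*",
]


def fully_decode(uri, max_rounds=MAX_DECODE_ROUNDS):
    """Mirror the iRule loop: lower-case, then percent-decode until a pass
    changes nothing. Returns (decoded, passes, stable); stable is False when
    the cap stopped the loop before the value settled."""
    prev = uri.lower()
    for passes in range(1, max_rounds + 1):
        cur = unquote(prev)
        if cur == prev:
            return cur, passes, True
        prev = cur
    return prev, max_rounds, False


def inspect(uri, patterns=PATTERNS, max_rounds=MAX_DECODE_ROUNDS):
    """Return ("reject", reason) or ("allow", None) for a request URI.
    Matching runs on the fully decoded value; hitting the cap fails closed."""
    decoded, _passes, stable = fully_decode(uri, max_rounds)
    if not stable:
        return "reject", "decode cap reached"
    for pattern in patterns:
        if fnmatchcase(decoded, pattern):
            return "reject", pattern
    return "allow", None


def inspect_raw(uri, patterns=PATTERNS):
    """What a switch on the lower-cased *raw* URI does, for comparison:
    the "*%*" pattern rejects every request carrying any encoded byte."""
    for pattern in patterns:
        if fnmatchcase(uri.lower(), pattern):
            return "reject", pattern
    return "allow", None


if __name__ == "__main__":
    # Constructed sample request URIs.
    samples = [
        "/items?id=1%20UNION%20SELECT%20password%20FROM%20users",  # single-encoded
        "/items?id=1%2520UNION%2520%2573ELECT%2520*",            # double-encoded
        "/search?q=hello%20world",                               # benign
        "/products?sort=description",                            # benign, hits *script*
        "/%" + "25" * 8,                                         # nested %25 beyond the cap
    ]
    for s in samples:
        print(f"{s!r:60} raw={inspect_raw(s)[0]:6} decoded={inspect(s)}")
```

Running the block shows the double-encoded `%2573ELECT%2520` needing three passes before `*select *` fires, the benign `hello%20world` being allowed once decoded but rejected by the raw match purely because it contains `%`, `description` tripping `*script*`, and the over-nested `%25` chain being dropped by the cap rather than looping.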
Version history
Last update:
‎18-Mar-2015 12:07