Block specific parameter value

AHMADAD
Altostratus

Hello All, 

I am working on a WAF policy where I need to allow any query parameter value but block ones with sites or hostnames, example below.

BLOCK : https://hostname/index.html?para1=https://example.com

ALLOW: https://hostname/index.html?para1=name1.html

I don't have the option to use a static parameter type because of the nature of the web app. Can someone share ideas or the best approach?

4 REPLIES

Hi @AHMADAD

You say that you want to prevent sites and hostnames as parameter values. But in my opinion this is a site:

ALLOW: https://hostname/index.html?para1=name1.html

Or do you consider this a page and pages are allowed?

Could you explain what you are trying to protect or prevent with this?  Are you trying to protect yourself from CSRF? There is a solution for this: K11930: Overview of the BIG-IP ASM CSRF protection feature

However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.

KR
Daniel

Hi Daniel, 

Thank you for your response.

Exactly, I considered this a page and it's allowed, but I don't want users to insert sites in parameter values. I 100% agree with you that this is something that should be resolved at the application side, but I was trying to help on my end as a workaround 😉

Thanks for sharing the CSRF link; we don't want to apply this solution as we have not tested it for this specific application and it may have negative side effects.

Ismael_Goncalves
F5 Employee

Hi @AHMADAD,

It seems you are trying to protect against an SSRF attack. We would need to know more about what kind of input should be allowed in this parameter, but I anticipate a couple of options that could help you mitigate the problem:

1) Configure SSRF signatures on the parameters to prevent common SSRF targets (this might not cover all the attack scenarios)
2) Disable meta character "/" and "." in case they are not expected (as well as other meta-characters) for the parameter
3) Configure minimum/maximum length of the parameter
4) Configure the parameter with a Regular Expression representing the data you are expecting 
5) Configure an Enum list in the param with expected values (this is completely static)
6) If you are on BIG-IP 16.1.x verify if the SSRF protection could help with your scenario: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/mitigating-ssrf.html and here https://support.f5.com/csp/article/K86285140 

My 2 cents.
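Options 2, 3 and 4 above (denied meta-characters, a length limit and an allow-list regular expression) combined into one parameter check, as an added Python example. This is not F5 or BIG-IP ASM code and does not describe how the policy engine evaluates a parameter internally; the `.html` allow-list pattern, the denied meta-character set, the 64-character limit and the function names are assumptions chosen to fit the two URLs in the question.

```python
import re
from typing import Tuple
from urllib.parse import parse_qs, unquote, urlparse

# --- Policy constants (assumptions for this example, not ASM defaults) ---
MAX_LEN = 64                                              # option 3: maximum length
PAGE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]+\.html$')      # option 4: allow-list regex
DENIED_META = {"/", "\\", ":", "@"}                       # option 2: meta-characters not expected
# Heuristics that recognise a site or hostname rather than a page name.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:', re.IGNORECASE)        # "https:", "gopher:", ...
HOSTNAME_RE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:$|[:/?#])', re.IGNORECASE)
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}(?:$|[:/?#])')


def check_value(decoded: str) -> Tuple[str, str]:
    """Decide ("ALLOW"|"BLOCK", reason) for one already percent-decoded value.

    The allow-list is tested first: "name1.html" also satisfies HOSTNAME_RE,
    so a tight allow-list pattern is what separates a page from a site.
    Anything that matches nothing is blocked (default deny).
    """
    if len(decoded) > MAX_LEN:
        return "BLOCK", "length"
    if PAGE_NAME_RE.fullmatch(decoded):
        return "ALLOW", "allow-list regex"
    if SCHEME_RE.match(decoded) or decoded.startswith("//"):
        return "BLOCK", "url-like"
    if HOSTNAME_RE.match(decoded):
        return "BLOCK", "hostname-like"
    if IPV4_RE.match(decoded):
        return "BLOCK", "ip-like"
    hit = DENIED_META.intersection(decoded)
    if hit:
        return "BLOCK", "meta-character " + "".join(sorted(hit))
    return "BLOCK", "not in allow-list"


def check_param(raw: str) -> Tuple[str, str]:
    """Check a raw (still percent-encoded) parameter value, decoding it exactly once."""
    return check_value(unquote(raw))


def check_url(url: str, param: str = "para1") -> Tuple[str, str]:
    """Extract one query parameter from a full URL and check every value it carries."""
    # parse_qs already percent-decodes once, so hand the result straight to check_value.
    values = parse_qs(urlparse(url).query, keep_blank_values=True).get(param, [])
    if not values:
        return "ALLOW", "parameter absent"
    for v in values:                       # a repeated parameter is judged value by value
        verdict, reason = check_value(v)
        if verdict == "BLOCK":
            return verdict, reason
    return "ALLOW", "all values pass"


if __name__ == "__main__":
    # The two URLs from the question, plus constructed edge cases.
    for u in ("https://hostname/index.html?para1=https://example.com",
              "https://hostname/index.html?para1=name1.html",
              "https://hostname/index.html?para1=%2F%2Fexample.com%2Fx"):
        print(u, "->", check_url(u))
```

Two design points worth carrying over to whatever the real policy does: decode the value exactly once before matching, so a percent-encoded slash cannot slip past the meta-character rule but a double-encoded value is not silently normalised further than the application itself would; and keep the outcome default deny with a reason string, because the reason is what you will want in the log when the allow-list turns out to be too narrow for a legitimate page.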


Hi @Ismael_Goncalves

Thanks a lot for the helpful options, I will definitely consider options 1, 2 and 6.