I am working on a WAF policy where I need to allow any query parameter value but block ones with sites or hostnames, example below.
BLOCK: https://hostname/index.html?para1=https://example.com
I don't have the option to use a static parameter type because of the nature of the web app. Can someone share ideas or the best approach?
You say that you want to prevent sites and hostnames as parameter values. But in my opinion this is a site:
Or do you consider this a page and pages are allowed?
Could you explain what you are trying to protect or prevent with this? Are you trying to protect yourself from CSRF? There is a solution for this: K11930: Overview of the BIG-IP ASM CSRF protection feature.
However, in my opinion this rather sounds like something that should be solved at the level of the application and not in a WAF.
Thank you for your response.
Exactly, I considered this a page and it's allowed, but I don't want users to insert sites in parameter values. I 100% agree with you that this is something that should be resolved on the application side, but I was trying to help on my end as a workaround 😉
Thanks for sharing the CSRF link. We don't want to apply this solution as we have not tested it for this specific application and it may have negative side effects.
It seems you are trying to protect against an SSRF attack. We would need to know more about what kind of input should be allowed in this parameter, but I anticipate a couple of options that could help you mitigate the problem:
1) Configure SSRF signatures on the parameters to prevent common SSRF targets (this might not cover all the attack scenarios)
2) Disable the meta characters "/" and "." in case they are not expected (as well as other meta characters) for the parameter
3) Configure a minimum/maximum length for the parameter
4) Configure the parameter with a Regular Expression representing the data you are expecting
5) Configure an Enum list in the param with expected values (this is completely static)
6) If you are on BIG-IP 16.1.x verify if the SSRF protection could help with your scenario: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/mitigating-ssrf.html and here https://support.f5.com/csp/article/K86285140
My 2 cents.
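As an added illustration of the check the thread is asking the WAF to perform (this is example code, not from the thread or from F5), the snippet below flags query parameters whose value is a URL, a protocol-relative reference or an IP literal, after percent-decoding the value the way a WAF normalizes input. The regexes, the two-round decoding and the sample request URLs are my own assumptions; bare dotted names are deliberately left alone because, as the thread notes, `index.html` and `example.com` cannot be told apart by shape.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed patterns for the two unambiguous "site" shapes: a value carrying a
# URL scheme or a protocol-relative "//" prefix, and a value that is an IPv4
# literal (with optional port). Bare dotted names are not matched (ambiguous).
SCHEME_OR_PROTO_REL = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//', re.I)
IPV4_LITERAL = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?:[/?#]|$)')


def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so a double-encoded value is seen the way a
    WAF's normalization would see it (two rounds is an assumption here)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()


def looks_like_site(value: str) -> bool:
    """True when a parameter value is a URL/host reference rather than plain data."""
    v = normalize(value)
    if SCHEME_OR_PROTO_REL.match(v):
        # Require a real host in the authority part so that values such as
        # 'file:///etc/hosts' (scheme, no host) are not reported as a site.
        return bool(urlsplit(v if '://' in v else 'http:' + v).hostname)
    return bool(IPV4_LITERAL.match(v))


def flagged_parameters(request_url: str) -> list[str]:
    """Names of the query parameters whose value looks like a site or hostname."""
    query = urlsplit(request_url).query
    # keep_blank_values so an empty value is still seen (and passes) as a parameter
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if looks_like_site(value)]


if __name__ == "__main__":
    # Constructed sample requests: the thread's BLOCK example plus a few
    # variants a practitioner would want covered (encoding, IP literal).
    for url in ("https://hostname/index.html?para1=https://example.com",
                "https://hostname/index.html?para1=index.html&q=hello+world",
                "https://hostname/index.html?p=%252F%252Fexample.com",
                "https://hostname/index.html?p=10.0.0.1:8080/admin&x=1"):
        print(url, "->", flagged_parameters(url) or "allowed")
```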
Thanks a lot for the helpful options, I will definitely consider options 1, 2 and 6.