Forum Discussion

Alfonso_Santia2
Feb 20, 2023

Drop requests with changes in hostname.

This is the customer's iRule:

when HTTP_REQUEST {
    if { not ([string tolower [HTTP::host]] equals "test.bank.com") } {
        # Any Host other than test.bank.com is answered with a 400
        log local0. "400 [HTTP::host]"
        HTTP::respond 400 -version auto content "Bad Request" "Content-Type" "text/html"
    } elseif { not ([string tolower [HTTP::uri]] starts_with "/etest") } {
        # Correct Host but URI outside /etest: redirect to /etest + original URI
        log local0. "302 [HTTP::host] [HTTP::uri]"
        HTTP::respond 302 -version auto Location https://test.bank.com/etest[HTTP::uri]
    }
    return
}

What happens now with this iRule is that all legitimate requests are being redirected to https://test.bank.com/etest but they have other URIs on the host test.bank.com (e.g. test.bank.com/emobile).

According to the customer, what they want is that when a client changes the host name to, for example, test2.bank.com, the VIP should not respond with 200 OK. But requests with the correct hostname will be passed with the correct URI.
That is, requests with test.bank.com/etest will go to test.bank.com/etest, or test.bank.com/emobile to test.bank.com/emobile. But requests with test2.bank.com/etest or test.bank2.com/emobile are dropped with a message.

This requirement is for Host Injection vulnerability.

Any advice on what to change in the above iRule?

2 Replies

  • Alfonso_Santia2 Based on the customer request you do not have to issue the 302 redirect unless for some reason you are going from HTTP to HTTPS, which doesn't seem to have been specified in the information provided above for the desired behavior. Because this was not mentioned, the following iRule should do what you are expecting, and it does not have a redirect because again that doesn't seem to be part of the expected behavior. If this is indeed an iRule associated with an HTTP virtual server (VS) and it needs to redirect to HTTPS, we can amend the iRule accordingly. You can also adjust the logging line in the else part of the if/else statement to provide other data rather than just "Is host ${host}" in the output to your log.

    when CLIENT_ACCEPTED priority 500 {
    
        # Remember the virtual server's default pool so HTTP_REQUEST can re-select it
        set DEFAULT_POOL [LB::server pool]
    
    }
    
    when HTTP_REQUEST priority 500 {
    
        set HOST [HTTP::host]
    
        if { ${HOST} != "test.bank.com" } {
            # Host header does not match: reject, never forward to the pool
            log local0. "400 ${HOST}"
            HTTP::respond 400 -version auto content "Bad Request" "Content-Type" "text/html"
        } else {
            # Expected host: send the request, URI untouched, to the default pool
            log local0. "Is host ${HOST}"
            pool $DEFAULT_POOL
        }
    
    }
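The following iRule is an added example written for this thread; it is not the code posted by either participant above. It keeps the shape of the reply's rule (capture the default pool in CLIENT_ACCEPTED, reject in HTTP_REQUEST, no redirect, so /emobile and other legitimate URIs pass through unchanged) and generalizes the Host check in two ways a Host-header-injection control usually needs: the value is lower-cased and any explicit ":port" suffix is stripped before comparison, and the expected names live in a list so more than one hostname can be allowed. The ALLOWED_HOSTS contents and the log format are assumptions for illustration.

```tcl
# Added example for this thread (not the customer's or the reply's iRule).
# Assumes the VS default pool serves every legitimate URI (/etest, /emobile, ...).
when CLIENT_ACCEPTED priority 500 {
    # Remember the virtual server's default pool so HTTP_REQUEST can re-select it
    set DEFAULT_POOL [LB::server pool]
}

when HTTP_REQUEST priority 500 {
    # Hostnames this virtual server is allowed to answer for (assumed list)
    set ALLOWED_HOSTS [list "test.bank.com"]

    # Normalise the Host header: lower-case it and drop an explicit ":port",
    # otherwise "Test.Bank.com" or "test.bank.com:443" would fail a plain compare
    set host [string tolower [HTTP::host]]
    set host [lindex [split $host ":"] 0]

    if { [lsearch -exact $ALLOWED_HOSTS $host] == -1 } {
        # Unknown or injected Host: answer 400 and close; the pool is never selected
        log local0. "400 host=[HTTP::host] uri=[HTTP::uri] client=[IP::client_addr]"
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # Expected host: forward with the original URI, no rewriting or redirect
    pool $DEFAULT_POOL
}
```

Because there is no 302 branch, a request for test.bank.com/emobile reaches the pool as-is, which is the behaviour the customer described; the original rule redirected every non-/etest URI to /etest plus the original path. Logging the client address alongside the rejected Host value also gives the SOC a usable signal for spotting hosts probing with forged Host headers.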


    • Alfonso_Santia2

      Thank you for your reply. We will test this during the weekend and inform you what happens. Thanks again.