F5 ASM appears not blocking filetypes in http query

Abed_AL-R · ‎23-Mar-2022

F5 v15.1.3.1

My F5 ASM policy is configured to block command executions and illegal file types

but for example if I try to browse this url:

https://my.web.site/netstat.exe

Then ASM blocks the request

But if I try https://my.web.site/path?netstat.exe

It is not getting blocked

Any explanation?

Samir · ‎23-Mar-2022

Good question..

1. https://my.web.site/netstat.exe ==> here netstat.exe comes as file type and ASM is quickly blocking it as you have selected "Illegal file type" blocked during policy creations.
2. https://my.web.site/path?netstat.exe ==> here URI is "path?netstat.exe" & you have not asked ASM to blocked it and hence request is allowed. You need to act on positional parameters to block these kind of request.

Abed_AL-R · ‎23-Mar-2022

thanks for the reply

do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?

and how should I act on positional parameters to block these kind of request?

Samir · ‎23-Mar-2022

do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.

and how should I act on positional parameters to block these kind of request?

Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
Parameter Level: URL, URL Path: GET, Location: Query string, Parameter Value Type: User-input values, Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$

Hope it will work.

Abed_AL-R · ‎30-Mar-2022

Hi

Thanks for your response

That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:

1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$

2)_ Create Attack Signature List
    Security  ››  Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
    Security  ››  Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy
    Security  ››  Application Security : Security Policies : Policies List  ››  <Policy_name>  >> Attack Signatures

Samir · ‎31-Mar-2022

Thank you so much for adding comments. can you please through some light on step 3

Abed_AL-R · ‎01-Apr-2022

To be honest, I skiped step 3 🙂

Jefferson_Navar · ‎09-Apr-2022

In order to block the request, you can follow these steps:

1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
Tool: https://regex101.com/

2)_ Create Attack Signature List.
Security ›› Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create custom "Attack Signature Sets"
Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy

5)_ Test

DevCentral

F5 ASM appears not blocking filetypes in http query

Register For AppWorld 2024

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

F5 ASM appears not blocking filetypes in http query

Register For AppWorld 2024

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards