07-Nov-2022 03:18
Hi,
I need to create a URL whitelist for a directory structure such as this:
/constant-name/constant-name/any-name/any-name/.../.../*.css
/constant-name/constant-name/any-name/any-name/.../.../*.pdf
/constant-name/constant-name/any-name/any-name/.../.../*.xml
So, where it says 'any-name' it's equivalent to a wildcard, but I don't know how many subfolders there would be.
How would I go about putting it in the ASM syntax?
Thanks
07-Nov-2022 03:41 - edited 07-Nov-2022 03:45
Hi @Jonathan_c ,
Try this:
/constant-name/constant-name/*.css
/constant-name/constant-name/*.xml
/constant-name/constant-name/*.pdf
- Make sure that you remove the default " * " wildcard entity in allowed URLs and file types.
- Also make sure that you configure ( pdf , xml , css ) as allowed file types.
Also refer to these KBs:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.h...
and this as well:
https://support.f5.com/csp/article/K8623
They will help you a lot with the correct syntax.
Hope this helps you.
Thanks
07-Nov-2022 04:30
Hi Mohamed,
Thanks for your suggestions.
Let me just be more clear - I'm looking to block attempts where an attacker tries to insert code in the URL path, such as:
/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css
If I add the URL like you suggested, won't it also allow the above example?
07-Nov-2022 05:13 - edited 07-Nov-2022 05:15
Hi @Jonathan_c ,
Well,
I thought that you wanted to create these URLs as allowed.
> My recommendation is:
Ping in URLs or user requests does not make sense, and such requests should not be sent to the application, so create a disallowed wildcard URL.
Choose whether your application is HTTP or HTTPS, and it should look like this: " *ping* ".
Or
You can create a custom attack signature that matches the word " ping " and assign it to your impacted ASM policy.
If you want to test the custom ping attack signature, I can do it and send the results to you.
Or check this KB:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-1...
I hope it works for you.
Ty
07-Nov-2022 05:19
Hi,
I gave the PING as an example from a true case we had, but it could be any type of code.
The issue is that our policy is whitelist based, and we have a bunch of URLs which we need to allow, like the one I wrote in the original post, but we still want to reject such attempts of code injections.
So on the one hand, we need the wildcard there, for subfolders and file names.
On the other hand, the wildcard allows the code injection...
07-Nov-2022 07:03 - edited 07-Nov-2022 09:28
@Jonathan_c
Well, I think in this case you need to add all attack signature sets related to code injection, such as " server side code injection and ... more ", and make sure that you have enforced them all.
or
> You can add all of these suspected codes as disallowed wildcard URLs, like we did with
" *ping* ",
> Also, configure ( HTTP protocol compliance and Evasion technique ) well in the ASM learning and blocking settings.
Because I think a request that looks like this " folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css " should be blocked by ( HTTP protocol compliance or Evasion technique ).
> That was my opinion, I will do further tests in my test environment.
If I find an optimal solution that meets your needs, I will share it here directly.
Thanks
07-Nov-2022 11:12 - edited 07-Nov-2022 11:13
Hello @Jonathan_c, aren't you using positional parameters in the URL? If this is the case, it is explained in https://support.f5.com/csp/article/K52644614 or https://support.f5.com/csp/article/K72880030.
@Mohamed_Ahmed_Kansoh's suggestions are on the mark, but if you are using positional parameters then see the articles I provided; you will have more granular control, such as using static or dynamic parameters, once F5 decodes the URL and the position of the parameters.
07-Nov-2022 12:05
Thanks @Nikoolayy1 ,
I had not used positional parameters before; it is a very useful option.
07-Nov-2022 12:13 - edited 07-Nov-2022 12:17
Yup, after that you can make the parameter static/dynamic or enable/disable attack signatures for it like any other normal parameter. As @Jonathan_c's example is a command injection attack, maybe for the URL this is not detected, and if after using positional parameters this is still not blocked, then the attack signatures need to be checked to confirm the correct one is present and enforced (not in staging). The command injection signature can be enforced only for the positional parameter if it causes false positives in other places.
07-Nov-2022 12:54
@Nikoolayy1
Yes, as you said, I know that there is an attack signature preventing ping execution.
But sometimes when I test injecting such code in URLs it does not get blocked, although it matches an attack pattern,
such as this example: " https://shoping.com/index/curl -v 10.20.20.20/items/.....
Curl should be blocked because it matches an attack signature, and I am sure it is enforced.
Whereas when writing this " https://shoping.com/index/<script>/items/....." it is blocked because it matches the XSS signature pattern.
But, in any case, this request " https://shoping.com/index/curl -v 10.20.20.20/items/....."
should be blocked because it violates HTTP protocol compliance.
> I think command execution differs from XSS from the attack signature patterns' perspective;
I think command execution will be blocked if it gets output from the backend server.
This is my thought; I will be happy if you correct me.
Thanks @Nikoolayy1
07-Nov-2022 23:22
I also wasn't aware of the positional parameters, it looks helpful but I don't see how it can help in this scenario.
For example, if I create a URL with positional parameters like this:
Won't it still allow a code injection where the wildcard is (marked red)?
Also, does this wildcard accept one path level or any number of subfolders?
Anyway, I understand I'll need to add several more attack signatures in order to cover all bases.
Thank you Nikoolay and Mohamed for your inputs, they really helped me.
08-Nov-2022 02:40 - edited 08-Nov-2022 02:41
Better read and play/test with positional parameters to get the idea, as they can work with wildcards or as wildcards (you will have to talk with your developers to get the idea of how to configure the parameters), and then see if the command injection is detected; if not, as I mentioned, then maybe you have not added a signature set and/or enforced the correct signature.
That is my opinion and the input I can provide.