Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Help with ASM URL wildcard syntax

Jonathan_c
Altocumulus
Altocumulus

‎07-Nov-2022 03:18

Hi,

I need to create a URL whitelist for a directory structure such as this:

/constant-name/constant-name/any-name/any-name/.../.../*.css

/constant-name/constant-name/any-name/any-name/.../.../*.pdf

/constant-name/constant-name/any-name/any-name/.../.../*.xml

So, where it says 'any-name' it's equivilant to wildcard, but I don't know how many subfolders there would be.

How would I go about putting it in a the ASM syntax?

Thanks

 

Labels:
0 Kudos
11 REPLIES 11

Mohamed_Ahmed_Kansoh
MVP
MVP

‎07-Nov-2022 03:41 - edited ‎07-Nov-2022 03:45

Hi @Jonathan_c , 

Try this : 
      /constant-name/constant-nam/*.css
     /constant-name/constant-name/*.xml

    /constant-name/constant-name/*.pdf 
- Make sure that you remove the " * " by default wildcard entity in allowed Urls and file types.
- Also Make sure that you configure ( pdf , xml , css ) as allowed file types. 

Also refer to these KBs : 
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.h...

and this as well : 
https://support.f5.com/csp/article/K8623

it will help you much for correct syntax. 
hope this help you. 
Thanks

 

_______________________
Regards
Mohamed Kansoh

Jonathan_c
Altocumulus
Altocumulus
In response to Mohamed_Ahmed_Kansoh

‎07-Nov-2022 04:30

Hi Mohamed,

Thanks for your suggestions.

Let me just be more clear - I'm looking to block attemps were an attacker tries to insert code in the URL path, such as:

/folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css

if i'll add the URL like you suggested, won't it also allow the above example?

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to Jonathan_c

‎07-Nov-2022 05:13 - edited ‎07-Nov-2022 05:15

Hi @Jonathan_c , 
        well , 
 I thought that you want to create these URLs as allowed. 

> My recomendation is : 
Ping in urls or users requests does not make sense and it should be sent such these requests to application so Create a disallowed Wildcard url.  
choose if your application is  Http or https and  it should be like this : " *ping* " . 

ASM Test.PNG

Or 

you can create custom attack signature matches to " Ping " Word and assign it to your impacted ASM policy. 

If you want to test the Cusom ping attack signature , I can do it and send the results to you. 
or Check this KB :
 
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-1...


I hope it work with you
Ty 

_______________________
Regards
Mohamed Kansoh

Jonathan_c
Altocumulus
Altocumulus
In response to Mohamed_Ahmed_Kansoh

‎07-Nov-2022 05:19

Hi,

I gave the PING as an example from a true case we had. but it could be any type of code.

The issue is that our policy is whitelist based, and we have a bunch of URLs which we need to allow, like the one I wrote in the original post, but we still want to reject such attempts of code injections.

So from the one hand, we need the wildcard there, for subfolders and file names. 

From the other hand, the wildcard allows the code injection...

 

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to Jonathan_c

‎07-Nov-2022 07:03 - edited ‎07-Nov-2022 09:28

@Jonathan_c 
well , I think at this Case you need to add all attack signature sets which related to Code injections such as " server side code injections and ... more " and make sure that you enforced them all. 

or
> you can add all of these suspected codes as a disallowed  wildcard urls , like we did with

" *ping* " , 

> Also , configure well ( http protocol compliance and Evasion technique ) in ASM learning and blocking settings. 
Because I thing a request looks like this " folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css " should be blocked by ( http protocol compliance or Evasion technique ). 

> that was my opinion , I will do further tests in my test environment. 
If I get an optimal solution meets your needs , I will share it here directly. 

Thanks

_______________________
Regards
Mohamed Kansoh

Nikoolayy1
MVP
MVP

‎07-Nov-2022 11:12 - edited ‎07-Nov-2022 11:13

Hello @Jonathan_c Aren't you using positional parametars in the URL if this is the case as explained in https://support.f5.com/csp/article/K52644614 or https://support.f5.com/csp/article/K72880030 ?

 

@Mohamed_Ahmed_Kansoh  suggestions are on the mark but if you are using positional parameters then see the article I provided and then you will have more granual control like to use static or dynamic parameters once F5 decodes the URL and the position of the parameters.

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to Nikoolayy1

‎07-Nov-2022 12:05

Thanks @Nikoolayy1 , 
        I did not use positional parameters before , it is very useful option to use. 

_______________________
Regards
Mohamed Kansoh

Nikoolayy1
MVP
MVP
In response to Mohamed_Ahmed_Kansoh

‎07-Nov-2022 12:13 - edited ‎07-Nov-2022 12:17

Yup after that you can make the parameter static/dynamic or enable/dissable attack signatures for it like any other normal patameter as @Jonathan_c example's is as command injection attack maybe for the URL this is not detected and if after using positional parameters still this is not blocked then the attack signatures need to be checked if the correct one is present and enforced (not in staging). The command injection signature can be enforced only for the positional parameter if it causes false postives in other places.

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to Nikoolayy1

‎07-Nov-2022 12:54

@Nikoolayy1 
yes as you said , I know that there is an Attack signature preventing ping executions. 
but sometimes I test to inject such these codes in urls but it does not be blocked be blocked because it matches attack pattern , 
such as this Example " https://shoping.com/index/curl -v 10.20.20.20/items/..... 
Curl should be Blocked because it matches with attack signature and i am sure it is enforced. 
whereas when writing this " https://shoping.com/index/<script>/items/....." it is blocked because it matches with XSS signature pattern. 

But , in any case this  request " https://shoping.com/index/curl -v 10.20.20.20/items/....."

should be blocked because it violates http protocol compliance. 

> I think the command execusion differs from XXS from Attack signature Patterns perspective , 
I think command execustion will be blocked if it get an output from backend server. 

This is my thought , I will be happy if you correct me. 
Thanks @Nikoolayy1 

_______________________
Regards
Mohamed Kansoh
0 Kudos

Jonathan_c
Altocumulus
Altocumulus

‎07-Nov-2022 23:22

I also wasn't aware of the positional parameters, it looks helpful but I don't see how it can help in this scenario.

for example, if I'll create a URL with positional parameters like this:

Jonathan_c_1-1667891955705.png

Won't it will still allow a code injection where the wildcard is (marked red)?

Also, does this wildcard accepect one path level or any number of subfolders?

Anyway, I understand I'll need to add several more attack signatures in order to cover all bases.

Thank you Nikoolay and Mohamed for your inputs, they really helped me.

 

0 Kudos

Nikoolayy1
MVP
MVP
In response to Jonathan_c

‎08-Nov-2022 02:40 - edited ‎08-Nov-2022 02:41

Better read an play/test with positional parameters to get the idea as they can work with wildcards or as wildcards (you will have to talk with your developers to get the idea how to configure the parameters) and then see if the command injections is detected and if not as I mentioned then maybe you have not added a signature set and/or enforced the correct signature.

 

That is my opinion and the input I can provide.

0 Kudos
Copyright © 2023 Khoros, LLC