How to add or remove allowed parameters during runtime

Eran_Barzilay_3
Nimbostratus

Hi. I'm working on a solution for a 'forgot my password' scenario, in which my server generates a temporary URL (URL with a hash parameter, valid for X hours) and sends it to the clients. I want the ASM to allow the temporary URL (or hash parameter) only as long as it is valid, and block the same URL with invalid parameters. Is there a way to add or remove allowed parameters to a URL during runtime? Is there a way to do this using an API (Java / REST / other)?

 

Thanks, Eran

 

1 REPLY

Stanislas_Piro2
Cumulonimbus

Hi,

You can manage it with an iRule (store the 302 redirect URL parameter in a table) and raise an ASM user-defined violation if the URL is not in the table. (not tested)

when HTTP_RESPONSE {
    # Remember the token from the 302 Location header for 7200 seconds
    if {[HTTP::status] equals 302 && [set id [URI::query [HTTP::header Location] myparameter]] ne ""} {
        table set -subtable resetPassword $id 0 7200
    }
    # id only exists when the response was a 302
    unset -nocomplain id
}

when HTTP_REQUEST {
    set reqBlock 0
    # The stored value is 0, so test for an empty lookup result rather than negating it.
    # -notouch keeps lookups from extending the 7200-second timeout.
    if {([HTTP::path] equals "/reset/url") && ([set id [URI::query [HTTP::uri] myparameter]] ne "") && ([table lookup -notouch -subtable resetPassword $id] eq "")} {
        set reqBlock 1
    }
    # id only exists when the path matched
    unset -nocomplain id
}

when ASM_REQUEST_DONE {
    # Block not allowed request with ASM if enabled. Raise ASM user defined violation FILTER_IRULE_VIOLATION
    if {$reqBlock} {
        set violation_details [list [list Reason iRule_Event]]
        lappend violation_details [list Filter Denied_URL]
        ASM::raise FILTER_IRULE_VIOLATION $violation_details
    }
}