iRule to block a request if the Content-Disposition name is not available

Muhannad
Cirrus

Dear Experts,

I need your help to write an iRule that matches the URL (Test/test1) and, if the request doesn't have Content-Disposition: form-data; name="CaptchaCode", drops the request. I have tried to match it via the iRule below, but it seems that it doesn't match it. More information below:

The Request:

POST /test/test1 HTTP/1.1
Host: Test.com
Connection: keep-alive
Content-Length: 2675
Cache-Control: max-age=0
sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: null
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Cookie: Microsoft.AspNetCore.Localization.CookieRequestCultureProvider=CfDJ8Hy2PC-jQdNKhuG0yBqr2pwuICqrbayYLFPEIpxuI-toOjX2-lZTdq4qvzmHhCrKpL_iIQA85JUw0RxJXrCGVWH-bkTwX8c0lsbREciH7ekQeVBX_kBUhLybWmjTM2dmfrKwHYsFxLMJhVNzn8WD2Wk; TS01c0d31c=01f62dab761e4c54d1f34b73260c073a86ad157056848b710e67c0327d5fc6f2dd386447f7b294989d59825dc391eee3e38a9f3d0178eeb9244b5656fc9e7cb47f2567ce5ad4010bd5d19e44461e272fa38724e0a1; _ga=GA1.1.862382927.1679483115; _fbp=fb.1.1681724603251.1345688915; __utmz=122826463.1686725330.10.3.utmcsr=madfooat.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _gcl_au=1.1.1938501219.1687336682; __utmc=122826463; .AspNetCore.Session=CfDJ8Hy2PC+jQdNKhuG0yBqr2pzgnQyXxhysaTKmTfA8eaiI6WDLyubGN89tFuaEm/oJo2KJ+2BenQYwVniuQ6FDw39x7bzdejDfEmi5jUkK14BA6lFrLXRhHUNdIO0a+tan887i6JDNuVVNjJiEzyyEVHoFGxlDCKviUWG/l8bSXMks; _ga_S6HQN1W6GB=GS1.1.1688625327.34.1.1688625408.0.0.0; RT="z=1&dm=efawateercom.jo&si=y106dy8bvir&ss=ljqrxddm&sl=0&tt=0"; __utma=122826463.862382927.1679483115.1688625337.1688733349.16; TS01200b3d=01f62dab760935cb34cad590166765f4482513b87f414c1fda020c4300b26f1318555dcd934d865f63c2ecc76a87b3ded66be33aee15d5a8cd05a4c89ef4cbb39746897a43; _ga_3XMB8ZPWFQ=GS1.1.1688733347.30.1.1688734130.0.0.0; __utmt_UA-117405427-1=1; __utmb=122826463.5.10.1688733349
X-Forwarded-For: 1.1.1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymLZWar1odHH1fIF1

------WebKitFormBoundarymLZWar1odHH1fIF1
Content-Disposition: form-data; name="CaptchaCode"

T1QW
------WebKitFormBoundarymLZWar1odHH1fIF1
Content-Disposition: form-data; name="__RequestVerificationToken"

The iRule that has been tested:

when HTTP_REQUEST {
if {([string tolower [HTTP::uri]] contains "/insertandpostcustomerticket") && ([string tolower (![HTTP::header exists "captchacode"]]) }
{ drop } }

Looking forward to hearing from you.

Regards,

Muhannad


Hello,

I think it is not working because you are looking for a header called "CaptchaCode" in the iRule, and this is a header's value, not a header name.

Thanks Mohamed,

Is there any way to match the header value in the iRule?

Regards,

Muhannad

Hello Muhannad,

Please find the link below for checking a header's value:

https://community.f5.com/t5/technical-forum/using-if-http-header-value-content-type-contains-quot-te...

Thanks,

whisperer
Cumulonimbus

A few issues here:

- Your test URL /test/test1 does not match the HTTP uri comparison "/insertandpostcustomerticket" in the iRule.

- I don't see a CaptchaCode HTTP header in your test.

Once you fix the test, and we know exactly what you are trying to accomplish, and that in fact you are getting the right Headers from the client, then we can work on the iRule 🙂

Thanks for your response.

- Your test URL /test/test1 does not match the HTTP uri comparison "/insertandpostcustomerticket" in the iRule.

Sorry, it is a typo on my side; it is:

when HTTP_REQUEST {
if {([string tolower [HTTP::uri]] contains "/test1") && ([string tolower (![HTTP::header exists "captchacode"]]) }
{ drop } }

- I don't see a CaptchaCode HTTP header in your test:

It is not in the header; I think it is the content value in the Content-Disposition:

------WebKitFormBoundarymLZWar1odHH1fIF1 Content-Disposition: form-data; name="CaptchaCode"

Regards,

Muhannad

Thanks for the additional information. So you want to look into the Content-Type header. This should work for you, I think:

when HTTP_REQUEST {
  if {([string tolower [HTTP::uri]] contains "/test1") && (!([HTTP::header "Content-Type"] contains "CaptchaCode"))} {
    drop
  }
}

I've been trying to reply but it doesn't accept my syntax -- posting empty message to be edited. 

[EDIT]
Since the request is multipart, you won't see the name="CaptchaCode" in the HTTP Content-Type header, but in the first boundary instead.

This means that the iRule should inspect the name in the Content-Disposition header of each part (boundary) of the multipart request. This requires you to collect data!

I've scripted some code below that should do the trick: 

when HTTP_REQUEST {
  # Only POSTs to the captcha-protected path that carry a multipart body are inspected;
  # everything else is passed through untouched.
  if { [HTTP::method] eq "POST" && [HTTP::path] eq "/test/test1" && [HTTP::header exists "Content-Type"] } {
    if { [string tolower [HTTP::header "Content-Type"]] starts_with "multipart/form-data" } {
      # Buffer the request body so HTTP_REQUEST_DATA can look at the parts
      HTTP::collect
    } else {
      return
    }
  }
}
when HTTP_REQUEST_DATA {
  # name="CaptchaCode" is in a part's Content-Disposition inside the body, not in a request header
  set data [HTTP::payload]
  if { $data contains "name=\"CaptchaCode\"" } {
    # log local0. "Legitimate request"
    HTTP::release
  } else {
    drop
  }
}

For further reference, have a look at @nagi's HTTP Multipart and Security Implications article, it's some good stuff.
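An added example, not from the thread or from F5, written in Python rather than Tcl so it can be run offline: it does the job the HTTP_REQUEST_DATA handler above does, but by parsing the multipart body part by part and reading each part's Content-Disposition name instead of substring-matching the whole payload (a bare `contains` check would also be satisfied by that text appearing inside some other field's value). The sample request is constructed from the thread's boundary string; the field values are made up.

```python
import re

# Constructed sample modelled on the thread's request: boundary from the post, values made up.
BOUNDARY = "----WebKitFormBoundarymLZWar1odHH1fIF1"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="CaptchaCode"\r\n\r\nT1QW\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="__RequestVerificationToken"\r\n\r\n'
    "TOKEN-PLACEHOLDER\r\n"
    f"--{BOUNDARY}--\r\n"
)

def boundary_from_content_type(content_type):
    """Boundary parameter of a multipart/form-data Content-Type, or None if not multipart."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    m = re.search(r';\s*boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    return m.group(1) if m else None

def part_names(content_type, body):
    """Field names taken from each part's own Content-Disposition header.
    The name= parameter lives here, in the body, not in the request's Content-Type header."""
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return []
    names = []
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if part in ("", "--"):          # preamble before the first delimiter / closing delimiter
            continue
        headers, _, _value = part.partition("\r\n\r\n")   # the value is never inspected
        for line in headers.split("\r\n"):
            key, _, val = line.partition(":")
            if key.strip().lower() == "content-disposition":
                m = re.search(r';\s*name="([^"]*)"', val)
                if m:
                    names.append(m.group(1))
    return names

def should_drop(path, content_type, body):
    """Same decision the iRule makes: only multipart POSTs to /test/test1 are inspected,
    and they are dropped when no part is named CaptchaCode."""
    if path != "/test/test1" or boundary_from_content_type(content_type) is None:
        return False
    return "CaptchaCode" not in part_names(content_type, body)
```

Note that, exactly like the iRule, a non-multipart POST to the same path is not inspected at all; whether that is acceptable depends on whether the application accepts the form in any other encoding.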

Dear CA_Valli,

Thanks for the information, it is really appreciated.

I haven't had the chance to test yet because this is a production environment and it's not easy to get approvals for testing; I will update you about the results once I get the approvals.

Regards,

Muhannad