26-Aug-2021 21:30
Hello Mates,
I am glad to be part of such a great community. From the responses to my last question, I have learnt a few new things. Today also, I have one query!
A few of our hosted URLs are affected by a host header injection vulnerability. Now I know it can be easily mitigated using WAF. But a few of our F5 nodes have only the LTM module. Is there any way to mitigate this vulnerability on the LTM module?
26-Aug-2021 21:37 - last edited on 04-Jun-2023 19:19 by JimmyPackets
Hi,
Yes, you can mitigate it (or restrict access to URLs using allowed domains) using iRules also, where you will allow requests coming for a specific domain/URL only. Below is a sample iRule that allows all the requests coming for *.abc.com and *.xyz.com domains.
Now here you can mention specific FQDNs as well, e.g. mysite.abc.com or mysite.xyz.com. So it's up to you how you want to have your iRule. Additionally, I have added statements to log the requests. This will give you visibility into the dropped requests as well.
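when HTTP_REQUEST {
    # Allow the request only when the Host header matches a permitted domain
    if { ([HTTP::host] contains "abc.com") ||
         ([HTTP::host] contains "xyz.com") } {
        log local0. "Allowed Hostname:[HTTP::host]"
    } else {
        # Drop everything else and log the rejected hostname
        drop
        log local0. "Invalid hostname: [HTTP::host]"
    }
}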
Hope it helps!
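A stricter form of the same allow-list check, added here as an example and not the iRule posted in the thread: `contains` accepts any Host value that has the string anywhere in it, so this version normalizes the header and compares it exactly or by dotted suffix. It assumes the thread's sample domains abc.com and xyz.com and a virtual server with an HTTP profile attached.

```tcl
when HTTP_REQUEST {
    # Normalize the Host header: lowercase, remove an optional :port and a
    # trailing dot, so "MySite.ABC.com:443" compares as "mysite.abc.com".
    set host [string trimright [string tolower [getfield [HTTP::host] ":" 1]] "."]

    # abc.com and xyz.com are the sample domains from the thread (placeholders).
    # "equals" matches the bare domain; "ends_with" with a leading dot matches
    # real subdomains only. A host that merely contains the string, or an
    # empty Host header, fails every comparison and is refused.
    if { !(($host equals "abc.com") || ($host ends_with ".abc.com") ||
           ($host equals "xyz.com") || ($host ends_with ".xyz.com")) } {
        log local0. "Invalid hostname: [HTTP::host] from [IP::client_addr]"
        drop
        return
    }
}
```

To allow only specific FQDNs, replace the `ends_with` comparisons with `equals` tests against each full hostname.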
26-Aug-2021 22:21
I really appreciate your quick response on this. I will try this iRule in my test environment and update you. Just one query: where will the logged requests be available to verify?
26-Aug-2021 22:57
You should see logged hostnames at path - /var/log under ltm files.
27-Aug-2021 02:54
I tested the iRule functionality in my test environment and it’s working as expected. It allows only requests coming for the specified domain. Thanks, Mate, for your help here! Appreciate it.
08-Dec-2021 23:27
Hi, the above iRule worked as expected under the LAB setup. Now when I am trying the same on our prod environment for one of the sites, it's not working. Nothing is available in the logs either. Can you please help with what could be the issue?
08-Dec-2021 23:55 - last edited on 24-Mar-2022 01:20 by li-migration
Hey,
Can you please confirm whether the above-mentioned prod URL is hosted on a secure port? And if yes, is SSL terminated on the F5 for this?
09-Dec-2021 01:08
Aah, I got your point. I will verify the current SSL configuration on the virtual server and update you.
09-Dec-2021 04:04
I got your point, Mayur. Unless SSL is terminated on the F5 virtual server, F5 can’t understand the request as it will be encrypted. And that is the reason it's not working for our prod site, as SSL is not managed on F5. Thanks for pointing out that query, which actually solved my problem.
09-Dec-2021 04:28 - last edited on 24-Mar-2022 01:20 by li-migration
That's what I was expecting here. You got it right! Cheers.