Forum Discussion

tub91's avatar
tub91
Icon for Cirrus rankCirrus
Jan 09, 2023
Solved

WAF - Allow uploads of only files with certain extensions and block all other file uploads

Hi team,

We need to make some blocks with our WAF on ASM because this block cannot be made on the application side.

We have two web pages on the Internet that allow our customers to fill out a web form and upload some attachments.

Attachment upload is not a mandatory field.

The only file extensions we would like to allow are the following: .jpg,.jpeg,.tiff,.tif,.pdf,.doc,.docx,.xls,.xlsx,.csv

For all other possible extensions we would like the WAF to block the POST call

We initially tried following this article: https://support.f5.com/csp/article/K69153854
This article did not allow us to solve our problem because with the File Types we understood that we can only block requests to certain file types but not prevent their upload


With this article (https://support.f5.com/csp/article/K64356849) we have seen that it is possible to block files containing binary executable content but it would not allow us to block for example the .txt extension

We also tried this article (https://support.f5.com/csp/article/K78925560) but it didn't work. It appears that this feature applies up to version 13.x. Our version is 15.1.5.1

How can we proceed to block the upload of files with disallowed extensions?

Also, would ASM be able to detect the real extension of a file? For example, if I create a file "test.txt" (which needs to be locked) and change the extension to "test.pdf" what would happen? Will the file be locked or not?

Below is a portion of the POST call used to upload files

 

POST /URI/ HTTP/1.1
Host: xxx.xxx.xxx
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://xxx.xxx.xxx/URI
Content-Type: multipart/form-data; boundary=---------------------------324342428322538423523377594017
Content-Length: 3763
Origin: https://xxx.xxx.xxx
Connection: keep-alive
Cookie: 
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-Forwarded-For: 

-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="Nome"

mario
-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="Email"

mmtest@test.it
-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="Allegati_0"; filename="test.txt"
Content-Type: text/plain

-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="Allegati_0_val"


-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="Allegati_1"; filename=""
Content-Type: application/octet-stream


-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="Allegati_1_val"

-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="btnNext"

Conferma
-----------------------------324342428322538423523377594017
Content-Disposition: form-data; name="HaveDatat1"

1
-----------------------------324342428322538423523377594017--

Thanks

  • Hi tub91 , 
    Just to add somthing : 
    > let all learnt filetypes as it is , and do not delete them even if they are in a wildcard form or even specific filetypes for your application , this is for the stability of your application at all and this restriction should be applied on parameter level. 

    > Another point : 
    you should define 2 parameter in this ASM policy , Parameter with data type "file upload" and the other with "Alpha Numeric ". 
    Let me explain more : 
    you should have a parameter_1 needs to upload file on it’s like a container and this parameter should use (Data type = File upload) , and the other parameter should be triggered when you click "Button upload" let we call it Parameter_2 and you should define this parameter as ( an Alpha Numeric Data type ) With the Regular expression (ReGex) that I sent in the last reply. 

    Please check the below snap shots from my Lab : 

    - you can see " choose file Button " which defined as " filename " parameter in F5 ASM learning suggestions , and "select the image you want to uplaod" which defined as "userfile" Parameter in F5 Learning suggestion. 
    In " Filename " I should create it as ( type = user input value parameter , Data type = Alpha numeric , and add the Regex that I send before in last reply ) . 

    In "userfile" I should create it ( type = user input value , Data type = File upload ) 

    > I hope this helps you. 

     

5 Replies

  • Hi tub91 , 
    > When you added these "  .jpg,.jpeg,.tiff,.tif,.pdf,.doc,.docx,.xls,.xlsx,.csv " as allowed file types , did you removed Wildcard "*" entity from filetype configuration page. 
    Also make sure to enforce your allowed entities after removing "wildcard". 
    After that go to " Learning and blocking settings "

    and  choose filetypes and put a check mark in block box beside " illegal file type " 

    - Any request contains other file type instead of these "  .jpg,.jpeg,.tiff,.tif,.pdf,.doc,.docx,.xls,.xlsx,.csv " should be blocked. 

    > you asked about "test.txt" and "test.pdf" 
    - "test.txt" will be blocked because you did not define ".txt" as allowed filetype entity.

    - "test.pdf" will be allowed because you defined ".pdf" entity in allowed filetype entities. 

    • tub91's avatar
      tub91
      Icon for Cirrus rankCirrus

      Hi Mohamed_Ahmed_Kansoh 

      We have performed all the steps you indicated but we have not clicked on "enforce" after the removal of the wildcard, we have only saved and applied the policy.

      After this change, however, it was not possible to load any page of the site because all the files loaded within the page were seen as FileType Illegal.

      We therefore hypothesized that the FileTypes in that configuration can only be used to select which TypeFiles can be accessed on the website (the problem is that this impacts both GET calls and therefore download calls and POST calls for uploads)

      • tub91 , 
        Okay , 
        I suggest to identify the Parameter which you are using to upload files , and create it as an explicit parameter and use Regular Expression to restrict filetypes uploads only with this parameter : 

         

        Use this Regular expression , I hope it works well :

        (?i)\.(pdf|doc|csv|xls|xlsx|jpg|jpeg|tiff|tif|csv|docx)

         > you should delete all filetypes you have created before , and enforce the new parameter 
        ant try to test , 
        do not forget to check mark block box in illiegal parameter and illegal  parameter numeric value and so on. 
        you can check all of " Alarm" Check boxes regarding " Parameters settings " to see which setting match your condition when violating the new parameter. 

        > I do not understand what you mean with GET and POST , my configuration are far from http methods.