F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Dave_Pisarek's avatar
Dave_Pisarek
Icon for Cirrus rankCirrus
May 19, 2021

XFF and sleep

Recently I was asked about mitigating the below XFF header:   X-Forwarded-For: (select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/   ...
ASM Advanced WAF
BIG-IP
security
JRahm's avatar
JRahm
Icon for Admin rankAdmin
May 24, 2021

If you don't have ASM/Advanced WAF and would like to do this in an iRule, you could do a check to make sure the value(s) are at least numeric and then act accordingly on finding something else. For example:

% set x (select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/
(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/
% foreach ip $x {
  if { [string is integer [lindex [split $ip "."] 0]] } {
    puts "header ok"
  } else { puts "header not ok" }
 
 
}
header not ok
% set x 1.2.3.4
1.2.3.4
% foreach ip $x {
  if { [string is integer [lindex [split $ip "."] 0]] } {
    puts "header ok"
  } else { puts "header not ok" }
 
 
}
header ok

Note that this is very rudimentary to show what's possible. If you want to verify actual valid IP addresses in the header, far more logic is required.