BIG-IP : variable value in case set fails
f5 BIG-IP LTM VE v11.4.0 on ESXi tcl does not have a concept of null nil undefined So what value do variables assume in the case where the set operation fails to retrieve a value ? set param1 [URI::query [HTTP::uri] param1 ] What is param1 value for case where "param1=xxx" not present in query-string ? set cookie1 [HTTP::cookie value "cookie1"] What's cookie1 value for case where request doesn't contain cookie "cookie1" ?
[ASM] Rise "Check maximum number of parameters" for specific applications parameters in ASM
Hello, In F5 BigBip, it is possible to increase the "maximum number of parameters" limit but this will apply to all application parameters. I would like to know if it was possible to increase the "maximum number of parameters" limit only for a specific list of application's parameters ? Cordially
WAF Attack Signature Level
Hi, I have a specific URL defined in the ASM Allowed URLs ("/path01/page.aspx" for our example), which has "Check attack signatures" checked. In the Parameters we have only Wildcard with Ignore Value set. We found this melicious attempt request wasn't detected: /path01/page.aspx?a=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&b=UNION+SELECT+ALL+FROM+information_schema+AND+%27+or+SLEEP%285%29+or+%27&c=..%2F..%2F..%2F..%2Fetc%2Fpasswd which decodes to this: /path01/page.aspx?a=<script>alert("XSS");</script>&b=UNION SELECT ALL FROM information_schema AND ' or SLEEP(5) or '&c=../../../../etc/passwd So I understand the melicious code is in the parameter context, so it's not checked due to the wildcard settings. But on the other hand, under the specific URL context, there are several "XSS (parameters)" signatures enabled. Doesn't that mean that under that specific URL it should check for XSS in parameters signatures? ThanksHow can I remove a query parameter from a URL?
I'm trying to remove a query parameter from a URL, and I'm stuck... Basically, I may have 0-n parameters appended to a querystring. They will all have a similar name, starting with "Context_", e.g. "Context_Site", "Context_Device_Type", "Context_Platform". My original plan was to remove the parameters using the following code (which I got from another question on this forum that I can no longer find.: when HTTP_REQUEST { if {[HTTP::query] contains "Context_"} { set newq "" Split query string into separate parameters foreach param [split HTTP::query] "&"] { Only add non-context query parms into newq if {!($param starts with "Context_")} { if {$newq eq ""} { append newq "?$param" } else { append newq "&$param" } } Add new query portion to path if {$newq ne ""} { HTTP::uri "[HTTP::path]$newq" } else { HTTP::uri [HTTP::path] } } } } The thing is, when I try to run this in Tcl for Windows (Tcl 8.5.8, Tk 8.5.8), I get an "invalid bareword" error for the "contains" in the second line: invalid bareword "contains" in expression "[HTTP::query] _@_contains "Context_..."; should be "$contains" or "{contains}" or "contains(...)" or ... I think the syntax is correct, so is this due to a problem with the version of Tcl I'm using? Also, on a related note (and I can ask this as a separate question if it makes sense), if I know that the Context_ parameter(s) will be the last parameter(s) in the URL, is there a better/faster way to remove them than to parse out the querystring into its individual parameters and check each one in turn? For instance, could I just search for the first instance of "&Context_"in HTTP::query and just strip out everything from that point on (also checking for HTTP:query starts with "Context_", I guess).
F5 ASM learning new parameters while being in blocking mode.
Hi, I have my ASM protecting many web applications. The problem is that some of the applications/websites, don´t have that much traffic, but some of the websites have a lot of Forms etc. Since the traffic is not to much, it didn´t learned all of the parameters of the website while it was on transparent mode, and even some of the parameters learned don´t have all the meta characters allowed. Question 1: If i disable the value meta character on the parameter itself, does it still block attacks like XSS, SQLi etc? Question 2: Is there a way to have my policies in block mode, but do not block new parameters that are added by developers as an example, and then accessed by users? Question 3: Do you guys keep the Wildcard * parameter in blocking state or leave it in staging ? Question 4: When policy is in automatic, i detected that if a parameter in the website that should allow alpha-numeric values, if it gets a lot of hits by users that just post numeric values ( lets say username) the policy change the parameter data type to integer itself, and after that if some user as a username that have letters in it, will get blocked. What is the better way to get over this. Manual (extensive work checking all the policies every day) or automatic ( some things stop working after some time so have to correct it mannually), or is there and alternative in the Learning and blocking settings that allow to loosen the policy keeping it secure and manageable?
irule to limit parameter and it's values on certain URL
Hi, I need help with an iRule for the following situation - This specific ASM policy has no URL limits (set to WC), but there is a certain URL that we need to have enabled only for the following situation - a single parameter with two values. I need to disable all other options for this URL - i.e., to disallow all other parameters and for that specific parameter to enable only these two values. I have a prepared ASM violation that I want to raise for this particular event. Any ideas? Thanks :-D VeredGTM to Splunk
Hi Everyone, We have a requirement where in we need to send GTM Logs/Statistics to our Splunk logging server. May we know what parameters can be pulled from the GTM Logs/Statistics that we can send to the Splunk? An example is which WIP uses the most bandwidth or the trend of the ISP Bandwidth usage to determine the time/day the peak is reached. our F5 DNS is running on 13.1.0.4 software version if possible, how can we implement this in our GTM and Splunk? Hope someone can give us an article. Thank you.
Mandatory parameter on a URL
I want to set up a URL parameter so that it is mandatory that the parameter get sent along with that URL. In looking at the parameter setup I don't see where to do that, but in the XML of the policy I do see a tag false and that would seem to be what I am looking for. I can just try and modify the XML directly but I would like to know how to do in the GUI as well.parameter being stripped
I have a rewrite rule in place that is working correctly however they are asking that the parameter be passed through as well which is making it through in the URL bar but not to the webpage that is looking for that parameter. It works fine going directly to the webserver so the F5 is stripping it somehow. Any thoughts would be much appreciated. http://mydomain.local/OA_HTML/thisisatestGenerate.jsp?test=123 https://mydomain.com/abc/thisisatestGenerate?test=123 Current iRule when HTTP_REQUEST { if { [HTTP::uri] starts_with "/abc/generate" } { HTTP::header replace Host "mydomain.local" HTTP::uri "/OA_HTML/thisisatestGenerate.jsp" } if { [HTTP::uri] starts_with "/abc/validate" } { HTTP::header replace Host "mydomain.local" HTTP::uri "/OA_HTML/thisisatestValidate.jsp" }