Open Redirection Mitigation

Hello, ASM has a feature to mitigate open redirection attacks when the redirect happens at the header level (i.e. with Location in the response). When the redirection is within the response payload, ASM does not block it. Do you guys know of any ASM configuration that may address this issue and mitigate this kind of attack? Thanks.

How to modify information in "meta http-equiv content" section in (response?) header?
Hi everyone. Thank you for taking time to read this post. I am writing this as a Question as the former thread seems to have dropped off the radar.

Basic issue: when a workstation uses a web browser to go to https://psc.company.com, they are receiving back https://backendnode1.company.com in the web browser URL field. We want this to show as "psc" instead of "backendnode1." Sounds like a simple case of an iRule. This hasn't worked (yet); tried a few dozen variations.

Reference previous discussion: https://devcentral.f5.com/questions/assistance-requested-with-https-response-redirect-vmware-platform-services-controller-48157comment33993

What follows is some simple troubleshooting and the results. I would appreciate your help in understanding those results and how to modify them (likely using a specific iRule). For brevity and clarity, the actual directory structure listed below is being abbreviated as /tmp.

Executed the following command in order to see what was going on under the hood:

```shell
curl https://psc.company.com --anyauth --cookie-jar /tmp/psc_cookies.txt --dump-header /tmp/psc_headerdump.txt --cacert /tmp/ca.crt --output /tmp/pscout.txt --trace /tmp/psc_trace.txt
```

The contents of pscout.txt:

1) Am I correct that it is the HTTP_RESPONSE that includes the information depicted by pscout.txt?
2) The "backendnode1" information is not in the Body of the response. It is my understanding that this means that a STREAM profile will not help. Correct?
3) How can the "meta http-equiv content" information be modified using an iRule? Would anyone please provide sample code for this function?

Thank you for any and all input.

John K. Weaver

Note: With help from F5, Access Policy Manager was used to resolve the issue, but the resulting "GUID" in the output is undesirable (instead of https://psc.company.com/websso, the output is something like https://psc.company.com/f5-thisisaverylongstringofgarbledinformation-muchlongerthanthis$$/websso). As such, we are going back to seeking a resolution without the use of APM.

Irule modify host, uri on response
Hello, the scenario is that we have a URL that needs to be translated to another URL. So this needs to be done at the request. And for the response the URL needs to be translated back to its original URL. For the request this works and this is how we have done this:

```tcl
when HTTP_REQUEST {
    # Only rewrite requests for the original hostname
    if { ([HTTP::host] equals "test.domain.be") } {
        set uris [HTTP::uri]
        # Prefix the lowercased URI with /test
        set newuri "/test[string range [string tolower [HTTP::uri]] 0 end]"
        HTTP::uri $newuri
        # Rewrite the Host header to the new domain
        HTTP::host "test.newdomain.be"
    }
}
```

So the user enters a URL, for example: test.domain.be/abc. We translate this into: test.newdomain.be/test/abc. So there is URI and host translation. How can we do this for the response? So everything we did here, but in reverse?

Unable to consistently send resets with irule using documented methods
I need to create an iRule that looks for the string "error" in the HTTP response, and if it is found sends a reset back to the client rather than the response with "error" that was analyzed by the F5. Based on the iRule documentation I thought it would work using the -reset flag during an HTTP::respond, but despite our F5 version supposedly supporting it, an error appears in the LTM log when the -reset flag is set and it does not function properly. When I used reject, it does sometimes send a reset as the response, but not always as expected. I can confirm that the if statements are being utilized due to the log entries, but none of the documented iRule solutions to send a reset seem to work as described in the documentation. Also, now with this redesign of DevCentral, it is significantly more difficult to use this site and find any relevant info or documentation about the topic. Does anyone know of a way to consistently get this reset to be sent when "error" is found in the response?

Unrelated, but I also found that there is a limit on the amount you are able to post in DevCentral questions; however, it does not limit you from entering as much as you want in the question text field, and the error you get is just a generic "please contact sysadmin" error, so you have to figure that out yourself. Seems like a lot about this site is broken, particularly after the new redesign.

Any experience with ASM policy affecting response stream (with no vulnerability/attack signature noted)?
Env: LTM 11.5.2, physical appliance (4200), no resource issues.

We are experiencing cases where the presence of an ASM security policy is affecting the response to clients, even though the event log shows the access involved as successful, with no attack signatures/violations noted, and even though the response log shows the response content body being sent back. It is demonstrably the security policy that's the cause, though: when the policy is removed from the virtual server, the issue goes away, and vice versa.

Casting a wide net: has anyone experienced anything similar, and what was the cause? Any tips on how to debug this (other than the obvious tcpdump capture, which we are pursuing)? Any hypotheses on a possible cause? If it helps, it may be related to the size of the response; there's a loose association, with bigger responses triggering it more often, we think. (Problem with chunked encoding? Hmm, may try a re-encode strategy.) Any thoughts appreciated, thx!

ASM - URL learning from responses
Hi, maybe it is obvious for ASM pros, but I was a bit surprised that ASM is presenting suggestions based on the HTML content of the response; at least it looks like that from my tests. What I can't understand is the logic used here (tested on 13.1.0.7, Comprehensive, manual learning, wildcard URL in staging defined).

Request from trusted source sends GET /errors/. There is no default file here, so a listing of the directory content is returned to the browser. In the response body all files are specified via . The code for every file is exactly the same.

Results in Traffic Learning: suggestions are created for the actual request URL as well as for all file-related URLs in the response body, except one. There is nothing special in the code for this file, so why is it not listed at all? It's not first
HSTS for Custom Response page
Hi, I have HSTS enabled on a number of sites via an iRule (I have also tried it on the HTTP profile); however, I have noticed that when the custom response page is triggered in ASM, the page does not have the HSTS header in the response. I understand that the F5 inserts the HSTS information on the response from the server as it passes through the F5 back to the client, but in this case the request never makes it to the server, though it does make it to the F5. The F5 blocks the request for any number of reasons defined in the policy and responds with the custom response page. While I do see the HSTS header when browsing the site, I do not see the HSTS header when the custom response page is served. Is it possible to enable HSTS for the custom response page? One of our apps requires a number of parameters to be passed to it in order to load. If a user browses directly to the domain, the custom response is served. As a result, SSL Labs scans do not detect HSTS.

Can I direct the ASM Violation Response to an API instead of direct to the Client?
Using either the ASM response pages or an iRule, is it possible to direct the response from the F5 to an API of my choice rather than replying directly to the client? This would allow the Dev to work with the response and serve the client crafted content. Thank you.

Using an iRule to respond with a 500 Internal Server Error message
Hi, we have a custom error page set up to serve a nice, neat error page when various violations are triggered; however, the JSON applications don't like this as they are not expecting HTML. What I would like to do is implement an iRule based on any identifiable data, such as a header, to respond with a 500 error. For the moment I am just working on the main idea of serving the 500 rather than the custom error; however, what I have is not working. If someone can review what I have below and let me know why this is ignored and the custom error continues to load, that would be awesome. Thank you.

```tcl
when HTTP_RESPONSE {
    # Match responses whose Connection header contains "close"
    if { [HTTP::header value Connection] contains "close" } {
        # Reply to the client with a plain 500 instead of the response body
        HTTP::respond 500 content "Internal Server Error"
    }
}
```