Forum Discussion

Nimbostratus

Dec 16, 2008

Irule for restriciting URL paths unsecure

I currenlty use an irule that I use to restrict traffic to certain paths:- when HTTP_REQUEST { if {([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([ma...

Cirrostratus

Dec 19, 2008

You could use regsub to handle multiple slashes (regsub -all /+ [HTTP::uri] result), but there are quite a few other techniques attackers could use to obfuscate the URI to bypass any blacklist.

Another example is using backslashes instead of forward slashes. IE and IIS accept this. Attackers can also break up the URI using periods for current directory and previous directory:

http://www.microsoft.com/en/us/../us/default.aspx and http://www.microsoft.com/en/us/./default.aspx for http://www.microsoft.com/en/us/default.aspx

There are also different ways to encode the characters in the URI. Here is a PDF I found which describes these and other obfuscation methods (Click here)

Trying to handle every attack method in an iRule is going to be a losing battle. If you're able to use a whitelist you'd be in a much better position.

Aaron

Forum Discussion

Irule for restriciting URL paths unsecure

Recent Discussions

GCP F5 deployment - Active -Active with config Sync

Deleting Old Certs

BUG Query

GSLB - Monitoring LTM VIP load balancing via iRule

Hybrid Exchange traffic and Starttls

Related Content

serverssl-insecure-compatible for unsecure ports

iRULE regsub error

owa iapp assign irule

Irule Trigger two times

iRule assistance for subfolder redirect