Forum Discussion
hooleylist
Dec 19, 2008Cirrostratus
You could use regsub to handle multiple slashes (regsub -all /+ [HTTP::uri] result), but there are quite a few other techniques attackers could use to obfuscate the URI to bypass any blacklist.
Another example is using backslashes instead of forward slashes. IE and IIS accept this. Attackers can also break up the URI using periods for current directory and previous directory:
http://www.microsoft.com/en/us/../us/default.aspx and http://www.microsoft.com/en/us/./default.aspx for http://www.microsoft.com/en/us/default.aspx
There are also different ways to encode the characters in the URI. Here is a PDF I found which describes these and other obfuscation methods (Click here)
Trying to handle every attack method in an iRule is going to be a losing battle. If you're able to use a whitelist you'd be in a much better position.
Aaron