AltocumulusHi ,
We have an issue after enabled X-forwarded-for in f5. Dev found a vulnerability thats users allowed able to put code injection by manipulating http headers.May I know if there is any irule to avoid header manipulation. The vulnerability issues are yet to come. i am guessing it could be Clickjacking issues
Any help would be appreciated.
CumulonimbusHi
Understood. So the iRule I send should do the trick. You could also do the same thing with an LTM Policy if you prefer.
With this iRule :
The if the external users goes through a proxy, of course, the client IP address will be the proxy IP, not the real client IP behind the proxy. Is that enough ?
If not, then you will need to allow the header and check it's value...
Yoann
CumulonimbusHi,
If this helped, can you please mark it as answer ?
Thanks
CumulonimbusHi
So if I understand correctly, you enable "Instert X-Forwarded-For" in the HTTP profile assigned to your VS, and you do not want the external users to be able to manipulate this header. Please correct me if not.
If this is the case, then you can just delete the X-Forwarded-For header received from the clients, and let F5 add the heder with the HTTP profile
when HTTP_REQUEST {
HTTP::header remove X-Forwarded-For
}The side effect of this is that you may not get the client real IP address.
Yoann
AltocumulusHi Yoann,
As per our design, we need to use SNAT.We should also want client IP shown for audit. Hence we enabled this X-forwarded-for header via http profile very recently.After that , we are seeing this vulnerability of code injection in the headers.