Forum Discussion

Altocumulus

Jan 03, 2020

irule to reject user defined headers

Hi , We have an issue after enabled X-forwarded-for in f5. Dev found a vulnerability thats users allowed able to put code injection by manipulating http headers.May I know if there is any irul...

Cumulonimbus

So if I understand correctly, you enable "Instert X-Forwarded-For" in the HTTP profile assigned to your VS, and you do not want the external users to be able to manipulate this header. Please correct me if not.

If this is the case, then you can just delete the X-Forwarded-For header received from the clients, and let F5 add the heder with the HTTP profile

when HTTP_REQUEST {
    HTTP::header remove X-Forwarded-For
}

The side effect of this is that you may not get the client real IP address.

Yoann

bjorg235

Altocumulus

Jan 03, 2020

Hi Yoann,

As per our design, we need to use SNAT.We should also want client IP shown for audit. Hence we enabled this X-forwarded-for header via http profile very recently.After that , we are seeing this vulnerability of code injection in the headers.

Forum Discussion

irule to reject user defined headers

Recent Discussions

Find GSLB pool membership from vip IP

Pool Members communication with B-party via F5 VIP

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Related Content

Re: F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP header

Security headers

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing

irule reject request when payload field is null

Log Http Headers