
iRule for blocking HTTP smuggling

Hello,
Would anyone have an iRule config or template that can block "HTTP request smuggling" or HRS... or possibly point me in the direction to create one for an LTM running 9.x code?

thanks

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi,


http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=57134&view=topic

is there a way to modify that script with an "and" statement to scan the incoming headers and detect (1) if there are multiple Content-Length headers, or (2) if a Content-Length header does not have a length specified?


Sure, you can use [HTTP::header count "Content-Length"] and [HTTP::header value "Content-Length"] for this.

when HTTP_REQUEST {
    # Check if there is more than one Content-Length header
    if { [HTTP::header count "Content-Length"] > 1 } {
        # Reset the connection
        reject
        # Stop processing this event in this iRule
        return
    }

    # If the rule is still running, check if the Content-Length header exists
    # and has a value less than or equal to 0 (an empty value is compared as a
    # string by Tcl and also fails this test)
    if { [HTTP::header exists "Content-Length"] && [HTTP::header value "Content-Length"] <= 0 } {
        # Reset the connection
        reject
    }
}


Note that IE sets a Content-Length header with a value of 0 when performing NTLM authentication, so this iRule could incorrectly reset valid requests. Make sure to test it before using it.

Aaron
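As an added example (not code from this thread or from F5), the same two checks the iRule above performs can be written against a raw HTTP/1.1 request in Python, which is handy for unit-testing the rule logic in a lab before loading it on an LTM. The parser keeps duplicate headers in order so the count mirrors [HTTP::header count], and it goes one step beyond the thread by also flagging a request that carries both Content-Length and Transfer-Encoding, since two parsers can frame such a request differently. The function names, the reject_zero option and all sample requests below are constructed for this example.

```python
"""Content-Length framing checks, modelled on the accepted iRule in this thread.

Added example, not F5 code. Parses the header block of a raw HTTP/1.1 request
and returns the reasons a defender would reject it. Sample requests are
constructed for the test cases at the bottom.
"""

CRLF = "\r\n"


def parse_headers(raw):
    """Return (request_line, [(name, value), ...]) for a raw request.

    Header names are lower-cased and values stripped. Duplicate headers are
    kept in order so the caller can count them, like [HTTP::header count].
    """
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def header_values(headers, name):
    """All values for a header name, case-insensitively, in arrival order."""
    return [v for n, v in headers if n == name.lower()]


def check_request(raw, reject_zero=False):
    """Return a list of reject reasons; an empty list means the request is OK.

    reject_zero=True reproduces the iRule's "<= 0" test exactly. It defaults
    to False because, as the thread notes, IE sends Content-Length: 0 during
    NTLM authentication and rejecting it breaks valid requests.
    """
    _, headers = parse_headers(raw)
    reasons = []
    cl_values = header_values(headers, "content-length")

    # Check 1 (iRule): more than one Content-Length header.
    if len(cl_values) > 1:
        reasons.append("multiple Content-Length headers")
    # Check 2 (iRule): Content-Length present but without a usable length.
    elif len(cl_values) == 1:
        v = cl_values[0]
        if v == "":
            reasons.append("Content-Length present but empty")
        elif not v.isdigit():
            reasons.append("Content-Length not a non-negative integer: %r" % v)
        elif reject_zero and int(v) == 0:
            reasons.append("Content-Length is zero")

    # Beyond the thread: Content-Length together with Transfer-Encoding is
    # the classic ambiguous-framing case, so flag it as well.
    if cl_values and header_values(headers, "transfer-encoding"):
        reasons.append("both Content-Length and Transfer-Encoding present")
    return reasons


# Constructed sample requests (example.test is a reserved test domain).
OK_REQUEST = "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUPLICATE_CL = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\n"
EMPTY_CL = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length:\r\n\r\n"
NEGATIVE_CL = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: -1\r\n\r\n"
ZERO_CL = "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
CL_AND_TE = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("ok", OK_REQUEST), ("duplicate", DUPLICATE_CL),
                       ("empty", EMPTY_CL), ("negative", NEGATIVE_CL),
                       ("zero", ZERO_CL), ("cl+te", CL_AND_TE)]:
        print("%-10s %s" % (label, check_request(req) or "accept"))
```

Running the file prints one line per sample; only the "ok" and "zero" requests are accepted with the default settings, and passing reject_zero=True makes the zero case behave like the posted iRule.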
Is this approach valid for versions prior to 9.4.0? The HTTP_header page in the wiki implies that multiple instances of a named header only get counted more than once in 9.4.0 and above.
Sorry, I didn't realize the HTTP::header count behavior changed in 9.4.0. I thought it worked as expected in older versions. Can you try testing this to check if it doesn't return 2 for two of the same headers?

You can use curl to send a request with two header names:

$ curl -v -H "Header1: value1" -H "Header1: value2" google.com
* About to connect() to google.com port 80 (#0)
* Trying 74.125.67.100... connected
* Connected to google.com (74.125.67.100) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.16.3 (i686-pc-cygwin) libcurl/7.16.3 OpenSSL/0.9.8k zlib/1.2.3 libssh2/0.15-CVS
> Host: google.com
> Accept: */*
> Header1: value1
> Header1: value2

You could also use a Firefox browser plugin like TamperData to test this.

Aaron
Thanks Aaron, let me give that a try today in the lab.

Chris