ASM - Block GET requests on a specific URL

Hello,

I'm trying hard to block GET request on a specific URL with the ASM module. This URL has to allow only POST request and I saw that GET / POST request are allowed by default in the methods section without ability to modify this behavior.

Do you have an idea how I could perform that? (through ASM or an iRule?)

Thanks a lot for your help.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

1 - Creating a new User-defined ASM violation

Security > Options > Application Security > Advanced Configuration > Violations List > User Defined Violations (tab); Select "Create New User-Defined Violation"

Sample Field Values (adjust as needed):
Name "VIOLATION_FORBIDDEN_GET_PATH"
Title "GET Request to a restricted path"
Type "Access Violation"
Severity "Alert"
Attack Type "Abuse of Functionality"
Description (leave empty)

2 - Go to Blocking Settings

Select Block for your new custom violation (or Alarm, if you want to transparently test)

3 - Creating an iRule

The sample below covers the simplest use case, a single path. In case of 10 or more paths, using an LTM data group entry match or a switch statement would be a better option.

when HTTP_REQUEST {
  # Reset on every request; the variable persists across requests on a keep-alive connection
  set reqBlock 0
  # Lower-case the path so the comparison is case-insensitive
  if {([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] equals "/mypath/index.aspx")}{
    set reqBlock 1
  }
}
when ASM_REQUEST_DONE {
  # Raise the user-defined violation so ASM returns its blocking page
  if { $reqBlock == 1} {
    ASM::raise VIOLATION_FORBIDDEN_GET_PATH
  }
}
Comments on this Answer
Comment made 10-Dec-2015 by Stanislas Piron
Hi, nice solution! Is it possible to check HTTP method and HTTP path in ASM_REQUEST_DONE event?
Comment made 10-Dec-2015 by Hannes Rapp

Worth a try, but I'd expect a TCL error to occur. At least in case of 11.3, this was not possible. Perhaps a newer version already supports common HTTP_REQUEST functions to be called in ASM_REQUEST_DONE event.

Comment made 28-Dec-2016 by Bharat Merja

Hi, I used the same approach in my iRule as follows, but I am not able to get the ASM_REQUEST_DONE event triggered.


when HTTP_REQUEST {
  set reqBlock 0
  if {([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] starts_with "/home/")}{
    set reqBlock 1
    log local0. "now reqBlock = $reqBlock"
  }
}

when ASM_REQUEST_DONE {
  log local0. "ASM_REQUEST_DONE triggered"
  if { $reqBlock == 1 } {
    ASM::raise BLOCK_PATH_ACCESS
    log local0. "ASM have raised BLOCK_PATH_ACCESS"
  }
}

I don't know the reason. I have tried the same on 11.6.x and 12.1.1 with the same results: I am not able to get the log "ASM_REQUEST_DONE triggered".

Comment made 28-Dec-2016 by Stanislas Piron

Hi,

You must enable "Trigger ASM iRule events" on the ASM policy (Security / Policy / Your Policy / Advanced view).

Comment made 03-Jan-2017 by Bharat Merja

Hi,

Thanks a million, it works.

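As an added example (not the iRule from the answer above and not F5-supplied code), this is the data-group variant that step 3 mentions for longer path lists, with the "Trigger ASM iRule Events" prerequisite from the comments built in. It assumes a hypothetical String data group named dg_post_only_paths and the VIOLATION_FORBIDDEN_GET_PATH violation created in step 1:

```tcl
# Added example, not the answer's own iRule. Assumptions (hypothetical names):
#  - a String data group "dg_post_only_paths" (Local Traffic > iRules >
#    Data Group List) whose records are lower-case path prefixes that must
#    not be fetched with GET, e.g. /mypath/index.aspx and /account/upload/
#  - the user-defined violation VIOLATION_FORBIDDEN_GET_PATH from step 1,
#    set to Block (or Alarm for a transparent test) in step 2
#  - "Trigger ASM iRule Events" enabled on the ASM policy; without it
#    ASM_REQUEST_DONE never fires, as the comments on this answer found
when HTTP_REQUEST {
    # Reset on every request: the variable lives for the whole TCP connection,
    # so a stale 1 from an earlier GET must not block a later POST on the
    # same keep-alive connection.
    set reqBlock 0
    set path [string tolower [HTTP::path]]
    # HTTP::path excludes the query string, so "?a=b" cannot bypass the match
    # (a plain "equals" on HTTP::uri would). class match looks the prefix up
    # in the data group; a switch -glob block is the alternative for a short,
    # static list kept inside the iRule itself.
    if { ([HTTP::method] equals "GET") and [class match $path starts_with dg_post_only_paths] } {
        set reqBlock 1
        # Log regardless of the blocking setting so the attempt is visible
        # in local0 even while the violation is only set to Alarm.
        log local0. "GET to POST-only path $path from [IP::client_addr]"
    }
}
when ASM_REQUEST_DONE {
    # Raising the violation here, rather than dropping in HTTP_REQUEST, gives
    # the client the regular ASM blocking page with its support ID and puts
    # the event in the ASM request log.
    if { [info exists reqBlock] && $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
    }
}
```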

The "Allowed Methods" entity covers the policy as a whole. As far as I'm aware, no such granularity exists to have exceptions per Path, or per URI. This alone is a show-stopper, not to mention the hacks you need to implement to prohibit GET method in ASM. To achieve what you requested, your best bet is to use an iRule.

It would be the easiest solution to drop or reject a request in LTM. A slightly harder solution would be raising a user-defined violation that you define in ASM. This way your users will see the typical ASM blocking page in response. You will still need to use an iRule to raise the violation itself.

Let us know if any help with iRule is needed.


Thank you for your answer!

I assume that with LTM the iRule will look like this:

when HTTP_REQUEST {
  # Note: HTTP::uri includes the query string, so a request with "?x=1" appended would not match;
  # HTTP::path compares the path alone
  if {([HTTP::method] equals "GET") and ([HTTP::uri] equals "/mypath/index.aspx")}{
    drop
  }
}

But I'm new to the ASM module. I'm not sure how to implement the iRule to get an ASM blocking response page...

Comments on this Answer
Comment made 07-Dec-2015 by Hannes Rapp
Sure, I've added a reference which shows you how to do the same with a custom violation.

Thanks a lot! I understand the iRule and the way you create the user-defined violation. It could be helpful for my next ASM deployment.

Currently, I don't understand why I don't see the ASM violation when I make a GET request on the URI. I'm troubleshooting that. I didn't forget to enable BLOCK mode for this new violation...


Hello,

I'm trying to make this iRule work, but I saw in the stats that there is no execution for the ASM_REQUEST_DONE part:

ASM_POST    Maquette    ASM_REQUEST_DONE    0   0   0
ASM_POST    Maquette    HTTP_REQUEST        78  0   0

What's wrong?

Thank you for your help.


I can answer myself, after troubleshooting with several "log local0." statements in the iRule :)

The ASM part didn't work simply because I hadn't enabled the "Trigger ASM iRule Events" option in my ASM policy --> https://devcentral.f5.com/questions/where-in-f5-asm-do-i-enable-the-trigger-asm-irule-event-setting

Thanks for your help.

See you soon.
