
ASM block requests with modified readonly attribute values

Is there a way to block requests whose form was tampered with at the client side so that the value of a readonly HTML input element was set to a new value?

UPDATE:

We have an input field which has the readonly attribute set if the user is in a specific role, hence it is not editable for that user, but for users with a more privileged role it is possible to change that value.

<input type="text" name="display_active" maxlength="30" size="11" value="01.01.2017" readonly="readonly">

Sadly!!!, there's no further validation in place. We want to save the pain of implementing the missing validation layer for this quite old application. It would be a huge benefit to us if the ASM module is able to validate the readonly attribute values against the corresponding value from the response. In case of a mismatch, the attacker has tampered with the input field and we want the ASM module to generate an error.

Thanks, a bunch!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

cjunior is suggesting (I believe) to add that readonly variable and only allow it with the value "readonly".

But I'm not sure that is what you want. You want a double check: if readonly=readonly, then the value= can't be changed, right?

If you require that double logic, so that the value for one variable determines something of another variable, then I don't believe that is possible.

Comments on this Answer
Comment made 07-Nov-2017 by schusb 64

Thanks for your answer. According to your second paragraph we are talking about the same issue. The last one is a bit confusing for me, because you are talking about variables. It is about the same readonly form parameter, for which we want the ASM module to check for illegal modifications of the value.

Examples:

1) Legal request:

value of read-only parameter "active" from response: "01.01.2017"
value of read-only parameter "active" in POST request: "01.01.2017"

2) Illegal request:

value of read-only parameter "active" from response: "01.01.2017"
value of read-only parameter "active" in POST request: "02.02.2017"

Actually the ASM module could do this without any parameter definition, since a read-only parameter must never be changed at the client side.

We don't have much experience with iRules, but would it be possible to check read-only POST request parameters against the value of the associated response?

Comment made 07-Nov-2017 by boneyard 5579

Parameter / variable, for me sort of the same.

I don't believe a read-only parameter is that well-defined a thing in HTTP.

An iRule would probably be easier indeed; the logic is simpler to build there.

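The check schusb describes above (remember the read-only values served in the response, then reject a POST in the same session that changes them) can be expressed in a few lines of ordinary code. The block below is an added example and is not code from the thread, from F5, or from an iRule; it models the same two-sided logic in Python so the behaviour can be run and inspected. The HTML pages, session ids and form bodies are constructed sample data, and the in-memory session store stands in for whatever per-session state a real implementation would key on (for example the application's session cookie, which the client cannot choose). It also shows why the role case in the question works out naturally: the privileged user receives the field without `readonly`, so nothing is recorded for it and their edit passes.

```python
"""Added example (not from the DevCentral thread): record the values of
read-only <input> fields when a page is served and reject a later POST in
the same session that changes any of them."""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class ReadonlyInputCollector(HTMLParser):
    """Collect name -> value for every <input> that carries a readonly attribute."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    # HTMLParser routes self-closing <input ... /> tags here as well.
    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        # Both <input readonly> and readonly="readonly" mean read-only in HTML,
        # so test for presence of the attribute, not for a specific value.
        if "readonly" in attr and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def extract_readonly_fields(html: str) -> dict:
    """Response side: return {name: value} for the read-only inputs in a page."""
    parser = ReadonlyInputCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def record_response(store: dict, session_id: str, html: str) -> dict:
    """Remember the read-only values that were served to this session."""
    expected = extract_readonly_fields(html)
    store[session_id] = expected
    return expected


def check_request(store: dict, session_id: str, body: str) -> list:
    """Request side: return (name, served_value, submitted_value) for every
    read-only field whose submitted value differs from what was served.
    An empty list means the request is legal with respect to read-only fields."""
    expected = store.get(session_id, {})
    submitted = parse_qs(body, keep_blank_values=True)
    violations = []
    for name, served in expected.items():
        for sent in submitted.get(name, []):
            if sent != served:
                violations.append((name, served, sent))
    return violations


# Constructed sample page as the restricted role sees it: the date is read-only,
# and a hidden record id uses the bare attribute form.
RESTRICTED_PAGE = """
<form method="post" action="/save">
  <input type="text" name="display_active" maxlength="30" size="11" value="01.01.2017" readonly="readonly">
  <input type="text" name="comment" value="">
  <input type="hidden" name="record_id" value="42" readonly>
</form>
"""

# Constructed sample page for the privileged role: same form, date editable.
PRIVILEGED_PAGE = RESTRICTED_PAGE.replace(' readonly="readonly"', "")

SESSION_STORE = {}  # session id -> {field name: served value}; hypothetical stand-in


def demo():
    """Run the two examples from the thread plus the privileged-role case."""
    record_response(SESSION_STORE, "sess-restricted", RESTRICTED_PAGE)
    record_response(SESSION_STORE, "sess-privileged", PRIVILEGED_PAGE)
    legal = check_request(SESSION_STORE, "sess-restricted",
                          "display_active=01.01.2017&comment=hello&record_id=42")
    illegal = check_request(SESSION_STORE, "sess-restricted",
                            "display_active=02.02.2017&comment=hello&record_id=42")
    allowed = check_request(SESSION_STORE, "sess-privileged",
                            "display_active=02.02.2017&comment=hello&record_id=42")
    return legal, illegal, allowed


if __name__ == "__main__":
    for label, result in zip(("legal", "illegal", "privileged"), demo()):
        print(label, "->", "blocked" if result else "passed", result)
```

Two points worth keeping in mind if this logic is moved in front of the application rather than into it: the store must be keyed on a session identifier the client cannot pick freely, and it only covers fields that were actually served with `readonly`, so a page that renders the field editable for one role and read-only for another is handled per response, exactly as the question needs.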
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi, yes, it is possible. See the section about static and dynamic parameter implementations.

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-6-0/31.html

Basically, for static parameters you set a list of possible values, and for dynamic parameters you set an extraction to capture those parameters' values.

Regards.

Comments on this Answer
Comment made 06-Nov-2017 by schusb 64

Hi, thanks for your answer. I updated the question because I'm not sure whether this will solve our issue. I have an input field which has the readonly attribute set if the user is in a specific role, hence it is not editable for that user, but for users with a more privileged role it is possible to change that value.

<input type="text" name="display_active" maxlength="30" size="11" value="01.01.2017" readonly="readonly">

Sadly!!!, there's no further validation in place. We want to save the pain of implementing the missing validation layer for this quite old application. It would be a huge benefit to us if the ASM module is able to validate the readonly attribute values against the corresponding value from the response. In case of a mismatch, the attacker has tampered with the input field and we want the ASM module to generate an error.

Thanks, a bunch!
