ASM IRULE ILLEGAL REDIRECTION ATTEMPT

Hi

I have an application which sends a Location header for redirecting to another domain, but the format isn't a usual one. It is as below:

Location:itms-services://?action=download-manifest&url=https://abc.xxx/bn/sr/26TZqGJn2Fzk0IPnjU35ITJLnteoxxs5dvfyEPRXgD4npXC1Qi9WcrxYLY_7aGISEpA7ZUqkT7LENF23G5XRm_G65sZgioyNwDGO1SXwQIAQ2vSQJ4QjjzYy7UeyqMAZCfg2JQ8SOOCbi4QYoIuYKieEgNZjm7mFvFT8wsNOWLN5S_rhSmqC5PUNgQrXUH0jABrOyMIRzMnxQgfRtfajn7WQNIZpD_sAGHtMGY1IFaw

F5 ASM isn't able to understand the domain from this, so it is blocking the traffic as an illegal redirection attempt.

Can I use the below iRule to unblock the traffic based on the Location header seen and the violation attack type? If I were using just HTTP events then I would have called the HTTP response event, but here, since ASM is also involved, will the below work?

when ASM_REQUEST_VIOLATION {
  if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] contains "itms-services" } {
    if { [ASM::violation attack_types] equals "ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY" } {
      ASM::unblock
    }
  }
}

0
Comments on this Question
Comment made 06-Mar-2018 by draco 367

Anyone has any idea? I tried the above, it didn't work. Appreciate it if anyone could help.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello Draco,

I'm not sure it's the best way to solve it. Is it an off-the-shelf product you're using, or something developed in your company? I'd rather ask the application devs to load the download element from an iFrame or similar, instead of issuing a full HTTP redirect. The main purpose of the Location header is to point to another HTTP resource. itms-services://?action=download-manifest&url is an alien resource which a customer requires more than a web browser with default configuration to understand; probably a 3rd-party browser plugin or other software is required.

As a temporary measure, just untick the "block" box for this violation in your WAF policy. If you have a reason to use an iRule with a narrowed focus, please copy the exact violation from the ASM log file at /var/log/asm.

Rgds

0
Comments on this Answer
Comment made 06-Mar-2018 by draco 367

Hi Hannes

Thanks a lot for taking the time to reply.

It is an MDM solution called Kony. So any users in the organization will access a link via browser to download the Kony mobile app. This is only for iPhone users. The service in the Location is an iTunes service. So once the response is seen by the client, the client initiates the traffic via user agent as itunestore. I have temporarily unchecked the block box, but since it is an externally accessed application, I didn't want to uncheck the illegal redirection attempt violation globally. So I thought of using an iRule, but ASM events and HTTP events can't be called together. I tried using HTTP::header Location under the ASM violation event; it gave an error that the HTTP command is out of scope of the ASM event. So I'm not sure how to make F5 look at the Location header for this traffic and check for that particular string.

0
Comment made 06-Mar-2018 by Hannes Rapp 3890

Ok, but why not. Check my answer about a custom ASM violation with iRule triggering in the thread below. In that scenario, I used the HTTP_REQUEST event to check the value of the HTTP path and request method, and then defined my own variable which was used as a reference point in the ASM_REQUEST_DONE event. You can probably do the same if you check the value of the Location header in the HTTP_RESPONSE event. If there's a match, you can set your own variable, i.e. "set itsm_redirect_true 1", and call for unblock in the ASM_REQUEST_VIOLATION event (don't forget your other conditions). Looks like you're already pretty close to a solution and it's just a matter of segregating your code into the correct events.

https://devcentral.f5.com/questions/asm-block-get-requests-on-a-specific-url

1
Comment made 06-Mar-2018 by draco 367

Ohhhh yes, that should work. Thanks a lot for the help. Will try out a similar iRule!!

0
Comment made 08-Mar-2018 by draco 367

Hey Hannes

I am getting a TCL error telling me that the variable which is mentioned under ASM_REQUEST_DONE isn't known to it.

when HTTP_RESPONSE {
  set reqBlock 0
  if { ([HTTP::header is_redirect] && [string tolower [HTTP::header Location]] contains "itms-services" && [HTTP::status] == 302) } {
    set reqBlock 1
    log local0. "Location header value: [HTTP::header value Location] $reqBlock"
  }
}

This much is working. But then, as you did in the other iRule, I call $reqBlock under ASM_REQUEST_DONE and it's telling me unrecognizable variable. I am using version 12.1.2, is it related to that? It should work if in that iRule it's working :/

0
Comment made 08-Mar-2018 by Hannes Rapp 3890

The ASM_REQUEST_DONE event occurs before the HTTP_RESPONSE event. During that event, any variables you set in HTTP_RESPONSE are still unknown. ASM_REQUEST_DONE works in combination with HTTP_REQUEST if you want to do blocking/unblocking based on HTTP request headers/parameters/payload. In your case, you determine your block/unblock action based on information found in the server response (is it a redirect with specific information?).

Ref ASM iRule events: https://devcentral.f5.com/wiki/iRules.ASM.ashx

0
Comment made 11-Mar-2018 by draco 367

Ohh ok.. I need to check the Location header in the response, that's why I used the HTTP_RESPONSE event.. hmm, yeah, what you're saying is right... then I should find some other way.. hmm.. maybe I should use the ASM response event..

0
Comment made 11-Mar-2018 by Hannes Rapp 3890

ASM_RESPONSE_VIOLATION and HTTP_RESPONSE are the best candidates for this. Haven't tested, but odds are good that it will work.

0
Comment made 12-Mar-2018 by draco 367

Thanks Hannes for your prompt response :). I'll be testing by tomorrow. I'll let you know how it goes.

0
Comment made 14-Mar-2018 by draco 367

Hey Hannes, both events are being triggered, but the thing is I can't unblock ASM in the ASM response event, so I can't do much :(

when HTTP_RESPONSE {
  set reqBlock 0
  if { ([HTTP::header is_redirect] && [string tolower [HTTP::header Location]] contains "itms-services" && [HTTP::status] == 302) } {
    set reqBlock 1
    log local0. "Location header value: [HTTP::header value Location] $reqBlock"
  }
}
when ASM_RESPONSE_VIOLATION {
  log local0. "ASM_VIOLATION triggered"
  if { $reqBlock == 1 && [ASM::violation attack_types] equals "ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY"} {
    log local0. "Violation: [ASM::violation attack_types]"
  }
}

The above is getting triggered and logged.. but since the violation is in the response, I don't think I can do anything much.

0
Comment made 14-Mar-2018 by Hannes Rapp 3890

This is intriguing. I'll power up my lab and give you a tested solution or workaround within 24h. Stay tuned.

0
Comment made 14-Mar-2018 by draco 367

Really kind of you to try and help... I've run out of any ideas that I could test, so I will wait for your findings.. thanks a lot..

0

Some wild suggestion... disable ASM if the Location HTTP header contains the value you are looking for.. via LTM policy..

0

Investigated further. According to https://devcentral.f5.com/wiki/irules.asm__unblock.ashx, the ASM::unblock command has a much narrower scope than expected.

"The command applies to requests only. It is not possible to unblock a response in which violations were found"

This explains your test results. So we need another workaround. You can use the iRule posted below, or use the Local Traffic Policy posted by boggs. For performance reasons, a Local Traffic Policy would be better. But due to the risk of TCP connection re-use by malicious clients, you cannot safely use a Local Traffic Policy that disables ASM for a particular HTTP response like that. You would also need to add a rule to your LTP that ensures TCP connection teardown, because ASM enable/disable hopping within the same TCP session is unreliable with LTP. Unfortunately, the TCP close/teardown feature seems to be absent from LTP as of BIG-IP v12 and v13.

when HTTP_RESPONSE {

  # A Location header can only exist in a server response in case of a redirect. Because of that, we do not need to check the response code or use additional checks to determine if there is a redirect.
  # The HTTP::header exists guard keeps the check false for a normal HTTP 200 response with no Location header, so the body below only runs for the redirect we are looking for.
  # For the if-check, "starts_with" is used instead of "contains" for a small performance gain.

  if { [HTTP::header exists Location] && [string tolower [HTTP::header Location]] starts_with "itms-services" } {
    log local0. "Location header value: [HTTP::header value Location]. ASM disabled for this particular response."

    # Behavior notice: the ASM::disable function persists for the entire TCP connection
    ASM::disable
    # The HTTP::close command in this event adds a 'Connection: Close' HTTP header (or modifies the existing header to the 'Close' value) to instruct the client browser that it must close the underlying TCP connection upon receiving this reply
    HTTP::close
    # The TCP::close command tears down the TCP connection in BIG-IP so naughty clients who intentionally ignore the Connection: Close header will not be able to reuse this WAF-less TCP connection for more requests
    TCP::close
  }
}
0
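The iRule above disables ASM for any response whose Location starts with "itms-services", so a manifest hosted anywhere would pass. As an added example that is not code from the thread or from F5, the Python below models the narrower decision a defender would want before porting it into the HTTP_RESPONSE event: it parses the nested manifest URL out of the itms-services Location value and accepts the redirect only when that manifest is https on an allowlisted host. The allowlist and the sample Location values are constructed (the first mirrors the question's header with a shortened token).

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: hosts trusted to serve the manifest (.plist) that
# the itms-services redirect points the iOS device at.
ALLOWED_MANIFEST_HOSTS = frozenset({"abc.xxx"})


def classify_redirect(location, allowed_hosts=ALLOWED_MANIFEST_HOSTS):
    """Classify one Location header value.

    'not-itms' : ordinary redirect, leave it to the normal WAF check
    'allow'    : itms-services redirect whose manifest URL is https on an
                 allowlisted host
    'block'    : anything else that claims to be an itms-services redirect
    """
    if not location.lower().startswith("itms-services:"):
        return "not-itms"
    # urlsplit() gives scheme 'itms-services', an empty netloc and the query
    # 'action=...&url=...'; parse_qs() then splits that on '&' and '='. A
    # nested URL carrying its own '&' is truncated here and so fails the
    # host check, which is the safe direction.
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)
    if params.get("action") != ["download-manifest"]:
        return "block"
    urls = params.get("url", [])
    if len(urls) != 1:  # missing, or duplicated (parameter pollution)
        return "block"
    manifest = urlsplit(urls[0])
    # .hostname discards userinfo, so 'https://abc.xxx@evil.example/x' is
    # judged by its real host, evil.example.
    if manifest.scheme != "https" or manifest.hostname not in allowed_hosts:
        return "block"
    return "allow"


# Constructed sample Location values, in the order: legitimate redirect,
# foreign manifest host, plain http, userinfo trick, missing action, non-itms.
SAMPLE_LOCATIONS = [
    "itms-services://?action=download-manifest&url=https://abc.xxx/bn/sr/TOKEN",
    "itms-services://?action=download-manifest&url=https://evil.example/app.plist",
    "itms-services://?action=download-manifest&url=http://abc.xxx/app.plist",
    "itms-services://?action=download-manifest&url=https://abc.xxx@evil.example/app.plist",
    "itms-services://?url=https://abc.xxx/app.plist",
    "https://abc.xxx/login",
]


def review(locations=SAMPLE_LOCATIONS):
    """Return {location: verdict} for a batch of Location header values."""
    return {loc: classify_redirect(loc) for loc in locations}
```

Only the "allow" verdict should map to the ASM::disable branch; "block" should be left to the existing illegal redirection attempt violation.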
Comments on this Answer
Comment made 18-Mar-2018 by draco 367

Have never done it with LTP... thanks Boggs and Hannes... learnt quite some stuff with this issue.. thanks a lot for responding... I've tried the above.. I'll be putting it in and testing in prod and I'll see.. :)

0