remove request content/body on ASM_REQUEST_VIOLATION

Question

Hi,&nbsp;
&nbsp;Our goal is to allow the webapplications to serve up blocking pages (this is due to pages varying based on location within the same webapp).&nbsp;
&nbsp;The only way we've currently been able to manipulate the  request appropriately is to place the WAF into passthrough mode and detect ASM violations.&nbsp;
&nbsp;As the request is passed through, the original request (which should have been blocked in the WAF was in blocking mode) is served to the underlying webapplications.&nbsp;
&nbsp;In order to limit security risks, we intend on cleansing the incoming request by removing headers, querystrings and submitted content.&nbsp;
&nbsp;The bellow iRule achieves most of this, but we have been unable to find a way to strip out the content/body of the incoming request.&nbsp;
&nbsp;Is there any way of stripping out this content?&nbsp;&nbsp;&nbsp;Basic sanitizing iRule&nbsp;
&nbsp;when ASM_REQUEST_VIOLATION {&nbsp;
&nbsp;   HTTP::header sanitize "host"
&nbsp;   HTTP::header insert "ASM-VIOLATION-ID [lindex [ASM::violation_data] 1]"
&nbsp;   HTTP::header replace "connection" "close"&nbsp;&nbsp;
&nbsp;   HTTP::uri [HTTP::path]&nbsp;
&nbsp;}

hooleylist · Answer

You should be able to replace the payload with nothing using ASM::payload: 
&nbsp;  
&nbsp;  http://devcentral.f5.com/wiki/default.aspx/iRules/ASM__payload.html 
&nbsp; ASM::payload replace 0 [ASM::payload length] "" 
&nbsp;  
&nbsp; Also be aware that HTTP::header sanitize won't remove all headers--it leaves these: 
&nbsp;  
&nbsp; Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding 
&nbsp;  
&nbsp;  
&nbsp; HTTP::header sanitize [header name]+ 
&nbsp;  
&nbsp;     * Removes all headers except the ones you specify and the following: Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding. 
&nbsp;     * Note that the Host header (required by HTTP/1.1) is removed unless explicitly specified. 
&nbsp;     * This command can be used in the client-side or server-side context, depending on whether you want to sanitize request and/or response headers. 
&nbsp;     * If you are using the command in the server-side context, you may want to consider adding Location to the list of retained headers if your application requires they be sent to clients. 
&nbsp;     * If you are using the command in the client-side context, you may want to consider adding Cookie, Accept, and Accept-Encoding to the list of retained headers. 
&nbsp;  
&nbsp;  
&nbsp; Aaron

wscott_99092 · Answer

Thanks Aaron, 
&nbsp;  
&nbsp; I had tried HTTP::payload but that seemed to only be able to append stuff at the beginning of the request body/content. I had assumed ASM::payload was for manipulating the response data (which is seems to do in ASM_REQUEST_BLOCKING). 
&nbsp;  
&nbsp; I did have additional steps to remove some of the headers mentioned, but left it out to simplify the request.

Forum Discussion

remove request content/body on ASM_REQUEST_VIOLATION

2 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Logging DNS Requests

Distributed caching of authentication requests with NGINX Ingress Controller

HTTP Request Smuggling, what it is, how to find it and how to stop it

Using Client Subnet in DNS Requests

Node.js HTTP Message Body: Transfer-Encoding and Content-Length in LineRate lrs/virtualServer Module