Parse POST parameters

Question

Hi,&nbsp;
&nbsp;i'm trying to do Security iRules for my webmail application : iNotes.
&nbsp;This Webmail uses a lot of POST requests to send parameters. Using HTTP Analyzer, I can see that requests are as this :&nbsp;
&nbsp;-----------------------------7d81f87640cf4
&nbsp;Content-Disposition: form-data; name="%%ModDate"
&nbsp;-----------------------------7d81f87640cf4
&nbsp;Content-Disposition: form-data; name="%%PostCharset"
&nbsp;ISO-8859-1
&nbsp;-----------------------------7d81f87640cf4
&nbsp;Content-Disposition: form-data; name="h_SceneContext"
&nbsp;putAway['publishAction']&amp;&amp;&amp;&amp;&amp;&amp;putAway['publishFolderTitle']&amp;&amp;&amp;&amp;&amp;&amp;putAway['ME']&amp;&amp;&amp;&amp;&amp;&amp;putAway['publishFolderPageUnid']&amp;&amp;&amp;&amp;&amp;&amp;putAway['tocPosition']&amp;&amp;&amp;&amp;&amp;&amp;putAway['tmpText']&amp;&amp;&amp;&amp;&amp;&amp;putAway['selectedFolderIndex']&amp;&amp;&amp;0&amp;&amp;&amp;putAway['BSi']&amp;&amp;&amp;&amp;&amp;&amp;
&nbsp;-----------------------------7d81f87640cf4
&nbsp;Content-Disposition: form-data; name="h_EditAction"
&nbsp;h_Next
&nbsp;-----------------------------7d81f87640cf4
&nbsp;Content-Disposition: form-data; name="h_SetEditCurrentScene"
&nbsp;s_StdPageEdit
&nbsp;[...]&nbsp;
&nbsp;I'd like to be able to get each parameter to verify that there is no problem with size, specifics characters, ...
&nbsp;The iRule I'm using to do this :
&nbsp;rule Security-Limit_Parameters_Size-Rule {
&nbsp;when RULE_INIT {
&nbsp;   set ::debug 1
&nbsp;   set ::max_post_param_length 500 
&nbsp;}
&nbsp;when HTTP_REQUEST {
&nbsp;   switch [HTTP::method] {
&nbsp;      "GET" {
&nbsp;      }
&nbsp;      "POST" {
&nbsp;         HTTP::collect [HTTP::header Content-Length]
&nbsp;      }
&nbsp;   }
&nbsp;}
&nbsp;when HTTP_REQUEST_DATA {
&nbsp;   set ::parametersList [split [HTTP::payload] "&amp;"]
&nbsp;   for {set ::i 0} {$::i &lt; [llength $::parametersList]} {incr ::i} {
&nbsp;      set ::parameter [split [lindex $::parametersList $::i] "="]
&nbsp;log local0. "Parameter : [lindex $::parameter 0]
&nbsp;      if { [string length [lindex $::parameter 1]] &gt; $::max_post_param_length } {
&nbsp;         if { $::debug } {
&nbsp;            log local0. "Triggered by IP : [IP::client_addr] with URI [HTTP::uri] and parameter length : [string length [lindex $::parameter 1]]"
&nbsp;         }
&nbsp;         reject
&nbsp;      }
&nbsp;   }
&nbsp;}
&nbsp;}&nbsp;
&nbsp;It seems that this iRules is not working since I can't see the complete lists of the parameters. Is there a way to do this on a content-type which is not "x-www-form-urlencoded" ?&nbsp;
&nbsp;Thanks for your help.
&nbsp;Regards,
&nbsp;-- Alexis

hooleylist · Answer

Hi,&nbsp;
&nbsp;The first thing I notice is that you're using global variables to save the values.  Global variables are shared across multiple connections which would cause trampling.  You can change them to local variables by removing the ::.  Second, if the client is sending un-encoded &amp;'s in the parameter value, you won't be able to split the parameters based on the &amp; as a delimiter.  You might be able to split them if you parse the boundary from the Content-Type header and then break up the chunks of data to get just the parameter value.  I would imagine it would be a complicate rule and take a lot of CPU and memory to perform the validation.&nbsp;
&nbsp;Even if you're able to parse the parameter values, I think you're going to have a hard time coming up with a comprehensive validation methodology using just iRules.  You might consider F5's application firewall, ASM.  With it, you can validate all the input a user sends in requests and the application's responses.  This includes the request method, headers, query string and post data parameters and server responses.  You get much more granular control if you need it, but can still set reasonable defaults.  Also, the parsing and decoding is handled for you.&nbsp;
&nbsp;If you do continue with the iRule approach, reply if you run into more problems or make progress.&nbsp;
&nbsp;Aaron

hooleylist · Answer

There is a length limit on the size of a message which can be sent to syslog, so that's probably why you're seeing the payload truncated when using the log command.  You should be able to test the parameter parsing just using the first 100 bytes of the payload, anyhow.  I'll see about testing some of the parameter parsing, but I'm not sure when exactly I'll have time.&nbsp;
&nbsp;Aaron

Forum Discussion

Parse POST parameters

2 Replies

Recent Discussions

MAC address not showing up in LLDP packet

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Related Content

Parsing F5 BIG-IP LTM DNS profile statistics and extracting values with Python

F5 ADC - url rewrite redirect with parsing

Brute Force protection for single parameter like OTP

HTTP auth - Calling external API with parameters

Wildcard Parameter signature attack