Forum Discussion

2 Replies

  • You can try to filter the URI using an iRule, but an attacker will be able to obfuscate their attack using many encoding schemes that the web server will probably parse and you won't be able to track in an iRule. An attacker could probably also send the malicious strings in the payload in POST requests. It would be very difficult to handle these scenarios in an iRule and still support typical production levels of traffic.

    If you want to check if the decoded URI contains "script", you could use something like this (from Joe's Codeshare example, Click here):


     when HTTP_REQUEST {

        # URI decode the URI
        set tmpUri [HTTP::uri]
        set uri [URI::decode $tmpUri]

        # repeat decoding until the decoded version equals the previous value.
        while { $uri ne $tmpUri } {
           set tmpUri $uri
           set uri [URI::decode $tmpUri]
        }
        if { [string tolower $uri] contains "script" } {

           # Found script in the decoded URI.  Do something?
           HTTP::respond 404
        }
     }


    Aaron
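The following is an added example, not part of the original post or of Joe's Codeshare entry. It reproduces the iRule's decode-until-stable loop in Python (urllib's unquote standing in for URI::decode, which only exists on BIG-IP) and runs it over constructed sample URIs to show two things the reply above states: why a single decode pass misses double- and triple-encoded payloads, and why even the fixed-point loop misses schemes such as IIS-style %uXXXX encoding that a plain percent-decoder does not understand. The sample URIs, function names and the round limit are all assumptions made for the illustration.

```python
from urllib.parse import unquote

# Constructed sample URIs (not from the original post): each hides the
# string "script" behind a different layer of encoding.
SAMPLES = {
    "plain":             "/search?q=<script>alert(1)</script>",
    "single_encoded":    "/search?q=%3Cscript%3E",
    # "%25" decodes to "%", so these need two and three passes respectively.
    "double_encoded":    "/search?q=%253Cs%2563ript%253E",
    "triple_encoded":    "/search?q=%25253C%252573cript%25253E",
    "mixed_case":        "/search?q=%3CScRiPt%3E",
    # IIS-style %uXXXX encoding: a percent-decoder leaves "%u0073" intact,
    # but a server that understands %u would read it as "s" and see "script".
    "unicode_u_encoded": "/search?q=%3C%u0073cript%3E",
}


def decode_once(uri: str) -> str:
    """Single-pass percent-decoding, analogous to one URI::decode call."""
    return unquote(uri)


def decode_fixed_point(uri: str, max_rounds: int = 10) -> str:
    """Decode repeatedly until the result stops changing, mirroring the
    while loop in the iRule above.  max_rounds is an added safety bound so a
    request cannot force unbounded work on the proxy."""
    prev = uri
    for _ in range(max_rounds):
        cur = decode_once(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def contains_script(decoded: str) -> bool:
    """The iRule's check: case-insensitive substring match on 'script'."""
    return "script" in decoded.lower()


def classify(uri: str) -> dict:
    """Report whether a single decode pass and the fixed-point loop
    would each flag the URI."""
    return {
        "single_pass": contains_script(decode_once(uri)),
        "fixed_point": contains_script(decode_fixed_point(uri)),
    }


if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:18} {classify(uri)}")
```

Running the block prints one line per sample: the double- and triple-encoded URIs are caught only by the fixed-point loop, while the %u-encoded sample is caught by neither strategy, which is the gap the reply points to when it says a web application firewall and an application-side fix are the real answer.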
  • I should add that the best way to handle this efficiently and securely is to use a web app firewall and fix the application code. Trying to use an iRule to implement HTTP security is not going to be both efficient and complete.

    Aaron