Forum Discussion

Majda_Wazzan_18
Apr 29, 2015

ASM - how to protect a dynamic web pages

Hi,

  1. I face a problem with dynamic pages, since I have a website with an HTML editor, so any user can add pages and upload files.

  2. This causes a URL rewriting problem. This means that I don't have just static URLs.

How can I protect these pages, and how do I add them to the allowed URLs?

 

Thanks

 

6 Replies

  • Hi Majda, you can use wildcard URLs for the dynamic pages - find out what pattern these pages have (e.g. /content/page.blah) and create a wildcard URL in your policy based on this pattern.

     

    Hope this helps, Sam

     

  • Thanks samstep, I'll explain more.

     

    The members of the website use the HTML editor to create new webpages, and they can upload files, so I don't know what the URL is because it is generated automatically. For the wildcards: yes, I use them for the static URLs.

     

    Thanks for replying

     

  • Hi Majda, of course you would not see the actual URL as it can be anything, but there will always be a base URL you can use for a wildcard.

     

    For example - have a look at the URL of this page - it is dynamic as well! You named your question "ASM - how to protect a dynamic web pages" and DevCentral has created a URL: https://devcentral.f5.com/questions/asm-how-to-protect-a-dynamic-web-pages which is a dynamic URL.

     

    However, as you can see, the base URL is /questions/, so in the ASM policy for DevCentral there is a wildcard URL: /questions/* - you can do the same in your policy.

     

    Sam

     

  • Hi samstep

     

    I tried to access the following: https://devcentral.f5.com/questions/*

     

    and I got the following error message: The requested URL was rejected. Please consult with your administrator. Your support ID is: 18396158700765954698

     

    This means that using * is not acceptable in these cases, because using this wildcard brings many security concerns.

     

    Thanks

     

  • Hi Majda, you clearly misunderstood the wildcard concept - these are not real URLs you can access in the browser, but URLs in your ASM policy. "*" when used in your F5 ASM policy means "any URL". When "*" is used in a URL you access with your browser it will not work - it is a disallowed meta-character and is rightfully blocked.

     

    It appears that you are lacking training in F5 ASM. I highly recommend that you take an F5 ASM training course to gain an understanding of web applications and how to protect them from attacks using the F5 ASM module. Information about the F5 ASM training course is available here:

     

    https://f5.com/education/training/courses/configuring-big-ip-asm-v11-application-security-manager

     

  • Hi samstep, many thanks for your reply and for your recommendation. I have already taken the training and understand the concept of the wildcard and web application, but this is our first step in applying F5 on our website; because of this we have many concerns about using the wildcards.

     

    many thanks again
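
The distinction drawn in this thread, between `*` as a wildcard inside a policy entry and `*` as a literal character in a requested URL, can be sketched as follows. This is an added example, not part of any post above and not F5's matching engine: the policy entries, the meta-character set, the order of checks, and the `evaluate` function are all assumptions made for illustration.

```python
import fnmatch

# Constructed toy policy for illustration; not an export of a real ASM policy.
ALLOWED_URL_PATTERNS = ["/index.html", "/questions/*"]
# Assumption: the policy disallows these characters in request URLs.
DISALLOWED_URL_METACHARS = set("*<>|")


def evaluate(path):
    """Return (verdict, reason) for a request path under the toy policy."""
    # A literal '*' sent by the client is data, not a pattern, so it is
    # checked against the meta-character set before any URL matching.
    bad = sorted(c for c in set(path) if c in DISALLOWED_URL_METACHARS)
    if bad:
        return ("blocked", "illegal meta character in URL: " + "".join(bad))
    # Only the policy side is interpreted as a glob pattern.
    for pattern in ALLOWED_URL_PATTERNS:
        if fnmatch.fnmatchcase(path, pattern):
            return ("allowed", "matched policy URL " + pattern)
    return ("blocked", "illegal URL: no policy entry matches")


if __name__ == "__main__":
    # Constructed sample requests.
    for p in [
        "/questions/asm-how-to-protect-a-dynamic-web-pages",
        "/questions/*",
        "/admin/config",
        "/index.html",
    ]:
        print(p, "->", evaluate(p))
```

A wildcard scoped to a base path such as `/questions/*` admits the generated page URLs under that path while requests outside it still fail the URL check, which is narrower than a catch-all `*` entry.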