dakritt_315479
Apr 06, 2018

ASM disallowed url and wildcard

Hello community!

I'm working on an ASM policy to filter only /admin/* web pages. I want users to be able to access the whole site except the admin section.

The BIG-IP version is 11.5.5.

I know how to proceed with an iRule, but I would like to use ASM instead. In Application Security => URLs => Disallowed URLs, I can add a forbidden URL, but only an explicit URL (ex: /admin/myadminpage.php). When I add a wildcard (ex: /admin/*), nothing is filtered and I can access the admin section, except if I enter "https://www.mysite.com/admin/*". In this particular case, the wildcard is treated as a literal string and not as "0 or x occurrences".

Is there a way to forbid a whole path with ASM? For example /admin* or /admin/*? I have also tried with version 12.1.3, but it's the same behaviour.

5 Replies

  • Hello,

    This behaviour is normal: the "Disallowed URLs" functionality is available only for explicit URLs, not wildcards. So you can't set a wildcard URL:

    URL (Explicit only) Example: /index.html

    That's why it works (a block takes place) only when you enter "https://www.mysite.com/admin/*".

    I advise you to handle your needs through an iRule. As I told you, it's simpler and you can easily log all attempts...

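    when HTTP_REQUEST {
      # Lowercase the URI so the prefix match is case-insensitive
      set uri [string tolower [HTTP::uri]]

      # Log and reject any request whose URI starts with /admin
      if { $uri starts_with "/admin" } {
        log local0. "rejected request $uri for client [IP::client_addr]"
        reject
      }
    }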
    
  • Thank you Youssef,

    OK. I was expecting your answer. I don't understand why this option is not provided by ASM. It's very useful to block a specific tree view (more than blocking one particular page). My objective was to limit the number of iRules we use. But not this time 😞

    For now, as a workaround, we use an iRule to filter access to admin pages and raise an ASM event. If users come from the internet and not the intranet, admin pages are blocked.

    Here is an example:

    when HTTP_REQUEST {
      # Normalize the URI: decode, lowercase, and reduce leading slashes to one
      set httpuri [string tolower [URI::decode [HTTP::uri]]]
      set httpuri [string trimleft $httpuri /]
      set httpuri /$httpuri
      set blockurl 0
      if { $httpuri starts_with "/admin" } {
        # Admin pages are allowed only for clients listed in the INTRANET_POOL_IP data group
        if { [class match [IP::client_addr] equals INTRANET_POOL_IP] } {
          log local0. "MyApp - Access granted from [IP::client_addr] on [HTTP::host][HTTP::uri]"
        } else {
          set blockurl 1
          log local0. "MyApp - Forbidden access from [IP::client_addr] on [HTTP::host][HTTP::uri]"
        }
      }
    }
    when ASM_REQUEST_DONE {
      # Raise the violation in ASM for requests flagged in HTTP_REQUEST
      if { $blockurl } {
        set x []
        lappend x "Requested URL" "\[HTTPS\][URI::decode [HTTP::uri]]" "Detection Cause" "Disallowed URL"
        ASM::raise VIOLATION_ILLEGAL_URL $x
      }
    }
    

    We have an ASM policy with a custom violation defined (with the option Trigger ASM iRule Events enabled in Advanced Policy Properties). We use that for:

    • blocking evasion techniques (directory traversal and co)

    • logging purposes

    • user information

    This is the only way we found to block admin pages with ASM.

    • youssef1

      Hi

      Indeed, it's a basic feature that we would need... I saw your iRule. It's a good job, with the ASM alert (thanks for sharing)...

      Let me know if you need other things...

      Regards

  • Have you tried using a custom signature...? So the syntax would be something like

    uricontent:"/admin/"; nocase; objonly;

    as detailed here

  • Hello iaine,

    I have tried your solution and it works perfectly. I think it's better than using iRules and raising ASM violation.

    To proceed:

    • Create a custom signature (detailed here). Use

      uricontent:"/admin"; nocase; objonly;

      to filter URIs containing /admin

    • Create a signature set (detailed here)

    • Create an ASM policy

    • In Policy Settings -> Learning and Blocking Settings, select the ASM policy, go to "Attack signatures" and add the signature set previously created.

    With this solution, the iRule and the ASM raised violation are not necessary.
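The three matching behaviours discussed in this thread (explicit Disallowed URL, normalized prefix match in the iRule, substring match in the custom signature) compared side by side, as an added example that is not part of any post and is not F5 code. The function names and sample URIs are constructed, and the signature model assumes the signature sees the decoded path without the query string; BIG-IP's own normalization is not modelled.

```python
from urllib.parse import unquote

# Entries from the original question, compared as literal strings.
DISALLOWED = ("/admin/myadminpage.php", "/admin/*")

def explicit_disallowed(uri):
    """Disallowed URLs (explicit only): exact match on the path, '*' is literal."""
    return uri.split("?", 1)[0] in DISALLOWED

def irule_prefix(uri):
    """Same steps as the second iRule: decode, lowercase, single leading slash."""
    u = "/" + unquote(uri).lower().lstrip("/")
    return u.startswith("/admin")

def signature_substring(uri, content="/admin"):
    """Model of uricontent:"/admin"; nocase; objonly; as a substring test.
    Assumption: evaluated on the decoded path, query string excluded."""
    path = unquote(uri.split("?", 1)[0]).lower()
    return content.lower() in path

def classify(uri):
    """Return (explicit, prefix, substring) block decisions for one URI."""
    return (explicit_disallowed(uri), irule_prefix(uri), signature_substring(uri))

# Constructed sample requests for a policy regression check.
SAMPLES = [
    "/admin/myadminpage.php",     # explicit entry
    "/admin/*",                   # literal asterisk, as seen in the question
    "/admin/users.php?id=1",      # other page under /admin
    "/ADMIN/users.php",           # case variation
    "//admin/users.php",          # extra leading slash
    "/%61dmin/users.php",         # percent-encoded letter
    "/administrator-guide.html",  # shares the prefix, not under /admin/
    "/shop/admin/help.html",      # /admin deeper in the path
    "/index.html",                # unrelated page
]

if __name__ == "__main__":
    print(f"{'URI':30} explicit prefix substring")
    for s in SAMPLES:
        e, p, c = classify(s)
        print(f"{s:30} {e!s:8} {p!s:6} {c!s}")
```

The last two non-trivial rows show the scope difference to check before enforcing: a pattern of "/admin" without the trailing slash also blocks /administrator-guide.html, and the substring form also blocks /shop/admin/help.html.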