
Emad
Nov 28, 2013

Stop POST requests.

Hi. I was working to stop certain types of requests to web servers via an LTM iRule. Right now I can stop different patterns in HTTP GET requests, i.e. via the URI, but I also want to stop certain patterns in POST and PUT requests. For example, there is an iRule to stop command execution via the URI, but when I try to execute a command in POST it does not work, as it only reads the URI part. I need to control POST requests.

 

Example iRule:

    when HTTP_REQUEST {
      switch -glob [string tolower [HTTP::uri]] {
        ".exe" -
        ".dll" {
          reject;
        }
      }
    }

 

6 Replies

  • nathe

    Not sure if your iRule is quite right. Try:

    when HTTP_REQUEST {
      switch -glob [string tolower [HTTP::uri]] {
        "*.exe" -
        "*.dll" {
          reject
        }
      }
    }
    

    Hope this helps,

    N

  • Emad

    The issue is that it only reads the URI of the HTTP request, as in method type GET. It does not read the POST data contents, and I want to read that.

     

  • In order to control POSTs you'd need to collect and inspect the HTTP body and this could have performance implications. Equally, searching on a pattern such as 'exe' is likely to block valid requests (when the word execute is found for example) unless you're very careful. Is this really necessary where POSTs are concerned? What's the risk you are trying to mitigate?

     

  • A POST will generally have a payload that you need to worry about, but it will also have a URI. So your mitigations are dependent on the injection point. An example POST request:

    POST /foo/bar/test.exe HTTP/1.1
    Host: www.example.com
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla...
    
    username=foo&password=bar&execute=test.exe
    

    So you could still look at the URI in a POST request, but then you can also look at the payload, which would require a collection. If I had to guess, I would assume your application predominantly uses GETs, so the overhead of collecting on POSTs, and potentially a subset of POSTs based on some trigger URIs, wouldn't be too overwhelming.

  • Emad

    I have some PHP-based applications, and normally the payload is passed in a GET request to exploit any vulnerability. I am also working on ASM. The issue is that there are some exploits which work in GET as well as in POST data. www.abc.com/index.php is a valid URL; an illegal request is www.abc.com/index.php?admin:$val. Commonly these types of requests work in GET or by typing the URL. But if I use any utility for sending POST data, i.e. ?admin:$val for URL www.abc.com/index.php, it works. So I want to stop that one. So at the moment my requirement is to stop this part of the HTTP request:

     

    POST /foo/bar/test.exe HTTP/1.1

     

  • I'm not sure, but it seems like the objective has changed since the beginning of this thread.

    For example, there is an iRule to stop command execution via the URI, but when I try to execute a command in POST it does not work, as it only reads the URI part. I need to control POST requests.

    If you just need to filter on the URI portion of a request (GET, POST, etc.). Example:

    POST /foo/bar/test.exe HTTP/1.1    
    GET /foo/bar/test.exe HTTP/1.1
    

    then the original iRule using HTTP::uri should work. If however you need to filter on the POST payload, the data that comes after the HTTP headers, then you need to first HTTP::collect it.
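
The collect-then-inspect approach the replies describe, written out as an added example; it was not posted by anyone in the thread. It assumes form-encoded bodies that declare a Content-Length, and the 1 MB collection cap is an assumed value to tune for the application.

```tcl
# Added example, not from the thread.
when HTTP_REQUEST {
    # The URI check applies to every method, POST and PUT included.
    switch -glob [string tolower [HTTP::uri]] {
        "*.exe" -
        "*.dll" { reject; return }
    }

    # Collect the body only where it is needed, to limit the overhead the
    # replies warn about. Assumption: only form-encoded bodies with a
    # Content-Length are inspected; chunked requests are not covered here.
    set ctype [string tolower [HTTP::header value "Content-Type"]]
    if { ([HTTP::method] eq "POST" || [HTTP::method] eq "PUT")
         && $ctype starts_with "application/x-www-form-urlencoded"
         && [HTTP::header exists "Content-Length"] } {
        set len [HTTP::header value "Content-Length"]
        if { [string is integer -strict $len] && $len > 0 } {
            # Assumed cap of 1 MB so a large upload is not buffered in full.
            if { $len > 1048576 } { set len 1048576 }
            HTTP::collect $len
        }
    }
}

when HTTP_REQUEST_DATA {
    # Match on decoded parameter values, not the raw body, so a field
    # named "execute" passes while a value such as "test.exe" is rejected.
    foreach pair [split [HTTP::payload] "&"] {
        set value [URI::decode [join [lrange [split $pair "="] 1 end] "="]]
        switch -glob [string tolower $value] {
            "*.exe" -
            "*.dll" { reject; return }
        }
    }
    # Nothing matched: pass the collected request on to the pool.
    HTTP::release
}
```

With the sample request shown earlier in the thread, the URI check rejects `/foo/bar/test.exe` before any collection happens; the same body posted to `/index.php` would be rejected in `HTTP_REQUEST_DATA` because of the `execute=test.exe` value.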