ASM: Change the POST data parameter delimiter
Hi Folks,
Currently I'm trying to create a security policy for the famous open source ticket system OTRS. Due to the behavior of OTRS I'm stuck with parameter handling. If an agent is sending a response to the customer, the POST request is sent in a format like this:
POST /otrs/index.pl? HTTP/1.1
Host: otrs.example.com
[...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length:
[...]
TicketID=12345;[...]Subject=;Body=
instead of
POST /otrs/index.pl? HTTP/1.1
Host: otrs.example.com
[...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length:
[...]
TicketID=12345&[...]Subject=&Body=
So as the delimiter used to separate single parameters is a semicolon instead of an ampersand, the ASM does not recognize all single parameters. The only parameter seen is the first one listed (here: "TicketID"). Only when a content type of "multipart/form-data" is used can the ASM identify all the parameters. Typically I'm disabling violations, i.e. Attack Signatures, based on a tuple of parameter/URL. But as the ASM cannot identify the single parameters in the request, the only chance is to disable a violation globally or for the first parameter listed (in the example above "TicketID"). This doesn't make sense for the policy, because it's very common that there is content sent in emails which will trigger Attack Signature violations, for example SQL code, HTML/JavaScript or Linux Bash commands. Therefore it makes sense to disable those Attack Signatures only on single parameters, like "Body".
Does anybody have an idea how to handle this? Is there a chance to make ASM also use a semicolon as a parameter delimiter in POST requests? It would be necessary to let the ASM check for ampersand and semicolon, as not all POST requests are sent with a semicolon.
I thought about an iRule, which would replace all semicolons in a POST request body on the client side to ampersands, if several conditions are matching (especially "[HTTP::header Content-Type] starts_with 'application/x-www-form-urlencoded'"), and then, on the server side, replace them back to semicolons. But I fear that this may be very resource intensive.
I appreciate any ideas to resolve this issue.
Thanks in advance.
Greets, svs
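
The parsing mismatch described in the post, as an added example that is not part of the original post and is not F5 or OTRS code: it compares an ampersand-only parameter split with a split on both delimiters, then applies the delimiter rewrite the post proposes. The sample body values and all function names are constructed for illustration, and the rewrite assumes the client percent-encodes any semicolon inside a value.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample body in the semicolon-delimited shape from the post.
# The Subject and Body values are invented; %3B is a percent-encoded ';'.
SAMPLE_BODY = "TicketID=12345;Subject=Re%3A+login;Body=SELECT+*+FROM+users%3B+--"


def parse_params(body, delimiters="&"):
    """Split a urlencoded body on the given delimiter characters and
    decode each name/value pair, as a parameter-aware inspector would."""
    pattern = "[" + re.escape(delimiters) + "]"
    pairs = []
    for chunk in re.split(pattern, body):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def normalize_delimiters(body):
    """Rewrite raw ';' delimiters to '&' before inspection. Assumes the
    client percent-encodes any ';' inside a value (as %3B), so only
    delimiters are touched."""
    return body.replace(";", "&")


def restore_delimiters(body):
    """Reverse step from the post: turn '&' back into ';'. Not lossless
    when the original body mixed both delimiters."""
    return body.replace("&", ";")


if __name__ == "__main__":
    print("ampersand only :", parse_params(SAMPLE_BODY))
    print("both delimiters:", parse_params(SAMPLE_BODY, "&;"))
    normalized = normalize_delimiters(SAMPLE_BODY)
    print("normalized     :", parse_params(normalized))
    mixed = "a=1&b=2;c=3"  # constructed body mixing both delimiters
    print("round trip     :", restore_delimiters(normalize_delimiters(mixed)))
```

With the ampersand-only split, the whole body lands in the value of "TicketID", so an exception scoped to "Body" never matches. A request that mixes both delimiters does not survive the rewrite-and-restore round trip unchanged.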