Forum Discussion

sbobic_232506
Dec 15, 2015

Applying iRule to ASM policy - file upload form protection

So, I have found the following iRule which should block the upload of PHP files in file upload forms:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Content-Disposition"] } {
            switch -glob [HTTP::header value "Content-Disposition"] {
                "*filename=*.php*" -
                "*filename=*.sh*" {
                    # Reject however you'd like, for example:
                    reject
                    # or instead: HTTP::redirect "/"
                }
            }
        }
    }

but it doesn't seem to affect anything. In other words, it's not applied to the web application, since I can still upload PHP files just fine. I am using Damn Vulnerable Web Application to do the testing.

Btw, I have just created the iRule in Local Traffic ›› iRules : iRule List

I didn't do anything else to enforce this rule since I don't know if it's needed and, if it is, where to do that?

5 Replies

  • First, go to Local Traffic >> Virtual Server List and click the VS that you would like to apply the iRule to. Then go the Resources tab of that VS, and add your iRule to the Enabled panel. That will add the iRule as a resource to the VS. The next step is to enable iRule processing on the application security policy. Go to the Properties page of your security policy, and select the Advanced menu option. This will reveal the "Trigger ASM iRule Events" option toward the bottom of the screen. Enable the option, click Save and then Apply Policy.


  • I've done everything you wrote but DVWA still lets me upload PHP files. Either the iRule is not working in my version of ASM 12.0 or something else is wrong?


    Here is the log from the intercepted POST submit:

    POSTDATA =-----------------------------125462240720208
    Content-Disposition: form-data; name="MAX_FILE_SIZE"

    100000
    -----------------------------125462240720208
    Content-Disposition: form-data; name="uploaded"; filename="up2.php"
    Content-Type: application/octet-stream

    -----------------------------125462240720208
    Content-Disposition: form-data; name="Upload"

    Upload
    -----------------------------125462240720208--

  • An easier way might be to simply go to Application Security: File Types: Disallowed File Types, and then create a disallowed file type of .php. That should work. However, back to the iRule, can you go to Logs: Application Security and then review the log entries to see if your iRule fired? You might have to sort by timestamp to wade through all the entries, but a successful iRule event will be listed in the logs. If no iRule event is listed, then either the iRule hasn't been assigned to the VS, or it hasn't been assigned the correct security policy (make sure you save and apply policy after adding it), or the conditions in the iRule are not being met. Are you sure there is a Content-Disposition header in the POST (I am assuming it's a POST) made to DVWA?

  • Maybe I'm totally wrong, but the initial iRule has nothing to do with ASM and is based on standard LTM functions. So nothing specific to configure on ASM-side.

    Try to adjust your iRule like this:

    when HTTP_REQUEST {
        if { [HTTP::header exists "Content-Disposition"] } {
            log local0. "Content-Disposition: [HTTP::header value "Content-Disposition"]"
            switch -glob [HTTP::header value "Content-Disposition"] {
                # ... the rest of the switch stays as in your original rule ...
            }
        }
    }

    And verify your logs afterwards. Either the header isn't available at all or it doesn't match your switch-statements.

    Ciao Stefan 🙂

  • Disallowing file types will make the web app inaccessible as it's made in PHP. Plus, as a pentester, I would like to have full control in order to block all file upload vulnerabilities (.php3, .phps, exif data, .htaccess shells etc.)

    All of my logs (illegal, and all requests) at Security > Event Logs > Application > Requests are empty. Maybe because I have set automatic learning mode, and I've started building the policy just yesterday.
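The POSTDATA log above shows the Content-Disposition lines inside the multipart body parts, not among the request headers that HTTP::header inspects, so an HTTP_REQUEST-only rule never matches. As an added example (not code from any participant in this thread), the iRule below collects the body of multipart POSTs and checks the part filenames there; the 1 MB collect limit and the extension list are assumptions to be tuned for the application.

```tcl
when HTTP_REQUEST {
    # Content-Disposition is a per-part header inside a multipart body, so
    # buffer the body of multipart POSTs and inspect it in HTTP_REQUEST_DATA.
    if { [HTTP::method] equals "POST" &&
         [string tolower [HTTP::header "Content-Type"]] starts_with "multipart/form-data" } {
        set clen [HTTP::header "Content-Length"]
        # Assumption: uploads are at most 1 MB. Larger or chunked bodies are
        # not collected here and need a size policy of their own.
        if { [string is integer -strict $clen] && $clen > 0 && $clen <= 1048576 } {
            HTTP::collect $clen
        }
    }
}

when HTTP_REQUEST_DATA {
    # Match filename="...<ext>" for the extensions discussed in the thread
    # (.php, .php3, .phps, .sh, .htaccess); -nocase also catches .PhP.
    # The list is an assumption, not a complete catalogue of risky types.
    if { [regexp -nocase {filename="[^"]*\.(php[0-9]?|phps|sh|htaccess)"} [HTTP::payload]] } {
        log local0. "Blocked upload of disallowed file type from [IP::client_addr] to [HTTP::uri]"
        HTTP::respond 403 content "Upload of this file type is not allowed" "Content-Type" "text/plain"
        return
    }
    # Nothing matched: release the buffered request to the pool as normal.
    HTTP::release
}
```

Assign it to the virtual server as described in the first reply; the log local0. line is what confirms the rule actually fired on a test upload.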