Forum Discussion

Karthik_Krishn1
Feb 17, 2016

Block keywords

Hello,
I am looking for a way to block access based on the presence of certain keywords contained within the URL. For example:
GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=
We are already blocking the pattern /CTC/.* from the Internet and internal networks using an iRule, but the concern is that there may be other paths that would allow an attacker to run commands such as EXECUTE_CMD, CMDLINE, etc.
Is there a way to block these keywords regardless of the URL patterns being accessed?
Thanks,
Karthik
3 Replies

  • Arie

    This could be tricky, as you would have to check for valid variations (e.g. encoded) as well. A simple string-comparison would still leave room for attackers.
    Would you happen to have a license for ASM? That would be the best way to cover the variations an attacker would use.
    Another option would be to implement some kind of authentication mechanism.
  • Arie

    It would be best to harden the application. A quick search for "hardening SAP" yields numerous resources (including from SAP).
    You may end up having to do both (i.e. harden SAP and augment security on the BIG-IP) - depending on the version of SAP you're running and the options it offers for security/hardening.
    There's a presentation on OWASP's web site that seems to indicate that there are quite a few more problems than the URL commands. It's several years old, so perhaps SAP has fixed those security issues. On the other hand, I found more recent articles that also detail security problems with SAP.
  • Thanks Arie. We are going to be putting up an ASM in the near future and applying relevant SAP Notes. However, in the meantime I need to quickly block these keywords and would appreciate any help in getting this done.
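An added example, not posted by anyone in this thread and not F5's own code: an iRule that percent-decodes the request URI before matching, so the keyword check applies to any path and to the simple encoded variations Arie mentions. The keyword list, the static variable name and the log text are illustrative assumptions.

```tcl
# Added example (not from the original thread): block requests whose decoded,
# lower-cased URI contains command-execution keywords, regardless of path.
# Assumes a BIG-IP LTM iRule; the keyword list is an illustrative assumption.
when RULE_INIT {
    # Keywords to reject anywhere in the normalised URI.
    set static::blocked_keywords [list "execute_cmd" "cmdline" "filesystemconfig"]
}

when HTTP_REQUEST {
    # Decode twice so single- and double-percent-encoded spellings
    # (e.g. %45XECUTE_CMD or %2545XECUTE_CMD) are normalised before matching,
    # then lower-case so the comparison is case-insensitive.
    set uri [string tolower [URI::decode [URI::decode [HTTP::uri]]]]
    foreach kw $static::blocked_keywords {
        if { [string first $kw $uri] != -1 } {
            log local0. "Blocked URI containing '$kw' from [IP::client_addr]: [HTTP::uri]"
            HTTP::respond 403 content "Forbidden" noserver
            return
        }
    }
}
```

This only inspects the request line, so the same parameter names sent in a POST body are not covered, and other evasions (for example mixed character sets) still argue for ASM as suggested above.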