Forum Discussion

Zdenda's avatar
Zdenda
Icon for Cirrus rankCirrus
Apr 03, 2018

ASM Api Rest $filter question

Hi,

version 12.1.2, ASM module.

I need to use $filter together with option "contains", not "eq" as commonly used. According to this article it should be possible, but it looks it is not as I've been getting only parsing errors.

Example: From list of ASM policy signatures I need to find signature using ID given by GUI. Looks like it is possible only by looping through all signatures within policy (

/asm/policies//signatures
) and trying to match against signature ID which I got when asking 
/asm/signatures?$filter=signatureId eq &$select=id
.

In practise I need to filter signature which 

signatureReference
contains specific ID 
o4C6lMG4tza8YX-85RRKFA
:

{   u'items': [{  u'enabled': True,
                  u'id': u'K4k2wNgjBwH6B81hkIIDwg',
                  u'kind': u'tm:asm:policies:signatures:signaturestate',
                  u'lastUpdateMicros': 1521786878000000.0,
                  u'performStaging': True,
                  u'selfLink': u'https://localhost/mgmt/tm/asm/policies/9gV6OhNsX7jnw9sPSfRGmQ/signatures/K4k2wNgjBwH6B81hkIIDwg?ver=12.1.2',
                  u'signatureReference': {   u'link': u'https://localhost/mgmt/tm/asm/signatures/o4C6lMG4tza8YX-85RRKFA?ver=12.1.2'}}],
    u'kind': u'tm:asm:policies:signatures:signaturecollectionstate',

When trying this GET request:

/asm/policies/9gV6OhNsX7jnw9sPSfRGmQ/signatures?$filter=signatureReference contains o4C6lMG4tza8YX-85RRKFA'

I get error:

Can not parse $filter: \'signatureReference contains o4C6lMG4tza8YX-85RRKFA\'

Question is, is really using "contains" supported when using $filter in Rest API?

Thanks, Zdenek

ASM Advanced WAF
cloud
iControlREST
security

2 Replies

Sort By
  • suttonsc's avatar
    suttonsc
    Icon for Employee rankEmployee
    Jun 05, 2018

    The syntax can be a bit tricky, for curl there is the added escaping that is not needed if using Postman. The following was tested using curl against BIG-IP v12.1.3.4:

     

    Simple filter using contains:

     

    $ curl -sku admin:admin https://155.121.lab.es.f5net.com/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?\$filter=contains\(id,\'_zZQ8rpWoL9mFeg8MZqIIg\'\) | jq .
{
  "kind": "tm:asm:policies:signatures:signaturecollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?ver=12.1.3&$filter=contains(id%2C'_zZQ8rpWoL9mFeg8MZqIIg')",
  "totalItems": 1,
  "items": [
    {
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures/_zZQ8rpWoL9mFeg8MZqIIg?ver=12.1.3",
      "signatureReference": {
        "link": "https://localhost/mgmt/tm/asm/signatures/3lXrJ-kq-EnlidWPaM32Ug?ver=12.1.3"
      },
      "lastUpdateMicros": 1464814636000000,
      "id": "_zZQ8rpWoL9mFeg8MZqIIg",
      "performStaging": true,
      "enabled": true
    }
  ]
}
`
    
When trying to parse the 'signatureReference' there is a invalid reference issue unless you expand and then filter:

    `$ curl -sku admin:admin https://155.121.lab.es.f5net.com/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?\$expand=signatureReference\(signature/id,\'3lXrJ-kq-EnlidWPaM32Ug\'\) | jq .
{
  "kind": "tm:asm:policies:signatures:signaturecollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?$expand=signatureReference&ver=12.1.3&$filter=contains(signature%2Fid%2C'3lXrJ-kq-EnlidWPaM32Ug')",
  "totalItems": 1,
  "items": [
    {
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures/_zZQ8rpWoL9mFeg8MZqIIg?ver=12.1.3",
      "signature": {
        "matchesWithinGwt": true,
        "isUserDefined": false,
        "matchesWithinCookie": true,
        "selfLink": "https://localhost/mgmt/tm/asm/signatures/3lXrJ-kq-EnlidWPaM32Ug?ver=12.1.3",
        "matchesWithinParameter": true,
        "systems": [
          {
            "systemReference": {
              "link": "https://localhost/mgmt/tm/asm/signature-systems/b9hI1sIulARJ09bbdy0VQw?ver=12.1.3"
            }
          }
        ],
        "matchesWithinXml": true,
        "id": "3lXrJ-kq-EnlidWPaM32Ug",
        "matchesWithinHeader": false,
        "signatureId": 200000128,
        "matchesWithinJson": true,
        "name": "img tag: src/dynsrc/lowsrc (Parameter)",
        "lastUpdateMicros": 1525137548000000,
        "description": "Summary:\nThis event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).\n\n--\nImpact:\nSuccessful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.\n\n--\nDetailed Information:\nThis event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.\nCross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.\n\n--\nAffected Systems:\nAll systems that accept user input are potentially affected.\n\n--\nAttack Scenarios:\nAn attacker can supply a malicious link designed to steal information from a user clicking on that link.\n\n--\nEase of Attack:\nVary from simple to medium.\n\n--\nFalse Positives:\nSome applications send various script code to the web server as legitimate input.\nSome free-text user input may match Cross Site Scripting signatures.\n\n--\nFalse Negatives:\nNone known.\n\n--\nCorrective Action:\nEnsure the system is using an up to date version of the software and has had all vendor supplied patches applied.\nUtilize \"Positive Security Model\" by accepting only known types of input in web application.\n\n--\nAdditional References:\n\nThe Cross Site Scripting (XSS) FAQ\nhttp://www.cgisecurity.com/articles/xss-faq.shtml\n\nCross-site scripting\nhttp://en.wikipedia.org/wiki/Cross_site_scripting\n\n--\n",
        "revision": "3",
        "attackTypeReference": {
          "link": "https://localhost/mgmt/tm/asm/attack-types/MFsWvSAV_Z5j1vSkR0hnXg?ver=12.1.3"
        },
        "matchesWithinResponse": false,
        "matchesWithinRequest": false,
        "matchesWithinUri": false,
        "accuracy": "low",
        "risk": "low",
        "signatureType": "request"
      },
      "lastUpdateMicros": 1464814636000000,
      "id": "_zZQ8rpWoL9mFeg8MZqIIg",
      "performStaging": true,
      "enabled": true
    }
  ]
}

    Let me know if this answers your question.