XSS checks in irule

Question

Hi &nbsp;
&nbsp;Can an irule check for special chars in a switch statement?  &nbsp;&nbsp;
&nbsp; switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param1]] {
&nbsp;    "*&lt;" {
&nbsp;    set variable "xss"
&nbsp;      }
&nbsp;    "*&gt;" {
&nbsp;    set variable "xss"
&nbsp;      }
&nbsp;    "*)" {
&nbsp;    set variable "xss"
&nbsp;      }
&nbsp;    "*%" {
&nbsp;    set variable "xss"
&nbsp;      }&nbsp;
&nbsp;And can i check another parameter using a switch statement after the first one (I only need to check 2)?&nbsp;
&nbsp; when HTTP_REQUEST_DATA {
&nbsp;   &nbsp;
&nbsp;switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param1]] {
&nbsp;    "&lt;" {
&nbsp;    set variable "xss"
&nbsp;    }
&nbsp;    "&gt;" {
&nbsp;    set variable "xss"
&nbsp;    }
&nbsp;    ")" {
&nbsp;    set variable "xss"
&nbsp;    }
&nbsp;    "%" {
&nbsp;    set variable "xss"
&nbsp;    }
&nbsp;    }&nbsp;
&nbsp;   switch -glob [URI::decode [URI::query "?[HTTP::payload]" Param2]] {
&nbsp;    "&lt;" {
&nbsp;    set variable "xss"
&nbsp;      }
&nbsp;    "&gt;" {
&nbsp;    set variable "xss"
&nbsp;      }
&nbsp;    ")" {
&nbsp;    set variable "xss"
&nbsp;      }
&nbsp;    "%" {
&nbsp;    set variable "xss"
&nbsp;      }&nbsp;
&nbsp;}&nbsp;
&nbsp;Thanks&nbsp;&nbsp;

hooleylist · Answer

Hi Yozzer, 
&nbsp;  
&nbsp; Yes, you can check for potentially malicious metacharacters in a parameter value using an iRule.  You might want to add a * to the end of the switch cases if you want to match the character at any position instead of just at the end of the parameter value.  You'll also need to collect the full payload using HTTP::collect in HTTP_REQUEST if you want to check parameter values in POST payloads. 
&nbsp;  
&nbsp; https://devcentral.f5.com/wiki/iRules.http__collect.ashx 
&nbsp;  
&nbsp; Aaron

yozzer · Answer

So "*%*" for each would pick it up anywhere it appears?&nbsp;
&nbsp;e.g. param1=%blah%blah%&nbsp;&nbsp;
&nbsp;I just need it to trigger on at least 1 of them wherever it is in the parameter.&nbsp;
&nbsp;Thanks&nbsp;

yozzer · Answer

I have noticed that it wont trigger if i check for % or : 
&nbsp;  
&nbsp; "*%*"  or "**" 
&nbsp;  
&nbsp; Any ideas? 
&nbsp;  
&nbsp; Thanks &nbsp;

yozzer · Answer

Hi &nbsp;
&nbsp; Is it possible to have the input to the switch checked by ASM to identify XSS checks? I want to prevent null byte attacks in POST parameters.&nbsp;
&nbsp;Is it possible to check the switch payload for the number of parameters.  I want to disregard it is it has more than 2.  I can accept Param1 and Param2 but if i see any other then i want to dump it as the POST request has been tampered with.&nbsp;
&nbsp; Thanks &nbsp;

yozzer · Answer

This seemed to solve the null byte issue and simplified my irule checks: 
&nbsp;  
&nbsp;    if { [matchclass [string tolower [HTTP::payload]] contains xssblocked] }{ 
&nbsp;       HTTP::respond 403 "Blocked" 
&nbsp;  
&nbsp; Would just like to count the number of times the &amp; char appears in the payload and throw an exception if there is more than 1 found.  Any ideas?

Forum Discussion

XSS checks in irule

8 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Cross Site Scripting (XSS) Exploit Paths

iRule Checking for No Value

Check a Virtual Server's SSL Status

Adding Security HTTP Headers with an iRule for HSTS, XSS, Clickjacking and Content Web Protection

Leaked Credential Check with Advanced WAF