Dave_Pisarek (Cirrus), May 19, 2021
XFF and sleep
Recently I was asked about mitigating the below XFF header:
X-Forwarded-For: (select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/
Basically it is an injection to sleep the request.
The question was, can we enforce that the X-Forwarded-For header contains ip data only?
Working with LTM and ASM I was thinking either an iRule or a custom attack signature to mitigate any requests where wording is in the XFF header.
Before I start testing different options, has anyone encountered and implemented any protection for this type of request?
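One way to enforce "IP addresses only" in X-Forwarded-For on LTM is an iRule attached to the virtual server. This is an added example, not code from the original post; the log message text is my own, and the IPv6 pattern is deliberately simplified (hex groups, colons, optional dotted IPv4 tail), so it accepts every well-formed IPv6 address but does not reject every malformed one.

```tcl
# Added example: reject requests whose X-Forwarded-For holds anything
# other than a comma-separated list of IPv4/IPv6 addresses.
when HTTP_REQUEST {
    # The header is optional; requests without it are left alone.
    if { ![HTTP::header exists "X-Forwarded-For"] } { return }

    # IPv4: four dotted decimal octets, each 0-255.
    set v4 {^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$}
    # IPv6 (simplified): hex groups separated by colons, at least one colon,
    # optional dotted IPv4 tail for mapped addresses such as ::ffff:192.0.2.1.
    set v6 {^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}(\.[0-9]{1,3}){0,3}$}

    set valid 1
    # A client may send the header more than once; check every instance,
    # and every comma-separated hop inside each instance.
    foreach hdr [HTTP::header values "X-Forwarded-For"] {
        foreach entry [split $hdr ","] {
            set entry [string trim $entry]
            if { !([regexp $v4 $entry] || [regexp $v6 $entry]) } {
                set valid 0
                break
            }
        }
        # break only leaves the inner loop, so leave the outer one here too
        if { !$valid } { break }
    }

    if { !$valid } {
        # Log the source only; the offending value is not copied into the log.
        log local0. "Rejected request from [IP::client_addr]: X-Forwarded-For is not an IP list"
        HTTP::respond 400 content "Bad Request" "Connection" "close"
        return
    }
}
```

The sleep() payload quoted above fails both patterns (parentheses, letters, quotes) and gets a 400; if you would rather sanitise than reject, replace the HTTP::respond line with HTTP::header remove "X-Forwarded-For" and let the request through without the header.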