Forum Discussion

Jonathan_c's avatar
Nov 07, 2022

Help with ASM URL wildcard syntax

Hi,

I need to create a URL whitelist for a directory structure such as this:

/constant-name/constant-name/any-name/any-name/.../.../*.css

/constant-name/constant-name/any-name/any-name/.../.../*.pdf

/constant-name/constant-name/any-name/any-name/.../.../*.xml

So, where it says 'any-name' it's equivilant to wildcard, but I don't know how many subfolders there would be.

How would I go about putting it in a the ASM syntax?

Thanks

 

  • Hello Jonathan_c Aren't you using positional parametars in the URL if this is the case as explained in https://support.f5.com/csp/article/K52644614 or https://support.f5.com/csp/article/K72880030 ?

     

    Mohamed_Ahmed_Kansoh  suggestions are on the mark but if you are using positional parameters then see the article I provided and then you will have more granual control like to use static or dynamic parameters once F5 decodes the URL and the position of the parameters.

      • Nikoolayy1's avatar
        Nikoolayy1
        Icon for MVP rankMVP

        Yup after that you can make the parameter static/dynamic or enable/dissable attack signatures for it like any other normal patameter as Jonathan_c example's is as command injection attack maybe for the URL this is not detected and if after using positional parameters still this is not blocked then the attack signatures need to be checked if the correct one is present and enforced (not in staging). The command injection signature can be enforced only for the positional parameter if it causes false postives in other places.

  • Hi Jonathan_c , 

    Try this : 
          /constant-name/constant-nam/*.css
         /constant-name/constant-name/*.xml

        /constant-name/constant-name/*.pdf 
    - Make sure that you remove the " * " by default wildcard entity in allowed Urls and file types.
    - Also Make sure that you configure ( pdf , xml , css ) as allowed file types. 

    Also refer to these KBs : 
    https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/31.html

    and this as well : 
    https://support.f5.com/csp/article/K8623

    it will help you much for correct syntax. 
    hope this help you. 
    Thanks

     

    • Jonathan_c's avatar
      Jonathan_c
      Icon for Cirrus rankCirrus

      Hi Mohamed,

      Thanks for your suggestions.

      Let me just be more clear - I'm looking to block attemps were an attacker tries to insert code in the URL path, such as:

      /folder1/folder2/folder|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1`/folder3/styles.css

      if i'll add the URL like you suggested, won't it also allow the above example?

      • Hi Jonathan_c , 
                well , 
         I thought that you want to create these URLs as allowed. 

        > My recomendation is : 
        Ping in urls or users requests does not make sense and it should be sent such these requests to application so Create a disallowed Wildcard url.  
        choose if your application is  Http or https and  it should be like this : " *ping* " . 

        Or 

        you can create custom attack signature matches to " Ping " Word and assign it to your impacted ASM policy. 

        If you want to test the Cusom ping attack signature , I can do it and send the results to you. 
        or Check this KB :
         
        https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html


        I hope it work with you
        Ty 

  • I also wasn't aware of the positional parameters, it looks helpful but I don't see how it can help in this scenario.

    for example, if I'll create a URL with positional parameters like this:

    Won't it will still allow a code injection where the wildcard is (marked red)?

    Also, does this wildcard accepect one path level or any number of subfolders?

    Anyway, I understand I'll need to add several more attack signatures in order to cover all bases.

    Thank you Nikoolay and Mohamed for your inputs, they really helped me.

     

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP

      Better read an play/test with positional parameters to get the idea as they can work with wildcards or as wildcards (you will have to talk with your developers to get the idea how to configure the parameters) and then see if the command injections is detected and if not as I mentioned then maybe you have not added a signature set and/or enforced the correct signature.

       

      That is my opinion and the input I can provide.