Forum Discussion

HarshaPotharaju's avatar
HarshaPotharaju
Icon for Nimbostratus rankNimbostratus
Mar 28, 2019

URL rewrite iRule - ASM

ASM is blocking a request which doesn't have domain name in one of the parameters in the URI.

 

Background: example.domain.com is a VIP and has ASM enabled. Below is the default breakdown login page that changes per request, the issue is one of parameters(resource_url), is missing the domain name, example.domain.com before the context root, /user/loginsso, and ASM thinks it's a web command execution attack and blocking it and I don't want to unblock ASM for this particular request type.

 

I think rewriting the URI fixes the issue but,

 

  1. if it is an LTM iRule, does ASM triggers based on the source URL or rewrite URL?

     

  2. if based on source URL, then what are the config changes to be done in the ASM?

     

  3. and couple of paramters in the url changes per request, so not sure how to use the stringmap, please help.

     

https://example.domain.com/login/login.html

 

?bmctx=some random ID that changes per request

 

&contextType=external

 

&miscCookies=disablehttponly

 

&username=string

 

&OverrideRetryLimit=1

 

&password=secure_string

 

&challenge_url=https://example.domain.com/login/login.html

 

&ssoCookie=disablehttponly

 

&DCCCtxCookieMaxLength=5000

 

&request_id=some ID that changes per request

 

&authn_try_count=0

 

&locale=en_US

 

&resource_url=/user/loginsso

 

Expected:

 

resource_url=https://example.domain.com/user/loginsso

 

  • Hi Harsha,

    the

    HTTP_REQUEST
    event is executed before ASM received the request. If you manipulate the request within this event, ASM is going to enforce its policy based on the already manipulated request.

    The iRule below will check for the badly formated login page requests and transparently rewrites them to the correct format.

    when HTTP_REQUEST {
        if { [string match -nocase "/login/login.html*&resource_url=/user/loginsso*" [HTTP::uri]] } then {
            HTTP::uri [string map -nocase { "&resource_url=/user/loginsso" "&resource_url=https://example.domain.com/user/loginsso" } [HTTP::uri]] 
        }
    }
    

    Cheers, Kai