Don't Allow a URL containing an MS-DOS device name

sverreA Member
Hi!
I would like to use our AX1030 and aFleX to make sure that "Microsoft ASP.NET MS-DOS Device Name DoS" requests get a 404.5 response.

"Microsoft ASP.NET MS-DOS Device Name DoS" requests have one of the following as a sequence in the URL:
AUX
CON
PRN
NUL
COM1
LPT1
LPT2
LPT3
COM2
COM3
COM4

Any suggested way to solve this in a scalable way?

Thanks!

Comments

  • jserrano Member ✭✭
    edited August 2017
    Hi,
    Just create a class list containing all patterns:

        !
        class-list msdosdn string
        str AUX
        str CON
        str PRN
        str NUL
        str COM1
        str LPT1
        ...
        !

    Then you can match the URL against your class list using aFleX:

        when HTTP_REQUEST {
            if {[CLASS::match [HTTP::uri] contains msdosdn]} {
                HTTP::respond 404 content "Your request was blocked"
            }
        }

    Class list matching is far more efficient than regex matching and allows updating the class list on the go without traffic impact.

    Regards
  • sverreA Member
    edited August 2017
    Thanks!

    My final script ended up like this:

        when RULE_INIT {
            # Set DEBUG to 1 to log every blocked request
            set ::DEBUG 0
            # Name of the class list holding the device-name patterns
            set ::CLASSLIST "msdosdn"
        }

        when HTTP_REQUEST {
            # Lowercase the URI before matching it against the class list
            set URI [string tolower [HTTP::uri]]
            if { [CLASS::match $URI contains $::CLASSLIST value] != ""} {
                HTTP::respond 404 content "Your request was blocked"

                if { $::DEBUG == 1 } { log "[HTTP::host] found match in URI: $URI" }
            }
        }
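
An added example, not part of the thread and not A10 code: a small offline Python harness for checking how a pattern list behaves on sample URIs before it goes into the class list. It compares the `contains` substring match used in the scripts above with a stricter per-path-segment match; the segment rule, the function names and the sample URIs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Device names listed in the original question, lowercased for comparison.
DEVICE_NAMES = {"aux", "con", "prn", "nul", "com1", "com2", "com3", "com4",
                "lpt1", "lpt2", "lpt3"}


def substring_match(uri: str) -> bool:
    """Mirror of the thread's rule: a listed name anywhere in the lowercased URI."""
    lowered = uri.lower()
    return any(name in lowered for name in DEVICE_NAMES)


def segment_match(uri: str) -> bool:
    """Assumed stricter rule: a path segment whose base name is a device name."""
    # Look at the path only (no query string), decoded and lowercased.
    path = unquote(urlsplit(uri).path).lower()
    for segment in path.split("/"):
        base = segment.split(".", 1)[0]  # "aux.aspx" -> "aux"
        if base in DEVICE_NAMES:
            return True
    return False


# Constructed sample request URIs, not taken from real traffic.
SAMPLES = [
    "/aux.aspx",
    "/app/CON",
    "/contact.aspx",
    "/icons/logo.png",
    "/search?q=null",
]


def compare(uris):
    """Return (uri, substring_result, segment_result) for each URI."""
    return [(u, substring_match(u), segment_match(u)) for u in uris]


if __name__ == "__main__":
    for uri, sub, seg in compare(SAMPLES):
        print(f"{uri:20} substring={sub!s:5} segment={seg}")
```

The last three samples are blocked by the substring rule but not by the segment rule, which is the false-positive rate to weigh before enabling a `contains` match on short strings such as CON or NUL.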