topic Limiting http methods to specific URLs in Custom Signatures

Limiting http methods to specific URLs

IamJoeG — Fri, 11 Jun 2021 12:58:06 GMT

Has anyone had luck limiting http methods like PUT to limited URLs? For example, limiting a PUT to https://www.foo.com/ but not to https://www.foo.com/folder1 ? I've created a custom vulnerability that allows the http-method (http-req-header length > 0 which http-method=PUT) in a custom vulnerability but I am having trouble limiting it to the host only portion or the URL/URI. Not sure if this should be further defined in the custom vulnerability, URL category, or just as an fqdn address object? I am trying to think that if I have a use case in the future to allow to https://www.foo.com/folder2 but not https://www.foo.com/folder2/uploads would it be the same solution?

Re: Limiting http methods to specific URLs

mivaldi — Wed, 30 Jun 2021 19:36:14 GMT

You should try using a targeted security policy with a Custom URL entry to match the URN of interest in the Service/URL Category tab of the Security Policy Rule. You will then apply the restrictive Vulnerability Protection Profile with an Exception set to block on your Custom Vulnerability Signature. Note that given that these are HTTP(S) resources, this is dependent on successful TLS decryption.

Re: Limiting http methods to specific URLs

IamJoeG — Thu, 01 Jul 2021 11:59:22 GMT

Thanks, any idea what the terminating character for the custom URL would be? For instance, how would one limit to only the top level meaning example.com but not grant access to example.com/file1, example.com/cgi-bin, or example.com/*

Re: Limiting http methods to specific URLs

Lucky — Thu, 01 Jul 2021 12:17:38 GMT

you can block a single URL if you use a literal URL for the policy and no special characters such as asterisk tailing the string, so just put in example.com/ and no "*" at the end.