ADDITIONAL MITIGATIONS USING ACOS 5.2.X AND 4.1.4-GR1
For deployments running the ACOS 5.2.1 or 4.1.4-GR1 release families, HTTP request smuggling exposures related to HTTP/2 and/or
invalid header characters can be further mitigated using the following procedures.
ACOS 5.2.1-P3/PRIOR AND 4.1.4-GR1
For 5.2.1-P3 and earlier releases, and for 4.1.4-GR1 releases, apply the aFlex script below.
1. Also add the following aFlex rule (on a match it returns a 403 response and closes the connection; the return code and response body can be customized in the script).
aflex create SmugglingPrevention_http1and2_521p3_n_prior
when HTTP_REQUEST {
if { [HTTP::version] equals "2.0" } {
#If necessary, the following return code and respond string can be customized
set returnCode 403
set resp "<html><title>Request Denied!</title><body><center><h1>Request Denied!</h1><p>If you
have any questions contact the admin.</center></body></html>"
foreach header [HTTP::header names] {
set value [HTTP::header values $header]
set count 0
if { ($value contains "\r") or ($value contains "\n") or ($header matches
{[Tt][Rr][Aa][Nn][Ss][Ff][Ee][Rr][-_][Ee][Nn][Cc][Oo][Dd][Ii][Nn][Gg]*}) or ($header matches
{[Cc][Oo][Nn][Tt][Ee][Nn][Tt][-_][Ll][Ee][Nn][Gg][Tt][Hh]*}) } {
#Potential Special Character Smuggling or TE/CL header Detected
HTTP::respond $returnCode content $resp
HTTP::close
}
foreach header1 [HTTP::header names] {
set value1 [HTTP::header values $header]
if { ($header equals $header1) and ($value equals $value1) } {
set count [expr $count + 1]
}
}
if { ($count >= 2) and ($header matches {[Hh]ost}) } {
#Duplicated host headers are detected
HTTP::respond $returnCode content $resp
HTTP::close
}
}
}
if { ([HTTP::version] equals "1.0") or ([HTTP::version] equals "1.1") } {
set count 0
#If necessary, the following return code and respond string can be customized
set returnCode 403
set resp "<html><title>Request Denied!</title><body><center><h1>Request Denied!</h1><p>If you
have any questions contact the admin.</center></body></html>"
foreach header [HTTP::header names] {
set value [HTTP::header values $header]
log "$header"
if { ($value contains "\r") or ($value contains "\n") or ($header contains "\r") or
($header contains "\n") or ($header contains "\\") or ($header contains "%") or ($header contains "?")
or ($header contains "\(") or ($header contains "\)") or ($header contains "\<") or ($header contains
"\>") or ($header contains "\@") or ($header contains "\,") or ($header contains "\;") or ($header
contains "\<") or ($header contains "\"") or ($header contains "\/") or ($header contains "\[") or
($header contains "\]") or ($header contains "\=") or ($header contains "\{") or ($header contains
"\}") or ($header contains "\t") } {
HTTP::respond $returnCode content $resp
HTTP::close
}
if { ($header matches {[Tt][Rr][Aa][Nn][Ss][Ff][Ee][Rr][-
_][Ee][Nn][Cc][Oo][Dd][Ii][Nn][Gg]*}) or ($header matches {[Cc][Oo][Nn][Tt][Ee][Nn][Tt][-
_][Ll][Ee][Nn][Gg][Tt][Hh]*}) } {
set count [expr $count + 1]
}
if { ($count >= 2) } {