topic Wildcards in custom Apps in Endpoint

Wildcards in custom Apps

Vladimir — Tue, 11 Jun 2019 17:16:48 GMT

I am attempting to whitelist a long list of domains used by the user awareness training campaign.

And am seeing this:

Can we get some clarity on why this is not working and how to get around this issue.

The lab is 80.30EA, but the client is running 80.20.

Thank you,

Vladimir

Re: Wildcards in custom Apps

PhoneBoy — Thu, 13 Jun 2019 18:26:37 GMT

I think the actual issue is the /* at the end of your URL, not the * at the beginning.

Re: Wildcards in custom Apps

_Val_ — Fri, 14 Jun 2019 09:54:29 GMT

it says it right there, remove / at the end of domain

Re: Wildcards in custom Apps

Vladimir — Fri, 14 Jun 2019 14:13:03 GMT

@PhoneBoy and @_Val_ , but the UG states that the "/*" should be there. Would the custom app defined with asterisk before domain name only allow for any path?

Re: Wildcards in custom Apps

PhoneBoy — Fri, 14 Jun 2019 14:41:26 GMT

I think the docs are in error in this case, the /* isn't required.

Re: Wildcards in custom Apps

Paul_Grigg — Mon, 17 Jun 2019 09:17:51 GMT

The editor will accept both / and * but not together.

Re: Wildcards in custom Apps

G_W_Albrecht — Mon, 17 Jun 2019 10:12:25 GMT

Reminds me of sk106623 Custom Application/Site that was created to match a domain and sub-domains, is not matched by Application & URL Filtering policy...

Re: Wildcards in custom Apps

Vladimir — Mon, 17 Jun 2019 12:50:34 GMT

@Paul_Grigg , can you describe the anticipated behavior in each case?

Re: Wildcards in custom Apps

Vladimir — Mon, 17 Jun 2019 12:56:38 GMT

Thank you @G_W_Albrecht , but CP puts out a warning sign in the same sk you are referencing.

Specifically, the notion of "not using REGEX with HTTPS sites unless inspection is enabled".

Re: Wildcards in custom Apps

G_W_Albrecht — Mon, 17 Jun 2019 13:10:37 GMT

What i mean is:

Application/Site was created with URL *.example.com to match domain "example.com" and sub-domains "*.example.com".

This will not work, only *example.com* - and this seems like your issue to me, when *example.com/* will not work, only *example.com/ or *example.com*.

RegEx might be helpful here when https inception is used...

Re: Wildcards in custom Apps

Vladimir — Mon, 17 Jun 2019 13:56:36 GMT

@G_W_Albrecht , if HTTPS inspection would've been enabled, perhaps.

This being said, I am hesitant to suggest enabling HTTPS inspection on anything not running R80.30, where it is significantly improved. But R80.30 still has some issues, (you can find one of the threads describing MABDA shortcomings).

Also, one of my acquaintances recently published a paper of how to use REGEX processing as a target for DOS and it was not pretty. So I am trying to stay away from its use unless absolutely necessary.

Re: Wildcards in custom Apps

G_W_Albrecht — Mon, 17 Jun 2019 14:07:02 GMT

You did not state in your post that you do not use https, so i did falsely assume that.! R80.30 has several shortcomings - a MABDA HF (sk113410) should only be available in July, also a new build is planned for ca. 2 month from now. At least, we have a R80.30 MTA Update HF...

Using RegEx for DOS sounds interesting, please point out that paper to us all ! Up to now, the danger was that people use RegEx expressions with a wrong syntax (i at least had some customers that did that), so it did not work as expected.

Re: Wildcards in custom Apps

Vladimir — Mon, 17 Jun 2019 14:19:51 GMT

@G_W_Albrecht , I actually see relatively low number of companies adopting HTTPS inspection and am hoping to push them to it once 80.30 matures a bit.

You can read the short write-up here and check the links at the end for additional references:

https://medium.com/@somdevsangwan/exploiting-regular-expressions-2192dbbd6936

Re: Wildcards in custom Apps

G_W_Albrecht — Mon, 17 Jun 2019 15:06:51 GMT

Thank you for the link ! Yes, you always better think twice when using RegEx - and nested repetition ops are not a good idea... But it is like i already said - you have to know a lot before using RexEx...

Re: Wildcards in custom Apps

G_W_Albrecht — Tue, 18 Jun 2019 13:02:14 GMT

Again regarding DOS on RegEx: With CP GWs, RegEx is used on the user URLs in APP CTRL and URL filtering. So an attack here has to come from the internal net, as requests from outside do not trigger APP CTRL and URL filtering.

So, the issues with RegEx are clearly not important when used with APP CTRL and URL filtering.

Re: Wildcards in custom Apps

Vladimir — Tue, 18 Jun 2019 13:14:32 GMT

@G_W_Albrecht , I suspect that it is still exploitable from outside using URL encoding, such as those described here:

https://nvisium.com/blog/2015/06/11/regex-regularly-exploitable.html

Re: Wildcards in custom Apps

G_W_Albrecht — Tue, 18 Jun 2019 13:28:09 GMT

It is only exploitable if your servers that can be reached from outside employ such RegEx to filter input - but the RegEx in APP CTRL and URLF will not be exploitable.