HTTP Post Control

You can enhance the security of public facing read-only HTTP servers by disallowing the HTTP POST method.

First, use Notepad or another text editor to create a new document called Post.htm that contains the HTML code below. Save the file to your desktop or a convenient location.

<p>Please enter your name: <input type="Text" name="FullName"></p>

Then open the Wireshark network analyzer and start a capture. For information about using Wireshark, see Wireshark . In a browser, open the Post.htm form you just created and type in your name and then click Submit. Stop the capture.

Using the Wireshark Edit > Find Packet function, search for the string ‘POST’.

Wireshark will jump to the first frame that contains the requested data. You should see something like the screen shown below. This indicates that the HTTP POST method is transmitted immediately after the TCP header information and is comprised of the first four bytes (504f5354) of the TCP payload (HTTP application layer). You can use that information to create a custom match object that detects the HTTP POST method.

In the SonicOS management interface, navigate to Firewall > Match Objects, and then click Add New Match Object. Create a match object like the one shown below. Notice that in this particular match object you would use the Enable Settings feature to create an object that matches a specific part of the payload. The Offset field specifies which byte in the payload to begin matching and helps to minimize false positives by making the match more specific. The Depth field specifies at what byte to stop matching. The Min and Max fields allow you to specify a minimum and maximum payload size.

Next, navigate to Firewall > App Rules and click Add New Policy. Create a policy like the one shown below.

To test, use a browser to open the Post.htm document you created earlier. Type in your name and then click Submit. The connection should be dropped this time and you should see an alert in the log similar to the one shown below.