Forum Discussion
Allow vuln scanner or pen tester access dynamically? One time code, OTP, comparison?
Chris, I understand the challenge here. What you can do is have a dynamic tag which changes daily (or weekly or monthly - whatever suits you). Not quite OTP, but easy to manage and set up.
The way to achieve it is to write an iRule which takes the current date and mixes it with some "secret" "salt" value and then hashes the result using a hashing function (e.g. MD5 or SHA1 or whatever your security requirements for a hashing function are).
For example (let's assume the secret is "cdjac0bsen")
we take today's date 20171018 and add the secret (e.g. concatenate with a dash):
"20171018-cdjac0bsen"
then the above value is hashed using MD5. It produces "d39cb5a222be728dddd1ff3adc480cb5" - you can simply give this token to your pentesters - this token will be valid for the whole day.
Tomorrow the token will change to: 81e20431312f37d6572651d242f2521a (MD5 of "20171019-cdjac0bsen").
The iRule will compare the token value received in the header X-SCAN-TESTING with this calculated value. If they match - it is a valid pentester; if they don't match - it is a hacker or someone using an old/stolen token.
Hope this helps,
Sam
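The same daily-token idea as an added Python example (not part of Sam's reply and not F5 iRule code): the token is derived with an HMAC over the date instead of a bare hash of date+secret, the check uses a constant-time comparison, and the previous day's token is still accepted so a scan that crosses midnight is not flagged. The header name X-SCAN-TESTING comes from the thread; the secret and the sample requests are constructed.

```python
import hmac
import hashlib
import datetime as dt

# Constructed sample secret; in production load it from a secret store.
SECRET = b"example-secret-change-me"
HEADER = "X-SCAN-TESTING"  # header name used in the thread


def daily_token(day: dt.date, secret: bytes = SECRET) -> str:
    """Token for one calendar day: HMAC-SHA256 over the YYYYMMDD string.
    An HMAC (rather than hash(date + secret)) keeps a leaked token from
    being a useful starting point for recovering the secret."""
    msg = day.strftime("%Y%m%d").encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def is_valid_token(presented: str, today: dt.date, grace_days: int = 1,
                   secret: bytes = SECRET) -> bool:
    """Accept today's token and up to grace_days earlier ones so a scan
    that runs past midnight is not suddenly treated as hostile.
    compare_digest avoids leaking the expected value byte by byte."""
    for back in range(grace_days + 1):
        expected = daily_token(today - dt.timedelta(days=back), secret)
        if hmac.compare_digest(presented.encode(), expected.encode()):
            return True
    return False


def classify_request(headers: dict, today: dt.date) -> str:
    """Mirrors the iRule decision: 'scanner' when the header carries a
    currently valid token, otherwise 'untrusted' (log and treat as normal
    traffic, do not whitelist)."""
    presented = headers.get(HEADER, "")
    return "scanner" if is_valid_token(presented, today) else "untrusted"


if __name__ == "__main__":
    day = dt.date(2017, 10, 18)  # date used in the thread
    print(HEADER + ":", daily_token(day))
    # Constructed sample requests: a current token and a stale two-day-old one.
    print(classify_request({HEADER: daily_token(day)}, day))
    print(classify_request({HEADER: daily_token(dt.date(2017, 10, 16))}, day))
```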