Forum Discussion
ASM hide parameter sensitive data in the logs
Hi, I am trying to hide (mask) sensitive data for parameters such as password, social ID, etc. I added a parameter in the (Security --> Application Security --> Parameters --> Sensitive Parameters) without success. I also added a parameter in the parameters' list, no luck. The password is still in clear text in the logs. My OS version is 12.3.1. I am using POST requests and the parameters are in the header as follows:
POST /myloginpage HTTP/1.1
Host: mysite.com
Connection: keep-alive
Content-Length: 1412
Cache-Control: max-age=0
Origin: https://mysite.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Referer: https://mysite.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie : cookie....

NAME_2_AJXButtonAction&C2__LOGIN%5B1%5D.ACCESSCODE=myuser&C2__LOGIN%5B1%5D.FORMPASSWORD=mypass
Any hint?
Thank you.
om
3 Replies
- Erik_Novak
Employee
Can you try adding the parameter manually, define it as Global, and then select the option to Mask Value in Logs?
- Stanislas_Piro2
Cumulonimbus
In your POST data, the parameter name is
C2__LOGIN%5B1%5D.FORMPASSWORD
Did you try to add this parameter as a sensitive parameter, or the decoded value:
C2__LOGIN[1].FORMPASSWORD
- OM
Nimbostratus
Solved... When using the Allowed URLs feature along with sensitive parameters, there is a parameter called "Request Body Handling" within the URLs configuration that has to be set to "Form Data".
Now the password is masked in the logs.
Thank you all for your help.
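
An added illustration, not part of the thread and not F5's implementation, of why both points raised above matter: masking by parameter name only works once the body is parsed as URL-encoded form data, and the name has to be compared in its decoded form. The `body_handling` values `"opaque"` and `"form-data"`, the function names, and the fixed-length mask are assumptions made for this sketch.

```python
from urllib.parse import unquote_plus

# Decoded parameter name to mask (the name from the thread after URL-decoding).
SENSITIVE = {"C2__LOGIN[1].FORMPASSWORD"}
# Fixed-length mask so the log does not reveal the length of the secret.
MASK = "********"


def mask_form_body(body: str, sensitive=SENSITIVE) -> str:
    """Mask sensitive values in a urlencoded body; other pairs stay byte-for-byte intact."""
    out = []
    for pair in body.split("&"):
        name, sep, value = pair.partition("=")
        # Compare the *decoded* name, so %5B1%5D, %5b1%5d and [1] all match.
        if sep and unquote_plus(name) in sensitive:
            value = MASK
        out.append(name + sep + value)
    return "&".join(out)


def log_line(body: str, body_handling: str) -> str:
    """Hypothetical logger: parameters exist only when the body is parsed as form data."""
    if body_handling == "form-data":
        return mask_form_body(body)
    # Opaque body: no parameter names are extracted, so nothing can be masked.
    return body


# Constructed sample, based on the body posted in the thread.
SAMPLE = ("NAME_2_AJXButtonAction&C2__LOGIN%5B1%5D.ACCESSCODE=myuser"
          "&C2__LOGIN%5B1%5D.FORMPASSWORD=mypass")

if __name__ == "__main__":
    print("opaque   :", log_line(SAMPLE, "opaque"))
    print("form-data:", log_line(SAMPLE, "form-data"))
```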