Forum Discussion
Bruteforce configuration issue with x-www-urlencoded
Hello,
We have the following brute-force configuration issue with the x-www-urlencoded application content type on our BIG-IP, version 13.1.1.
We have a login page test-app.domain.co.il/login which POSTs to test-api.domain.co.il/Token.
The headers are (non-working request, and essentially an issue in itself):
And the "invalid username or password" response header looks like this:
While testing with Postman using a "form-data" request, the F5 successfully catches and blocks the brute-force request. The Postman request itself (working request):
In the brute-force configuration we have tried the "JSON/AJAX Request" and the "HTML form" methods, but with no luck.
We will appreciate any help.
Thanks!
1 Reply
- Stanislas_Piro2
Cumulonimbus
Hi,
You can try this code with "Basic Authentication" configured in the ASM login page:
```tcl
# Collect a request payload
when HTTP_REQUEST {
    # Reset per-request state: variables persist across requests on a keep-alive connection
    unset -nocomplain boundary username password auth_inserted
    if {[HTTP::method] eq "POST" && [HTTP::path] starts_with "/Token" && [scan [HTTP::header "Content-Type"] {multipart/form-data; boundary=%s} boundary]} {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}

when HTTP_REQUEST_DATA {
    foreach item [split [string map [list "--$boundary" "|"] [HTTP::payload]] "|"] {
        if {$item eq "" || $item eq "--"} { continue }
        # Part headers and part body are separated by a blank line (CRLF per RFC 7578; accept bare LF too)
        set fields [split [string map [list "\r\n\r\n" "|" "\n\n" "|"] [string trim $item]] "|"]
        if {[llength $fields] < 2} { continue }
        if {[string match {*name="name"*} [lindex $fields 0]]} {
            set username [lindex $fields 1]
            log local0.debug "username is $username"
        } elseif {[string match {*name="password"*} [lindex $fields 0]]} {
            set password [lindex $fields 1]
            # Never write the password value itself to the log
            log local0.debug "password field found"
        }
    }
    if {[info exists username] && [info exists password]} {
        HTTP::header insert Authorization "Basic [b64encode "$username:$password"]"
        set auth_inserted 1
    }
    unset -nocomplain item fields
    HTTP::release
}

when HTTP_REQUEST_RELEASE {
    # Strip the header we inserted so the backend never sees the synthetic Basic auth
    if {[info exists auth_inserted]} {
        HTTP::header remove Authorization
    }
}
```

This code parses the multipart content and inserts the username and password in a Basic auth header, then removes it before sending the request to the server.
This code is not tested... please test it and update this thread...
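As an added example that is not part of the thread above and not F5 code: the same extraction the iRule performs, written in Python so it can be checked offline without a BIG-IP. It handles the multipart/form-data case the reply targets and also the application/x-www-form-urlencoded body the question is actually about, then builds the Basic Authorization value the ASM login page would see. The field names `name` and `password`, the boundary string and both request bodies are constructed assumptions taken from the iRule's match patterns, not captured traffic.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample requests (hypothetical; not captured from the thread).
# Field names "name" and "password" follow the iRule's string-match patterns.
BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
MULTIPART_CT = f"multipart/form-data; boundary={BOUNDARY}"
MULTIPART_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="name"\r\n'
    "\r\n"
    "alice\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="password"\r\n'
    "\r\n"
    "s3cret:with:colons\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

URLENCODED_CT = "application/x-www-form-urlencoded"
URLENCODED_BODY = b"grant_type=password&name=alice&password=s3cret%3Awith%3Acolons"


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Split a multipart/form-data body into {field name: value}."""
    if not content_type.lower().startswith("multipart/form-data"):
        raise ValueError("Content-Type is not multipart/form-data")
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("boundary parameter missing")
    delimiter = b"--" + m.group(1).encode()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if part in (b"", b"--"):          # preamble / closing "--" marker
            continue
        # Part headers end at the first blank line. RFC 7578 requires CRLF;
        # accept bare LF as well, which is the only case an "\n\n" match covers.
        sep = b"\r\n\r\n" if b"\r\n\r\n" in part else b"\n\n"
        headers, _, value = part.partition(sep)
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode()] = value.decode()
    return fields


def parse_urlencoded(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}


def basic_auth_header(content_type: str, body: bytes,
                      user_field: str = "name", pass_field: str = "password"):
    """Return the Authorization value the iRule would insert, or None if the
    body is not a form we understand or a credential field is missing."""
    if content_type.lower().startswith("multipart/form-data"):
        fields = parse_multipart(body, content_type)
    elif content_type.lower().startswith("application/x-www-form-urlencoded"):
        fields = parse_urlencoded(body)
    else:
        return None
    if user_field not in fields or pass_field not in fields:
        return None
    creds = f"{fields[user_field]}:{fields[pass_field]}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def decode_basic(header: str) -> tuple:
    """Inverse of the above: what the login page sees. The user-id cannot
    contain a colon (RFC 7617), so split on the first colon only."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    for ct, body in ((MULTIPART_CT, MULTIPART_BODY), (URLENCODED_CT, URLENCODED_BODY)):
        print(ct.split(";")[0], "->", decode_basic(basic_auth_header(ct, body)))
```

Both bodies yield the same header, which is the point of the iRule: whichever encoding the client picks, ASM's login page gets one canonical credential format to count failures against. The separator check is the detail most likely to bite on a real BIG-IP, since browsers and Postman send CRLF and a match on a bare "\n\n" silently finds nothing.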