Forum Discussion
inter84_376679
Nimbostratus
Nov 11, 2018
Bruteforce configuration issue with x-www-urlencoded
Hello,
We have the following brute-force configuration issue with the x-www-urlencoded application content-type, on our: BIG-IP Version 13.1.1
We have a login page test-app.domain.co.il...
stan_piron
Cumulonimbus
Nov 13, 2018
Hi,
You can try this code with "Basic Authentication" configured in the ASM login page:
# Collect the request payload
when HTTP_REQUEST {
    if {[HTTP::method] eq "POST" && [HTTP::path] starts_with "/Token" && [scan [HTTP::header "Content-Type"] {multipart/form-data; boundary=%s} boundary]} {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check that $content_length is not 0 before collecting
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}

when HTTP_REQUEST_DATA {
    # Split the body on the multipart boundary, then split each part on the blank
    # line that separates the part headers from its value (browsers send CRLF CRLF,
    # so both "\r\n\r\n" and "\n\n" are mapped)
    foreach item [split [string map [list "--$boundary" "|"] [HTTP::payload]] "|"] {
        if {$item == "" || $item == "--"} {
            continue
        }
        set fields [split [string map {"\r\n\r\n" "|" "\n\n" "|"} [string trim $item]] "|"]
        if {[llength $fields] < 2} {
            continue
        }
        if {[string match {*name="name"*} [lindex $fields 0]]} {
            set username [lindex $fields 1]
            log local0. "username is $username"
        } elseif {[string match {*name="password"*} [lindex $fields 0]]} {
            set password [lindex $fields 1]
            # the password is deliberately not logged
        }
    }
    if {[info exists username] && [info exists password]} {
        HTTP::header insert Authorization "Basic [b64encode "$username:$password"]"
    }
    # clear per-request state so a later request on the same connection cannot reuse it
    unset -nocomplain item fields username password
    HTTP::release
}

when HTTP_REQUEST_RELEASE {
    HTTP::header remove Authorization
}

This code parses the multipart content and inserts the username and password in a Basic auth header... then removes it before sending the request to the server...
This code is not tested... please test it and update this thread...
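The following is an added example, not code from this thread or from F5: a stand-alone Python model of what the iRule above does, so the parsing logic can be checked offline before it is deployed. It handles both the multipart/form-data body the reply targets and the application/x-www-form-urlencoded body the original question is about, and it treats the multipart part separator as CRLF CRLF (what browsers actually send), which is the edge case a split on a bare "\n\n" would miss. The field names "name" and "password", the boundary string and both sample bodies are constructed assumptions.

```python
import base64
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample request bodies (assumed field names "name" and "password").
SAMPLE_BOUNDARY = "----WebKitFormBoundaryAbc123"
SAMPLE_MULTIPART = (
    f"--{SAMPLE_BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="name"\r\n'
    "\r\n"
    "alice\r\n"
    f"--{SAMPLE_BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="password"\r\n'
    "\r\n"
    "s3cret:with:colons\r\n"          # colons in the password are legal in Basic auth
    f"--{SAMPLE_BOUNDARY}--\r\n"
)
SAMPLE_URLENCODED = "name=alice&password=s3cret%3Awith%3Acolons&remember=1"


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Equivalent of the iRule's scan on the Content-Type header, tolerating a quoted boundary."""
    m = re.match(r'multipart/form-data\s*;\s*boundary="?([^";]+)"?', content_type, re.I)
    return m.group(1) if m else None


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Split the body on the boundary and each part on the blank line after its headers."""
    fields: Dict[str, str] = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")          # same role as the iRule's string trim
        if part in ("", "--"):             # leading empty chunk and closing "--"
            continue
        sep = "\r\n\r\n" if "\r\n\r\n" in part else "\n\n"
        header_block, found, value = part.partition(sep)
        if not found:
            continue                       # no header/value separator: skip the part
        m = re.search(r'name="([^"]*)"', header_block)
        if m:
            fields[m.group(1)] = value
    return fields


def parse_urlencoded(body: str) -> Dict[str, str]:
    """First value of each key in an x-www-form-urlencoded body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def credentials_from_request(content_type: str, body: str,
                             user_field: str = "name",
                             pass_field: str = "password") -> Optional[Tuple[str, str]]:
    """Pick the parser from Content-Type and return (username, password) if both fields exist."""
    if content_type.lower().startswith("application/x-www-form-urlencoded"):
        fields = parse_urlencoded(body)
    else:
        boundary = boundary_from_content_type(content_type)
        if boundary is None:
            return None
        fields = parse_multipart(body, boundary)
    if user_field in fields and pass_field in fields:
        return fields[user_field], fields[pass_field]
    return None


def basic_authorization_header(username: str, password: str) -> str:
    """Build the header value the iRule inserts: Basic base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    for ctype, body in (("multipart/form-data; boundary=" + SAMPLE_BOUNDARY, SAMPLE_MULTIPART),
                        ("application/x-www-form-urlencoded", SAMPLE_URLENCODED)):
        creds = credentials_from_request(ctype, body)
        print(ctype.split(";")[0], "->", creds and basic_authorization_header(*creds))
```

Only the username is ever worth logging from the real iRule; the header value built here carries the password in a reversible encoding, which is exactly why the reply strips it again in HTTP_REQUEST_RELEASE before the request reaches the backend.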