Forum Discussion
apara_5691
Nimbostratus
Jul 28, 2011
Bypass Authentication Form
Good morning!!
I want to bypass an authentication form with an iRule, this is simple with a redirection:
http://example.com/script?user=user&pass=pass
I'm using an LDAP authentication profile with a simple configuration (default _sys_auth_ldap) so what I try to do is the next:
when AUTH_RESULT {
    if {[AUTH::status] == 0} {
        # Successful authentication
        HTTP::respond 302 Location "http://example.com/script?user=user&pass=pass"
    }
}
The iRule "catches" the HTTP authentication params and redirects with this params
The problem is that the authentication profile is associated to the same VS that the redirection is performed, and the 302 is repeated indefinitely.
Any ideas for this particular "problem"? I don't have a lot of experience in iRule development so I'm a little lost :(
Regards,
Alberto
2 Replies
- Hamish
Cirrocumulus
I take it you're not concerned about the lack of security in the solution...
Basically you need to detect in the iRule whether the request is for YOUR redirect, or for the user accessing the URI directly. There's a couple of ways you could do that. You could
1. Detect the referrer and if the referrer was ourselves, don't redirect.
2. Detect the existence of the ?user=user&pass=pass parameters and don't redirect if the user is already supplying them
There's probably several other ways... Personally I'd use both... Just as a belt and braces check... It's a direct login (the parameter check) AND we told the browser to do it (referrer check)...
I'd be wary of this approach though... You're leaking the user and password back to the user in the 302 redirect... Never a good idea... There's other ways to skin this cat if you really want automated login.
H
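The two loop-breaking checks Hamish describes, written out as an iRule; this is an added example, not code from the thread or from F5. The hostname, URI and the `user`/`pass` parameter names are assumptions carried over from the original post's placeholder URL.

```tcl
# Added example: break the 302 loop with both checks (parameter presence and
# Referer) before the iRule issues its redirect.  Hostname and parameter names
# are assumed; the redirect target still carries credentials in the query string.
when HTTP_REQUEST {
    # Check 2: is the client already supplying the login parameters?
    set has_params 0
    if { [URI::query [HTTP::uri] user] ne "" && [URI::query [HTTP::uri] pass] ne "" } {
        set has_params 1
    }
    # Check 1: did the browser arrive here because we told it to (Referer is us)?
    set from_self 0
    if { [string tolower [HTTP::header Referer]] starts_with "http://example.com/" } {
        set from_self 1
    }
}

when AUTH_RESULT {
    if { [AUTH::status] == 0 } {
        # Both conditions hold: this is the direct login we triggered, so pass it
        # through to the application instead of redirecting again.
        if { $has_params && $from_self } {
            return
        }
        # First successful authentication on this connection: send the redirect once.
        HTTP::respond 302 Location "http://example.com/script?user=user&pass=pass"
    }
}
```

Because the variables are set in HTTP_REQUEST and read in AUTH_RESULT on the same connection, a request that lacks either signal still gets the single redirect, while the follow-up request the browser makes passes straight to the pool.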
- apara_5691
Nimbostratus
I know that it is not the best solution but I think that is the only one possible for my particular case... our customer does not want to modify the application so we need to bypass the form, anyway the authentication isn't protected with an SSL configuration, user/pass was sent in clear text via POST instead of GET with the 302 redirection
Do you think that there's another (secure) way to do this?
Many thanks for your help, I'm still thinkin' about this, the solution will be posted when it is finished
Regards!