Can iRule mask the payload content on event logs of security
9844445555 password@123
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/api/v1/client/client-auth/login" && [HTTP::header "Content-Type"] equals "application/octet-stream" } {
        set payload [TCP::payload]
        set pattern {(\d+).*?}
        if {[regexp -indices $pattern $payload match_indices]} {
            foreach {start_index end_index} $match_indices {
                set dynamic_length [expr {$end_index - $start_index - 10}]
                set masked_part [string repeat "*" $dynamic_length]
                set masked_payload [string replace $payload [expr $start_index] [expr $end_index - 1] $masked_part]
                set payload $masked_payload
            }
            TCP::payload replace 0 [string length $payload] $payload
        }
    }
}
Try regsub -all, something like this, to mask your mobile number or password shown in the HTTP responses:
when HTTP_RESPONSE {
    set clen [HTTP::header Content-Length]
    HTTP::collect $clen
}
when HTTP_RESPONSE_DATA {
    regsub -all {<PhoneNumber>(.*?)</PhoneNumber>} [HTTP::payload] {<PhoneNumber>********</PhoneNumber>} fixeddata
    log "Replacing payload with new data."
    HTTP::payload replace 0 $clen $fixeddata
    HTTP::release
}
https://my.f5.com/manage/s/article/K16533717
https://wiki.tcl-lang.org/page/regsub
https://spy86.github.io/CheatSheetCollection/DevOpsServices/F5.html
- Nishal_RaiCirrocumulus
Hi F5_Design_Engineer
Thanks for the resources and commands, but I need to mask the payload on the HTTP_REQUEST so that Application > Event Logs does not display the credentials input by the user.
Try this article:
Irule Check payload contains | DevCentral
https://f5-agility-labs-irules.readthedocs.io/en/latest/class2/module1/lab4.html
https://clouddocs.f5.com/api/irules/HTTP__payload.html
Use
HTTP::payload replace <offset> <length> <string>
HTTP::payload replace
- Replaces the amount of content that you specified with the <length> argument, starting at <offset> with <string>, adjusting the Content-Length header appropriately.
- To clarify, the length argument should be the length of original content to replace. In order to replace the entire payload, the offset should be 0 and the length should be the original size in bytes of the payload.
- Note that the <string> argument will be interpreted as a byte array. If it is actually a UTF-8 string with multibyte characters, the output will not be what you expect. In order to prepare a UTF-8 string for use as input to HTTP::payload replace, you should first run ‘binary scan <string> c* throwawayvariable’.
- Note: This function is callable, but will not work as expected in the HTTP_REQUEST_SEND event
Examples
when HTTP_RESPONSE {
    if {[HTTP::status] == 205} {
        HTTP::collect [HTTP::header Content-Length]
        set clen [HTTP::header Content-Length]
    }
}
when HTTP_RESPONSE_DATA {
    HTTP::respond 200 content [HTTP::payload]
}

when HTTP_RESPONSE_DATA {
    regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
    log "Replacing payload with new data."
    HTTP::payload replace 0 $clen $newdata
    HTTP::release
}
- Nishal_RaiCirrocumulus
Thanks F5_Design_Engineer for the articles.
Most of the articles are all about the HTTP_RESPONSES, whereas I need to make the payload changes on the HTTP_REQUEST, and the key challenge is the unstructured format in between the username and password to be identified by the f5.
I will try to work on the application "Content-Type" instead, which seems to be easier because of the complexity of the iRule, mainly for identifying the pattern of the payloads (username and password).
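A request-side counterpart to the response examples in this thread, added here as an illustration and not taken from any post or from F5's documentation: it collects the login body in HTTP_REQUEST and masks both fields in HTTP_REQUEST_DATA with HTTP::payload replace. It assumes the body has the layout of the sample at the top of the thread (digits, whitespace, then the password, ASCII only); the 4096-byte collection cap and the mask_body flag are hypothetical choices.

```tcl
# Added example, not from the thread. Path and Content-Type come from the
# question; the 4096-byte cap and the body layout are assumptions.
when HTTP_REQUEST {
    set mask_body 0
    if { [HTTP::path] equals "/api/v1/client/client-auth/login" &&
         [HTTP::header "Content-Type"] equals "application/octet-stream" &&
         [HTTP::header exists "Content-Length"] } {
        set clen [HTTP::header "Content-Length"]
        # Only buffer small bodies; larger ones pass through untouched.
        if { $clen > 0 && $clen <= 4096 } {
            set mask_body 1
            HTTP::collect $clen
        }
    }
}

when HTTP_REQUEST_DATA {
    if { $mask_body } {
        set body [HTTP::payload]
        # Assumed layout, as in the sample "9844445555 password@123":
        # <digits><whitespace><non-whitespace password>, ASCII only.
        if { [regexp -indices {^(\d+)\s+(\S+)} $body -> num pw] } {
            foreach range [list $num $pw] {
                set first [lindex $range 0]
                set last  [lindex $range 1]
                # Same-length replacement keeps every other offset valid.
                set stars [string repeat "*" [expr {$last - $first + 1}]]
                set body [string replace $body $first $last $stars]
            }
            # Length argument is the size of the original collected content.
            HTTP::payload replace 0 [HTTP::payload length] $body
        }
    }
    HTTP::release
}
```

HTTP::payload replace changes the body that is forwarded to the pool member, so the login backend receives the asterisks as well. The thread does not establish whether the Application event log records the original or the rewritten body.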