
Nishal_Rai
2 years ago

Can iRule mask the payload content on event logs of security

Hello Everyone, 
 
Is it possible to mask a certain value of the request in the Application Security > Event Logs using an iRule?
 
The application uses "Content-Type: application/octet-stream" and the payload contains some sensitive user information that is not associated with any parameters in the payload.
 
 
 
The requested URL is "/api/v1/client/client-auth/login" and I want to mask the content after the first value (which is a cell number and follows a pattern) up to 15 characters, regardless of the characters used.

The payload sample:
 
9844445555 password@123
 
I tried the iRule script below, but the application stopped working:

    when HTTP_REQUEST {
        if { [HTTP::uri] equals "/api/v1/client/client-auth/login" && [HTTP::header "Content-Type"] equals "application/octet-stream" } {
            set payload [TCP::payload]
            set pattern {(\d+).*?}
            if {[regexp -indices $pattern $payload match_indices]} {
                foreach {start_index end_index} $match_indices {
                    set dynamic_length [expr {$end_index - $start_index - 10}]
                    set masked_part [string repeat "*" $dynamic_length]
                    set masked_payload [string replace $payload [expr $start_index] [expr $end_index - 1] $masked_part]
                    set payload $masked_payload
                }
                TCP::payload replace 0 [string length $payload] $payload
            }
        }
    }

 



4 Replies

  • Try regsub -all, something like this, to mask your mobile number or password shown in the HTTP responses

     

    when HTTP_RESPONSE {
        set clen [HTTP::header Content-Length]
        HTTP::collect $clen
    }

    when HTTP_RESPONSE_DATA {

        regsub -all {<PhoneNumber>(.*?)</PhoneNumber>} [HTTP::payload] {<PhoneNumber>********</PhoneNumber>} fixeddata
        log "Replacing payload with new data."
        HTTP::payload replace 0 $clen $fixeddata
        HTTP::release

    }

     

    https://my.f5.com/manage/s/article/K16533717

    https://wiki.tcl-lang.org/page/regsub

    https://spy86.github.io/CheatSheetCollection/DevOpsServices/F5.html

     

     

     

     

  • Hi F5_Design_Engineer 


    Thanks for the resources and commands, but I need to mask the payload on the HTTP_REQUEST so that the Application > Event Logs does not display the credentials input by the user.

  • Try this article:

     

    Irule Check payload contains | DevCentral

    https://f5-agility-labs-irules.readthedocs.io/en/latest/class2/module1/lab4.html

    https://clouddocs.f5.com/api/irules/HTTP__payload.html

    Use

     

    HTTP::payload replace <offset> <length> <string>

    HTTP::payload replace

    • Replaces the amount of content that you specified with the <length> argument, starting at <offset> with <string>, adjusting the Content-Length header appropriately.
    • To clarify, the length argument should be the length of original content to replace. In order to replace the entire payload, the offset should be 0 and the length should be the original size in bytes of the payload.
    • Note that the <string> argument will be interpreted as a byte array. If it is actually a UTF-8 string with multibyte characters, the output will not be what you expect. In order to prepare a UTF-8 string for use as input to HTTP::payload replace, you should first run ‘binary scan <string> c* throwawayvariable’.
    • Note: This function is callable, but will not work as expected in the HTTP_REQUEST_SEND event

     

    Examples

    when HTTP_RESPONSE {
        if {[HTTP::status] == 205} {
            HTTP::collect [HTTP::header Content-Length]
            set clen [HTTP::header Content-Length]
        }
    }
    when HTTP_RESPONSE_DATA {
        HTTP::respond 200 content [HTTP::payload]
    }

    when HTTP_RESPONSE_DATA {
        regsub -all "oursite" [HTTP::payload] "oursitedev" newdata
        log "Replacing payload with new data."
        HTTP::payload replace 0 $clen $newdata
        HTTP::release
    }

  • Thanks F5_Design_Engineer for the articles. 

    Most of the articles are all about the HTTP_RESPONSES, whereas I need to make the payload changes on the HTTP_REQUEST, and the key challenge is the unstructured format between the username and password to be identified by the F5.


     
    I will try to work on the application "Content-Type" instead, which seems easier given the complexity of the iRule, mainly in identifying the pattern of the payloads (username and password).
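
The masking step described in the question, written as plain Tcl string handling; this is an added example, not code from any poster in the thread or from F5. The proc name `mask_after_cell_number`, the fixed 10-digit number, the single separator byte and the reading of "15 characters" as the 15 bytes after the separator are assumptions taken from the sample payload, and the inputs at the bottom are constructed.

```tcl
# Added example (not from the thread). Names are hypothetical.
# Assumed body layout, read off the sample payload in the question:
#   <10-digit cell number><one non-digit separator byte><secret ...>
proc mask_after_cell_number {payload {mask_len 15}} {
    # Anchor at the start of the body: exactly 10 digits, then one non-digit.
    # -indices returns the first and last index of the whole match.
    if {![regexp -indices {^\d{10}\D} $payload m]} {
        # Layout not recognised: return the input untouched rather than guess.
        return $payload
    }

    set max   [expr {[string length $payload] - 1}]
    set first [expr {[lindex $m 1] + 1}]   ;# first position after the separator
    if {$first > $max} {
        # Number and separator only, nothing to mask.
        return $payload
    }

    # Mask at most mask_len positions, clamped to the end of the body.
    set last [expr {$first + $mask_len - 1}]
    if {$last > $max} {
        set last $max
    }

    # Same-length replacement, so the body size does not change.
    set stars [string repeat "*" [expr {$last - $first + 1}]]
    return [string replace $payload $first $last $stars]
}

# Constructed inputs: the sample from the question, a long secret,
# a body with no secret, and a body that does not follow the layout.
foreach sample [list \
        "9844445555 password@123" \
        "9844445555 a-very-long-passphrase-over-15-chars" \
        "9844445555" \
        "not-a-login-body"] {
    puts [mask_after_cell_number $sample]
}
```

In an iRule the same logic would be applied to [HTTP::payload] in HTTP_REQUEST_DATA after HTTP::collect in HTTP_REQUEST. HTTP::payload replace rewrites the body that is forwarded, so a password masked this way is also what the application server receives.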