Don_22992
May 18, 2010

Custom Signature to Block Credit Card Numbers

Has anyone created a custom signature to block a request that contains Credit Card numbers in a parameter?

Our application does allow Credit Card numbers in certain pre-defined fields. However, we need to block end-users from entering credit card numbers into inappropriate fields/parameters, such as "customer notes".

F5 support suggests a custom signature for this. Has anyone successfully tried this? We have no experience in custom signatures and are looking for some guidance.

Don

  • hoolio
    Hi Don,

    You could create a custom attack signature according to the steps in the ASM Config Guide for your version and apply it to parameter values. You can use a credit card regex like the one in this codeshare example:

    http://devcentral.f5.com/wiki/default.aspx/iRules/CreditCardScrubberUsingStream.html

    (?:3[4|7]\d{2})(?:[ ,-]?(?:\d{5}(?:\d{1})?)){2}|(?:4\d{3})(?:[ ,-]?(?:\d{4})){3}|(?:5[1-5]\d{2})(?:[ ,-]?(?:\d{4})){3}|(?:6011)(?:[ ,-]?(?:\d{4})){3}

    Or you could try some of the more generic regexes found online:

    http://www.regular-expressions.info/creditcard.html

    http://www.code-magazine.com/article.aspx?quickid=0305041&page=5

    Once you have the attack signature defined, you can disable it on the specific defined parameters which should allow credit card numbers for values.

    If you have the ability to change the application, it would be a lot more efficient and effective to use client-side JavaScript to check user input for strings which match a credit card number. You could then prompt the user to remove the cc from their input before submitting it. I wouldn't call this strict security enforcement as client-side JavaScript validation wouldn't stop a user from entering the CC. However, it would prompt legitimate users to not enter sensitive data. And it would limit the chance that a user's non-malicious request would be blocked by ASM.

    Aaron
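As an added illustration of the answer above (example code, not from the thread or from F5), this Python snippet applies the codeshare regex Aaron quoted to request parameters and skips the parameters where card numbers are legitimately allowed, mirroring the per-parameter signature exception. It adds a Luhn check on each regex hit, which the ASM signature itself would not do, to show how many regex-only hits are false positives worth tuning for before blocking. The parameter names and the sample request are constructed assumptions.

```python
import re

# Credit card regex quoted in the answer above (Amex, Visa, MasterCard, Discover);
# it tolerates a space, comma or hyphen between digit groups.
CARD_PATTERN = re.compile(
    r"(?:3[4|7]\d{2})(?:[ ,-]?(?:\d{5}(?:\d{1})?)){2}"
    r"|(?:4\d{3})(?:[ ,-]?(?:\d{4})){3}"
    r"|(?:5[1-5]\d{2})(?:[ ,-]?(?:\d{4})){3}"
    r"|(?:6011)(?:[ ,-]?(?:\d{4})){3}"
)

# Hypothetical parameter names allowed to carry a card number (signature disabled there).
CARD_ALLOWED_PARAMS = {"card_number", "payment_card"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: drops digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_card_numbers(value: str) -> list:
    """Regex hits in value that also pass Luhn, separators stripped before checking."""
    hits = []
    for match in CARD_PATTERN.findall(value):
        if luhn_valid(re.sub(r"[ ,-]", "", match)):
            hits.append(match)
    return hits


def inspect_request(params: dict) -> dict:
    """Map each parameter that must not carry a card to the card strings found in it."""
    violations = {}
    for name, value in params.items():
        if name in CARD_ALLOWED_PARAMS:
            continue                   # signature disabled on this parameter
        found = find_card_numbers(value)
        if found:
            violations[name] = found
    return violations


# Constructed sample request built from well-known public test card numbers.
SAMPLE_REQUEST = {
    "card_number": "4111 1111 1111 1111",                            # allowed field
    "customer_notes": "please bill 5500-0000-0000-0004 and call me",  # should be blocked
    "order_ref": "4111 1111 1111 1112",                              # regex hit, fails Luhn
}
```

Running `inspect_request(SAMPLE_REQUEST)` flags only `customer_notes`; the allowed field is skipped and the Luhn-invalid value in `order_ref` is reported as a regex-only hit the signature alone would have blocked.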