Forum Discussion
Disable CC data for POST requests
ramann_75062 (Nimbostratus), Jul 13, 2009
Hi @all,
it's me again :-)
Today I am looking for a way to deactivate the CC check only for POST requests - is this possible?
My first idea was to do this via an iRule: if it is a POST request, then switch to another V-Server with a different ASM policy, but I am not sure whether this is a good way.
Thanks
Bjoern
16 Replies
- hoolio (Cirrostratus)
Hi Bjoern,
I can't really see the value in only applying the attack signature to response content for non-POST requests. Chances are the only vulnerability within an application which would lead to credit cards being leaked in response content would be from POST requests. So why would you want to disable the check for POST requests and not all requests?
If you do want to do this, an iRule and a second policy would be an option. You could use the 'HTTP::class select' command to select a second HTTP class for POST requests. Note the second HTTP class must also be added to the virtual server in order to select it using HTTP::class. Selecting a second virtual server would work, but would unnecessarily add the need for a second virtual server.
Aaron
- Ido_Breger_3805 (Historic F5 Account)
Hi Bjoern,
Like Hoolio said, most of the vulnerabilities today on the web are within POST requests. Can you please share with us why you would want to do something like that?
- ramann_75062 (Nimbostratus)
Hi,
The reason is that in the reporting, the POST requests which include CC data are marked as "Information Leakage Detected".
thanks
Bjoern
- Ido_Breger_3805 (Historic F5 Account)
Hi,
Are you sure that the website doesn't really leak credit card numbers?
ASM validates that the string of numbers is actually a real credit card number using a special algorithm.
Which ASM version are you using? 9.x or 10.x?
- ramann_75062 (Nimbostratus)
We are using BIG-IP 9.4.6 Build 401.0 Final.
In this POST request, a customer sends his CC data to buy something - the data he gets back is masked with stars.
Here is a log extract - no, this CC is not real :-)
----Log-----
Full Request
POST /cgi-bin/payment.dll HTTP/1.1
Content-Length: 244
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: de-de
Cookie: webshop=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; HAHAHA+Deutschland_time=04045; CTG=1247133160; WSS_GW=V1z%BC@%B@riQ; s_nr=1247128127629; TSb9eef2=3f02746cdc4e67515cea09c98b1dccc048635239d4b8ba714a55bdc9; CP=null*
Referer: https://staging.testland.ha/cgi-bin/customer.dll
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
X-Akamai-CONFIG-LOG-DETAIL: true
TE: chunked;q=1.0
Connection: TE
Akamai-Origin-Hop: 1
Via: 4.0 asi_server, 1.0 akamai.net(ghost) (AkamaiGHost)
Accept-ESI: 1.0
X-Forwarded-For: 127.0.0.1
Host: myhost.test.nowhere
Pragma: no-cache
Cache-Control: no-cache, max-age=0
Connection: keep-alive
Number: 88.79.247.30
akamaisession: candidate
Letter: second
X-Forwarded-For: 88.221.4.9
&action=payment&errordoc=globalError&kreditkarteInhaber=Fred%20Test&sent.y=0&sent.x=0&kreditkarteNummer=6677880000000004&sent=sent&affiliate=EVE&zahlungsart=2&kkMonth=02&kkYear=2012&fun=customer&nextdoc=summary&doc=payment&kreditkarteCvc=123
Response
Response not found
Referrer Object
No records to display.
Cookie Name Cookie Value Reason
Parameter Name=Value Parameter Violations Parameter Level
No records to display.
XML Violation XML Buffer Description
No records to display.
Signature Name Signature ID Learn Alarm Block Context
No records to display.
Evasion Technique Detected Context
No records to display.
Pattern Context
Credit Card NumberkarteNummer" value="6677880000000004" />
HTTP Protocol Compliance
Support ID: 17005296024891348013 Time: 2009-07-09 11:53:21
- Ido_Breger_3805 (Historic F5 Account)
Hi,
How does the response look?
In version 10 you can configure exceptions for the DataGuard using a regexp; however, I suggest being careful doing so in your case.
- Ido_Breger_3805 (Historic F5 Account)
I suggest being careful since it seems that in your case there is a high probability that the application leaks credit card numbers.
- ramann_75062 (Nimbostratus)
The response:
Kreditkartentyp VISA
Kreditkarten-Nr. ************0004
Gültigkeit 02/2014
For me, it looks like the WAF interprets the POST data as the "Information Leakage Detected" and not the response of this POST.
This does not make sense, the webserver needs the complete data for the payment - no data, no selling :-)
- Ido_Breger_3805 (Historic F5 Account)
DataGuard is only working on response data. Please look at the responses of that page.
- Ido_Breger_3805 (Historic F5 Account)
The DataGuard doesn't touch or change anything in the request. It simply makes sure that sensitive information isn't leaked in responses.
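Added example (not code from the thread, from F5, or from ASM): the detection logic the thread circles around, written in Python so the request-side and response-side cases can be compared. It assumes the "special algorithm" Ido mentions is the Luhn mod-10 check and that candidates are 13 to 19 digit runs; both are assumptions, not ASM's documented rule. The sample inputs are constructed from what the thread shows: the urlencoded POST body from the "Full Request" log, an HTML input fragment shaped like the one in the "Pattern Context" column (`karteNummer" value="6677880000000004" />`), and the masked confirmation page Bjoern pasted. Running it shows that the posted form body always matches (a payment form has to carry the number), that a response which echoes the form value back matches too, and that the masked line does not.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample inputs, modelled on what the thread shows (the card
# number is the thread's own dummy value, not a real card):
#   - the urlencoded POST body from the "Full Request" log entry,
#   - an HTML fragment like the one in the "Pattern Context" column, and
#   - the masked confirmation page Bjoern pasted as the response.
REQUEST_BODY = (
    "action=payment&errordoc=globalError&kreditkarteInhaber=Fred%20Test"
    "&kreditkarteNummer=6677880000000004&zahlungsart=2&kkMonth=02"
    "&kkYear=2012&kreditkarteCvc=123"
)
RESPONSE_ECHOING_FORM = (
    '<input type="hidden" name="kreditkarteNummer" value="6677880000000004" />'
)
RESPONSE_MASKED = (
    "Kreditkartentyp VISA\n"
    "Kreditkarten-Nr. ************0004\n"
    "Gültigkeit 02/2014\n"
)

# A run of 13 to 19 digits not adjacent to other digits. The length range
# covers the card brands in common use; it is an assumption, not ASM's rule.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit,
    subtract 9 from any result above 9, and require the sum to be 0 mod 10.
    Assumed here to be the 'special algorithm' the thread refers to."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs in text that look like card numbers and pass Luhn."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text) if luhn_valid(m.group(0))]


def where_it_matches(request_body: str, response_body: str) -> Dict[str, List[str]]:
    """Scan both sides of one transaction so a hit can be attributed.
    The request side of a payment form always matches, which is why a
    response-only scanner (the scoping the thread ends on) ignores it."""
    return {
        "request": find_card_numbers(request_body),
        "response": find_card_numbers(response_body),
    }


def mask_card_numbers(text: str) -> str:
    """Replace every Luhn-valid run with stars, keeping the last four digits,
    the same shape as the masked line in Bjoern's response."""
    def _mask(m):
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_valid(s) else s
    return CANDIDATE_RE.sub(_mask, text)


def posted_card_parameter(body: str) -> str:
    """The parameter the log's Pattern Context points at, decoded from the body."""
    return parse_qs(body)["kreditkarteNummer"][0]


if __name__ == "__main__":
    print(where_it_matches(REQUEST_BODY, RESPONSE_MASKED))
    print(where_it_matches(REQUEST_BODY, RESPONSE_ECHOING_FORM))
    print(mask_card_numbers(RESPONSE_ECHOING_FORM))
```

The thread's dummy number 6677880000000004 passes Luhn, so any checker of this shape flags it wherever it appears in clear; a response that only carries `************0004` contains no 13-digit run and is never a hit. If the real page's responses do echo the posted value in a form field, as the Pattern Context fragment suggests, the hit is on the response and the fix belongs in the application, not in an exception for POST requests.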