Forum Discussion

ramann_75062
Jun 15, 2009

Disable Credit Card Number Check for a parameter

Hi @all,

In some pages, a session id is included in the HTML code or in the URL.

Examples:

name="id" value="ABC376151241604674X" />

OR

/customer.dll?id=ABC376151241604674X&fun=customer&a

Now we have the problem that the ASM marks them as "Information leakage detected".

Is there a way to exclude this parameter from this kind of check?

Thanks

Bjoern

  • Benjamin_9036
    Historic F5 Account
    Hey Bjoern,

    There isn't really a way to exclude a single parameter, per se, especially in versions prior to version 10.0.0. In 9.4.x versions you may be able to disable the system's default 'Credit Card Numbers' check and then craft your own with a negative lookbehind and expressions to match CC numbers. Of course, there may be more expressions to match CCNs in the default bundle that you can dig up published around, but that is the only method I can fathom to do this prior to version 10.

    For more info on lookarounds, check here:

    http://www.perl.com/doc/manual/html/pod/perlre.html

    In version 10 and later, though, there are "Exception Patterns" which you can use to create patterns to allow, rather than trying to recreate the default bundle of CCN expressions - each with the lookbehind exception applied to it. This is probably the more graceful (not to mention secure) solution. An exception pattern to match the "customer.dll?id=" string and another to match the 'name="id" value="' string should let these instances through.

    Cheers!

    // Ben
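
The two approaches from the reply above, sketched in Python as an added example (not part of the original thread, and not ASM's own expressions or configuration syntax). The 13-16 digit candidate expression, the three-letter id prefix, and the sample response body are assumptions made for illustration.

```python
import re

# Simplified stand-in for the default card-number expressions (not shown in the
# thread): a run of 13-16 digits that is not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")

# 9.4.x idea: the same expression guarded by negative lookbehinds.
# Python needs fixed-width lookbehinds, so a 3-letter id prefix is assumed.
GUARDED = re.compile(
    r'(?<!customer\.dll\?id=[A-Z]{3})(?<!name="id" value="[A-Z]{3})'
    r"(?<!\d)\d{13,16}(?!\d)"
)

# 10.x idea: separate exception patterns covering the two known contexts.
EXCEPTIONS = [
    re.compile(r'customer\.dll\?id=[A-Z]{3}\d{15}X'),
    re.compile(r'name="id" value="[A-Z]{3}\d{15}X"'),
]

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_leaks(body, pattern=CANDIDATE, exceptions=()):
    """Return Luhn-valid candidates that fall outside every exception match."""
    allowed = [m.span() for rx in exceptions for m in rx.finditer(body)]
    hits = []
    for m in pattern.finditer(body):
        if any(s <= m.start() and m.end() <= e for s, e in allowed):
            continue  # candidate sits entirely inside an allowed context
        if luhn_ok(m.group()):
            hits.append(m.group())
    return hits

# Constructed response body: the thread's session id in both contexts, plus a
# well-known test card number that must still be reported.
SAMPLE = (
    '<input type="hidden" name="id" value="ABC376151241604674X" />\n'
    '<a href="/customer.dll?id=ABC376151241604674X&fun=customer">account</a>\n'
    '<p>Card on file: 4111111111111111</p>\n'
)

if __name__ == "__main__":
    print(find_leaks(SAMPLE))                         # unguarded check
    print(find_leaks(SAMPLE, GUARDED))                # lookbehind variant
    print(find_leaks(SAMPLE, exceptions=EXCEPTIONS))  # exception patterns
```

The digits inside the session id pass the Luhn check, which is why an unguarded check reports them. Both variants suppress the id only in the two named contexts, so the same digits anywhere else in a response are still reported.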