For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

eLeCtRoN's avatar
eLeCtRoN
Icon for Cirrus rankCirrus
Feb 06, 2023

F5 iRule for FormBased Credentials drop or rewrite

Hello, we have a WebService with a form based auth. there is a login for the user "sysadmin" I want to block the login in a from that he is telling the user the password is wrong. Because we can not...
application delivery
cloud
devops
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 08, 2023

Hi EleCtroN,

i guess it would be much easier to assign a 100 chars password to the sysadmin? 

Rewriting  the password for the sysadmin account is slightly more difficult than just rewriting the username of the sysadmin account. To rewrite the password you would need to evaluate the username and the password values and the username rewrite just cares for the username itself. This makes it much easier and also more immune to certain evasion techniques.

 

You may either use a [HTTP::collect] or a stream profile based approach to either collect and parse or stream replace contents of the POST request destined to the login page. 

To help you with this, you would need to use the developer tools of your browser or HTTP-Proxies like Fiddler to understand the login process. You need to know where the POST request is send to, and which params are used to submit the username and password value. Its also crucial to understand if the username must be used case-sensitive, or if the username supports inCaSeSenSiTive formats too.

Based on those informations we could help you to provide an iRule.

Cheers, Kai  

eLeCtRoN's avatar
eLeCtRoN
Icon for Cirrus rankCirrus
Feb 14, 2023

Hi Kai_Wilke,

i guess it would be much easier to assign a 100 chars password to the sysadmin?

* it is not in our hand, we want to protect from brute force attacks from external, the sysadmin must be still available because for internal login.

You may either use a [HTTP::collect] or a stream profile based approach to either collect and parse or stream replace contents of the POST request destined to the login page.

* the login page is form based and it is a post request !

To help you with this, you would need to use the developer tools of your browser or HTTP-Proxies like Fiddler to understand the login process. You need to know where the POST request is send to, and which params are used to submit the username and password value. Its also crucial to understand if the username must be used case-sensitive, or if the username supports inCaSeSenSiTive formats too.

* it is a default from based auth, just like an outlook web access from based, the username must be used case-sensitive thats always the same with a default frorm based auth, sysadmin or Sysadmin has to be work !

* If the password it to heavy to change, how about the username ? If I will login vom external with the sysadmin then we change the username sysadmin to hansdampf an the login is not possible for the sysadmin and the systems is telling password or username is worng !

kind regards

(Edited by Leslie Hubertus to tag Kai)