Forum Discussion

Andre_Padua_397's avatar
Andre_Padua_397
Historic F5 Account
Feb 11, 2008

Grabbing POST Parameters

Hi All,

 

 

My first post to the form is about, well, POST.

 

 

I'm trying to grab POST parameters from a specific URL. For some reason, this isn't really happening. This is the code I initially used, and it works (thanks, devcentral!)

 

 

 

when HTTP_REQUEST {
set clen [HTTP::header Content-Length]
}
if { $clen > 0 } {
HTTP::collect $clen
}

 

 

Then I decided to inovate and i changed the code to this:

 

 

 

when HTTP_REQUEST {
if {([HTTP::uri] contains "ForumLogin.aspx") && ([HTTP::method] contains "POST")} {
set clen [HTTP::header Content-Length]
}
if { $clen > 0 } {
HTTP::collect $clen
}

 

 

And not i don't capture anything. Can anyone think of what makes this happen? I know I'm posting to this URL.

 

 

 

Thanks,

 

 

Andre
application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 11, 2008
    Hi,

    Is the client sending URL encoded or multipart/form-data POST parameters?

    After collecting, how are you logging the payload? I assume you're logging the payload in the HTTP_REQUEST_DATA event, using HTTP::payload?

    Can you capture a tcpdump of a request and view the TCP stream in Wireshark to see the exact HTTP headers and content you're sending?

    Here is an example of how to collect the HTTP payload:

    
when HTTP_REQUEST {
   log local0. "path: [HTTP::path]"
   if { [HTTP::method] equals "POST" and [string tolower [HTTP::path]] ends_with "forumlogin.aspx"} {
      if {[HTTP::header value "Content-Length"] > 0} {
         log local0. "Found Content-Length: [HTTP::header value Content-Length]"
         set content_length [HTTP::header "Content-Length"]
      } else {
         set content_length 10
      }
      HTTP::collect $content_length
   }
}
when HTTP_REQUEST_DATA {
   log local0. "payload length: [HTTP::payload length]"
   log local0. "payload: [HTTP::payload]"
}

    Aaron
  • Andre_Padua_397's avatar
    Andre_Padua_397
    Historic F5 Account
    Feb 11, 2008
    Hi Hoolio,

     

     

    Yes, i am using HTTP_REQUEST_DATA to check the payload. Here's what the POST looks like from HTTPWatch (Wireshark won't work since it's SSL-encoded. I could run ssldump but it seems that all relevant info is here:

     

     

    POST /ForumLogin.aspx?Logout=-3&CodCliente=80000 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: https://www.test.com.br/ForumLogin.aspx?Logout=-3&CodCliente=80000
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.test.com.br
Content-Length: 777
Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=2oxcig45o1ixborbrefw3a45; persist_titulo=100772032.20480.0000
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTY4MDExMzA3MQ9kFgQCAQ9kFgICAQ8PFgQeCENzc0NsYXNzZR4EX...

     

     

    I'm interested in the EVENTTARGET, EVENTARGUMENT AND VIEWSTATE data.

     

     

    I will try to incorporate your code into my iRule and see what happens.

     

     

     

    Thanks so much,

     

     

    Andre
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 12, 2008
    What do you want to do with the parameters once you find them? If you want to remove them, you could use a stream profile and STREAM::expression to do this. If you want to decode/modify/encode them, then you'd need to collect the payload as you're trying now.

     

     

    Aaron