Forum Discussion
David_Sherman_2
Nimbostratus
Oct 31, 2006
Header sanitize
The following iRule was working.
when HTTP_REQUEST {
set OrgAdr [IP::remote_addr]:[TCP::remote_port]
set DestServer [IP::local_addr]
HTTP::header sanitize Host + Content-T...
Chris_Hallenbec
Nimbostratus
Nov 15, 2006
Along the lines of this question, I have a problem I am trying to solve. "HTTP::header remove" and "HTTP::header replace" appear to be designed to remove only the last occurrence of a given header, but a malicious person could pass multiple copies of the same header to thwart the removal/replacement.
Does header sanitize dutifully remove ALL headers except those explicitly listed?
An example:
Assuming you have an iRule that plucks data from the session (SSL data?) and places it into a header to pass to the backend (iRule is configured to affect the "server instance"), what happens if the end-user/client sends the same intended header with a falsified value -- use a legit client SSL cert to terminate the connection on the F5, then spoof the header containing the SSL session data to perform an action as another user?
Answer: Bad things. The end-user/client could overwrite or spoof other data. The solution would *seem* to be to use "HTTP::header replace []", but it only replaces the last occurrence of that header, not ALL occurrences!
I'm sure I'm missing something simple on how to wipe out all client-supplied occurrences with an appropriate iRule applied to the "client instance."
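As an added example (not code from this thread or from F5), the Python below models the failure mode Chris describes: a step that removes only the last occurrence of a header beside one that removes every occurrence, run over a constructed request that repeats the header the proxy intends to set from the TLS session. The header name and values are hypothetical.

```python
# Added example: models remove-last vs remove-all header handling in a
# trust-injecting proxy. Header name, values and request are constructed.
from typing import Callable, List, Tuple

Header = Tuple[str, str]
TRUSTED_HEADER = "X-Client-Cert-Subject"  # hypothetical header the proxy sets
TLS_VALUE = "CN=alice"                    # value the proxy derives from the TLS session

# Constructed request: the client pre-supplies two copies of the trusted header
# so that a remove-last-occurrence step leaves one of them behind.
CONSTRUCTED_REQUEST: List[Header] = [
    ("Host", "app.example.internal"),
    (TRUSTED_HEADER, "CN=mallory"),
    (TRUSTED_HEADER, "CN=mallory-second-copy"),
    ("Content-Type", "text/plain"),
]

def remove_last(headers: List[Header], name: str) -> List[Header]:
    """Drop only the LAST occurrence of `name` (the behaviour the poster
    attributes to HTTP::header remove). Names compare case-insensitively."""
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == name.lower():
            del out[i]
            break
    return out

def remove_all(headers: List[Header], name: str) -> List[Header]:
    """Drop EVERY occurrence of `name`; what a sanitize step has to do."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]

def set_trusted_header(headers: List[Header], name: str, value: str,
                       remover: Callable[[List[Header], str], List[Header]]) -> List[Header]:
    """Strip client-supplied copies with `remover`, then append the proxy's value."""
    return remover(headers, name) + [(name, value)]

def values_of(headers: List[Header], name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name.lower()]

def naive_forward() -> List[str]:
    """Trusted-header values the backend sees when only the last copy is removed."""
    fwd = set_trusted_header(CONSTRUCTED_REQUEST, TRUSTED_HEADER, TLS_VALUE, remove_last)
    return values_of(fwd, TRUSTED_HEADER)

def hardened_forward() -> List[str]:
    """Trusted-header values the backend sees when all client copies are removed first."""
    fwd = set_trusted_header(CONSTRUCTED_REQUEST, TRUSTED_HEADER, TLS_VALUE, remove_all)
    return values_of(fwd, TRUSTED_HEADER)

if __name__ == "__main__":
    print("naive:   ", naive_forward())     # two values; a backend reading the first gets the client's
    print("hardened:", hardened_forward())  # only the proxy's value
```

A backend that reads the first occurrence of a repeated header acts on the client's value in the naive case, which is exactly the spoofing the thread worries about.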