Forum Discussion
How to mask HTTP Authorization header in ASM logs, similar to sensitive parameters?
Hi,
There is no option to do this. A header is not part of the body and it isn't a "classic HTTP parameter". If you need such an option, you should open a feature request. If it is a problem because you send the log files to another destination, perhaps you could do it there.
- gowenfawr, Aug 21, 2013 (Nimbostratus)
These logs are not shipped off; they're only available via the F5 ASM log interface. However, obviously there's value in obfuscating sensitive data there, otherwise the option to do it with URI parameters and XML body wouldn't be there. I have two services protected by the ASM today: one passes credentials as XML elements, the other is RESTful and uses HTTP basic authentication. The first is protected, the latter isn't, and while I trust my network admins, they have no need to know our customers' passwords. I will open a feature request. Thank you for that suggestion.
- gowenfawr, Aug 21, 2013 (Nimbostratus)
That being said, any pointers to the appropriate method for filing a feature request? Is that a support account issue, or generally handled through DevCentral?
- Torti_93733, Aug 21, 2013 (Nimbostratus)
No, you have to open a support case. There you can describe the problem and write "feature request" or something. There is no dedicated option for feature requests.
- Jad_Tabbara__J1, Oct 14, 2016 (Cirrostratus)
Hello,
You can't do it using ASM (v12.1.0). The feature is not available as it is for "sensitive parameters", and based on my tests it wasn't possible to do it:
1) Using "Data Guard": unfortunately it masks only credit card numbers in requests. As it is normally used to protect against "information leakage" (data in responses), this feature is enhanced and regexp detection is possible, but only for responses (not for requests).
2) Using ASM iRule events (ASM_REQUEST_VIOLATION / ASM_REQUEST_BLOCKING / ASM_REQUEST_DONE): not possible, because these events are triggered after the log is written into the database.
SOLUTION:
Option 1: you are already authenticated and you don't need this header later.
From the "HTTP_REQUEST" event, simply remove the "Authorization" header (before doing so, verify that you don't need this header later, because it will impact authentication with the server):

    when HTTP_REQUEST {
        # Drop the Basic credentials before ASM inspects and logs the request
        if { [HTTP::header "Authorization"] contains "Basic" } {
            HTTP::header remove "Authorization"
        }
    }
Option 2: you are not authenticated yet and need this header after ASM validation.
In this case you must first store the header value in a variable, remove it from the request, and inject it again before the request is sent to the server side, from the "HTTP_REQUEST_SEND" event.
Regards
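The Option 2 flow above, written out as an added iRule example (it is not Jad's code and was not posted in this thread). It assumes the virtual server has an HTTP profile and the ASM policy attached; the variable name auth_hdr is my own choice.

```tcl
# Hide the Authorization header from ASM (and therefore from the ASM request log)
# while the request is inspected, then restore it just before the request is
# forwarded to the pool member so the backend can still authenticate the client.
when HTTP_REQUEST {
    if { [HTTP::header exists "Authorization"] } {
        # Keep the original value in a connection-scoped Tcl variable only;
        # do not log it, and do not store it in the session table.
        set auth_hdr [HTTP::header "Authorization"]
        HTTP::header remove "Authorization"
    }
}

when HTTP_REQUEST_SEND {
    # HTTP_REQUEST_SEND fires after ASM has finished with the request and the
    # log entry has been queued, so the header reinserted here is not logged.
    if { [info exists auth_hdr] } {
        # Header commands in HTTP_REQUEST_SEND must run in clientside context.
        clientside {
            HTTP::header insert "Authorization" $auth_hdr
        }
        # Clear the secret so it does not survive into a later request on a
        # keep-alive connection that carried no Authorization header.
        unset auth_hdr
    }
}
```

Note that with this approach ASM no longer sees the Authorization header at all, so any signature or header-length check you rely on for that header will not run; review the policy's header settings before deploying it.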