For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Erlend_123973's avatar
Erlend_123973
Icon for Nimbostratus rankNimbostratus
Sep 16, 2014

How to securely present user supplied data in HTTP::respond NNN content

When i write iRules, I often use something like HTTP::respond 403 content "Error: variable $somevar not in datagroup" My concern here is, $somevar is userdefined data - often a part of HTTP::pa...
application delivery
devops
iRules
LTM
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Sep 16, 2014

I'm no security expert but if the value is user supplied the user would be only be 'attacking' themselves as only they would get this response?

 

If the user was 'innocent' and had clicked a malicious link to cause this, why would the attacker use this method, the original link would have sufficed?

 

You can use URI::decode to expose some practises and also split the $somevar data in some way with spaces (HTTP::path 'space' HTTP::uri) so the link isn't actually 'clickable'.