HTTP header security concern
Greetings, we are currently running BIG-IP 10.2.2 Build 763.3 Final. One of our software engineers sent me the email below:
"I have concerns that the F5 could potentially allow certain HTTP headers to be passed through to our infrastructure in a way that could allow a hacker to breach our security."
"In short, our network service applications look at several different HTTP header values to find identifying information about the caller. If the F5 allows these fields to come in from the outside world, then a hacker could alter the requesting chain or store ID... or, in a worst-case scenario, spoof the actual certificate information coming from the SSL certificate (there are old header values that the app looks at that wouldn't necessarily be overwritten by security information coming from the incoming SSL certificate)."
Could one of you sharp gentlemen kindly supply me with an answer for him? Point me to documentation?
We use the iRule below to inject the SSL cert subject into a header; I believe this is what he is referring to:
when CLIENTSSL_CLIENTCERT {
    # Guard: X509::subject on a missing cert raises a Tcl error, so check the count first
    if { [SSL::cert count] > 0 } {
        set cert_subject [X509::subject [SSL::cert 0]]
    } else {
        set cert_subject ""
    }
    # The body brace must be on the same line as the condition, or the rule fails to load
    if { $cert_subject == "" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"
    }
}
when HTTP_REQUEST {
    # cert_subject is connection-scoped: set once at the handshake, visible on every request
    if { [info exists cert_subject] } {
        HTTP::header insert SSLClientCertSubject $cert_subject
        return
    }
}
Any response is greatly appreciated.
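The rule as posted only inserts the F5's header; it never strips a copy of SSLClientCertSubject that the client itself sent, so a caller with no certificate (or a different one) could arrive at the application carrying a forged subject. The iRule below is an added example written for this post, not the poster's rule or F5-supplied code. It assumes the virtual server's clientssl profile is set to request or require a client certificate (so CLIENTSSL_CLIENTCERT fires and SSL::verify_result is meaningful), and the two extra header names X-Requesting-Chain and X-Store-Id are hypothetical stand-ins for whatever "requesting chain" and "store ID" headers the application actually reads.

```tcl
# Added example (not the original poster's iRule): strip every header the
# back end treats as "set by the F5" from the inbound request, then insert
# only values the F5 established itself.
# Assumption: clientssl profile has Client Certificate = request/require.

when CLIENTSSL_CLIENTCERT {
    # Trust the subject only if a cert was presented AND it passed the
    # profile's chain verification (SSL::verify_result 0 == X509_V_OK).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_subject [X509::subject [SSL::cert 0]]
    } else {
        set cert_subject ""
        log local0. "[IP::client_addr]:[TCP::client_port]: no verified client cert (verify_result=[SSL::verify_result])"
    }
}

when HTTP_REQUEST {
    # Headers only the F5 may set. SSLClientCertSubject is the real one from
    # the poster's rule; X-Requesting-Chain and X-Store-Id are hypothetical
    # placeholders (assumption) for the app's other identity headers.
    # Do NOT list headers that legitimate callers are allowed to send.
    set f5_only_headers [list "SSLClientCertSubject" "X-Requesting-Chain" "X-Store-Id"]

    foreach hdr $f5_only_headers {
        # Loop so that a client sending the same header several times is
        # fully stripped, whatever HTTP::header remove does with duplicates.
        while { [HTTP::header exists $hdr] } {
            HTTP::header remove $hdr
        }
    }

    # Insert the subject the F5 verified at the handshake. A request on a
    # connection with no verified cert reaches the app with no
    # SSLClientCertSubject header at all; the app must treat absence as
    # "unauthenticated" rather than falling back to another header.
    if { [info exists cert_subject] && $cert_subject ne "" } {
        HTTP::header insert SSLClientCertSubject $cert_subject
    }
}
```

The remove-then-insert order is the whole point: HTTP::header insert appends, and HTTP::header replace rewrites one instance, so neither on its own guarantees that a client-supplied copy of the header is gone. CLIENTSSL_CLIENTCERT runs once per handshake while HTTP_REQUEST runs for every request on the connection, so the stripping has to live in HTTP_REQUEST. Keep the log line while rolling this out; it tells you which callers were relying on an unverified or absent certificate.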