Forum Discussion

Dave_Pisarek_25
Mar 17, 2019

irule or ASM Dataguard to mask sensitive data.

I am trying to mask specific data on the response from an application. In the curl output below you can see the version of the app running:

    GET /messenger/ HTTP/1.1
    Host: xxxxx
    User-Agent: curl/7.54.0
    Accept: */*

    < HTTP/1.1 200 OK
    < Access-Control-Allow-Origin: *
    < X-Request-ID: xxxxxx
    < Content-Type: application/json; charset=utf-8
    < Content-Length: 19
    < Date: Sun, 17 Mar 2019 14:21:03 GMT
    < Connection: keep-alive
    <
    * Connection #0 to host xxxxxxx left intact
    {"version":"3.4.4"}

I created the below regex and added it to dataguard but it is not masking the data:

    /?:{\"version\":\"3.4.4\"})/


ASM settings: Block is enabled on the policy for Dataguard.

I have also tried the URL /messenger/ in the list and nothing. What am I missing here? Also, is there an iRule to do the same as Dataguard?

  • Here's an iRule to do that specific string, but it probably wouldn't scale too well if you have a lot of other strings to replace:

    when HTTP_REQUEST {
      # Disable the stream filter for client requests
      STREAM::disable
    }
    
    when HTTP_RESPONSE {
      # Disable the stream filter for server responses
      STREAM::disable
    
      # Enable the stream filter for JSON responses only
      if {[HTTP::header value Content-Type] contains "json"}{
    
        # Replace 'old_text' with 'new_text'
        STREAM::expression {@{"version":"3.4.4"}@{"version":"x.x.x"}@}
    
        # Enable the stream filter
        STREAM::enable
      }
    }
    

    And some testing:

    HTTP/1.1 200 OK
    Date: Sun, 17 Mar 2019 15:56:18 GMT
    Server: Apache/2.4.34 (Unix)
    Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
    ETag: "2a-5844c365dbc0c"
    Accept-Ranges: bytes
    Content-Length: 42
    Content-Type: application/json
    
    {"some-data": "here"}
    {"version":"3.4.4"}
    

    After the rule is applied:

    HTTP/1.1 200 OK
    Date: Sun, 17 Mar 2019 15:56:54 GMT
    Server: Apache/2.4.34 (Unix)
    Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
    ETag: "2a-5844c365dbc0c"
    Accept-Ranges: bytes
    Content-Type: application/json
    Transfer-Encoding: chunked
    
    {"some-data": "here"}
    {"version":"x.x.x"}
    
  • I think it's just the regex. The documentation says it takes PCRE expressions, but maybe it's slightly different?

    I put the string in the custom pattern exactly as it shows up in the response and it masks it:

    HTTP/1.1 200 OK
    Date: Sun, 17 Mar 2019 16:14:09 GMT
    Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
    ETag: "2a-5844c365dbc0c"
    Accept-Ranges: bytes
    Content-Length: 42
    Content-Type: application/json
    Set-Cookie: TS01ce3b70=01ab350b1380a1d499b6b31bbd8fd165e9cea5e3b49f3bb2488ec38e985de0fb0f24c3aa51ce1302f1a6ded68aff123b1f26f4d34c; Path=/; HTTPOnly
    
    {"some-data": "here"}
    *******************
    

    Also, I think you'll want to disable blocking in learning and blocking for dataguard information leakage. You'll actually get a block page instead of the masked data if block is set.

    • Dave_McCauley_3

      A side note, this would probably break anything calling that API that is trying to parse that as JSON. The iRule approach might be better since you can keep it as well-formatted JSON and not be at the mercy of ASM's masking. Potentially the PCRE expression could match the whole string but just replace the version part and keep the quotes.
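Expanding on the iRule's STREAM replacement and on Dave_McCauley_3's note about keeping the JSON well-formed, the following Python is an added example, not code from the thread or from F5. It contrasts masking the whole matched token with asterisks (what the DataGuard capture above shows) against replacing only the version value inside its quotes, checks which of the two results a JSON client can still parse, and recalculates Content-Length after the rewrite. The iRule does not need that last step because the stream filter switches the response to chunked encoding, as the second capture shows. The sample bodies, the VERSION_RE pattern and all function names are constructed for this example.

```python
import json
import re

# Constructed sample bodies, modelled on the JSON in the thread's captures.
CURL_BODY = b'{"version":"3.4.4"}'
MIXED_BODY = b'{"some-data": "here", "version": "10.2.13"}'

# Hypothetical pattern (not the thread's DataGuard expression): it matches the
# whole key/value pair so nothing else in the body matches by accident, but
# captures the key plus opening quote, the version number and the closing
# quote separately so a replacement can keep everything except the number.
VERSION_RE = re.compile(rb'("version"\s*:\s*")([0-9]+(?:\.[0-9]+)*)(")')


def mask_whole_token(body: bytes) -> bytes:
    """DataGuard-style masking: overwrite the entire match with asterisks.
    The key and its quotes are overwritten too, so the result is no longer JSON."""
    return VERSION_RE.sub(lambda m: b"*" * len(m.group(0)), body)


def mask_value_only(body: bytes, placeholder: bytes = b"x.x.x") -> bytes:
    """Stream-filter style replacement: keep groups 1 and 3 (key and quotes),
    swap only the captured version number for the placeholder."""
    return VERSION_RE.sub(lambda m: m.group(1) + placeholder + m.group(3), body)


def is_valid_json(body: bytes) -> bool:
    """True if a JSON client would still be able to parse the body."""
    try:
        json.loads(body)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def rewrite_response(headers: dict, body: bytes) -> tuple:
    """Mask the version and fix Content-Length, since the placeholder is not
    guaranteed to be the same length as the original value. Leaving the old
    Content-Length in place would truncate the body or stall the client."""
    new_body = mask_value_only(body)
    new_headers = dict(headers)
    if "Content-Length" in new_headers:
        new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body


if __name__ == "__main__":
    for body in (CURL_BODY, MIXED_BODY):
        starred = mask_whole_token(body)
        replaced = mask_value_only(body)
        print("original  :", body.decode(), is_valid_json(body))
        print("asterisks :", starred.decode(), is_valid_json(starred))
        print("value only:", replaced.decode(), is_valid_json(replaced))
    hdrs, new = rewrite_response(
        {"Content-Type": "application/json", "Content-Length": str(len(MIXED_BODY))},
        MIXED_BODY,
    )
    print("Content-Length after rewrite:", hdrs["Content-Length"], "body length:", len(new))
```

The same idea carries over to the iRule: a STREAM::expression whose search side matches the key and any version number while the replacement side writes back the key with a fixed placeholder keeps the response parseable, and because the rewrite happens in the stream filter the length change is handled by chunked encoding rather than by an edited Content-Length header.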