Forum Discussion
iRule or ASM Dataguard to mask sensitive data.
I am trying to mask specific data on the response from an application. In the curl output below you can see the version of the app running:
GET /messenger/ HTTP/1.1
Host: xxxxx
User-Agent: curl/7.54.0
Accept: */*

< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< X-Request-ID: xxxxxx
< Content-Type: application/json; charset=utf-8
< Content-Length: 19
< Date: Sun, 17 Mar 2019 14:21:03 GMT
< Connection: keep-alive
<
* Connection #0 to host xxxxxxx left intact
{"version":"3.4.4"}
I created the below regex and added it to dataguard but it is not masking the data:
/?:{\"version\":\"3.4.4\"})/
ASM settings: Block is enabled on the policy for Dataguard.
I have also tried the url /messenger/ in the list and nothing. What am I missing here? Also is there an irule to do the same as Dataguard?
I think it's just the regex. The documentation says it takes PCRE expressions, but maybe it's slightly different?
I put the string in the custom pattern exactly as it shows up in the response and it masks it:
HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 16:14:09 GMT
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json
Set-Cookie: TS01ce3b70=01ab350b1380a1d499b6b31bbd8fd165e9cea5e3b49f3bb2488ec38e985de0fb0f24c3aa51ce1302f1a6ded68aff123b1f26f4d34c; Path=/; HTTPOnly

{"some-data": "here"}
*******************
Also, I think you'll want to disable blocking in learning and blocking for dataguard information leakage. You'll actually get a block page instead of the masked data if block is set.
- Dave_McCauley_3Cirrostratus
Here's an iRule to do that specific string, but it probably wouldn't scale too well if you have a lot of other strings to replace:
when HTTP_REQUEST {
    # Disable the stream filter for client requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Disable the stream filter for server responses
    STREAM::disable
    # Enable the stream filter for text responses only
    if {[HTTP::header value Content-Type] contains "json"} {
        # Replace 'old_text' with 'new_text'
        STREAM::expression {@{"version":"3.4.4"}@{"version":"x.x.x"}@}
        # Enable the stream filter
        STREAM::enable
    }
}
And some testing:
HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 15:56:18 GMT
Server: Apache/2.4.34 (Unix)
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json

{"some-data": "here"}
{"version":"3.4.4"}
After the rule is applied:
HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 15:56:54 GMT
Server: Apache/2.4.34 (Unix)
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Type: application/json
Transfer-Encoding: chunked

{"some-data": "here"}
{"version":"x.x.x"}
- Dave_McCauley_3Cirrostratus
A side note, this would probably break anything calling that API that is trying to parse that as JSON. The iRule approach might be better since you can keep it as well-formatted JSON and not be at the mercy of ASM's masking. Potentially the PCRE expression could match the whole string but just replace the version part and keep the quotes.
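The side note above suggests matching the whole "version" member but replacing only the value, so the response stays valid JSON. The Python script below is an added example, not code from this thread and not F5 code. It models the two approaches against a constructed response: blanket masking of the matched text with asterisks (what a Dataguard custom pattern does) and value-only replacement (what the STREAM::expression iRule does), gated on the Content-Type the same way the iRule is, and with Content-Length recomputed because the body length can change (the iRule output above shows the BIG-IP switching to Transfer-Encoding: chunked for that reason). The function names, the regex and the sample response are assumptions made for the example.

```python
import json
import re

# Constructed sample response, modelled on the thread's curl output
# (this is not captured traffic).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b'{"version":"3.4.4"}'
)

# Match the whole "version" member but capture the value on its own, so a
# replacement can rewrite just the value and keep the key and quotes intact.
VERSION_RE = re.compile(rb'("version"\s*:\s*")([^"]*)(")')


def mask_like_dataguard(body: bytes) -> bytes:
    """Blank the entire matched member with asterisks, as a Dataguard
    custom pattern does. The quotes go too, so the result is not JSON."""
    return VERSION_RE.sub(lambda m: b"*" * len(m.group(0)), body)


def mask_version_value(body: bytes, placeholder: bytes = b"x.x.x") -> bytes:
    """Replace only the captured value; key and quotes are preserved."""
    return VERSION_RE.sub(lambda m: m.group(1) + placeholder + m.group(3), body)


def is_valid_json(body: bytes) -> bool:
    """True if the body still parses as JSON."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def rewrite_response(raw: bytes, placeholder: bytes = b"x.x.x") -> bytes:
    """Apply mask_version_value to a full HTTP response.

    Mirrors the iRule's gate: only bodies whose Content-Type contains "json"
    are touched. Content-Length is recomputed because the placeholder may not
    be the same length as the original value.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    headers = head.split(b"\r\n")

    content_type = b""
    for line in headers:
        if line.lower().startswith(b"content-type:"):
            content_type = line.split(b":", 1)[1].strip().lower()
    if b"json" not in content_type:
        return raw  # leave non-JSON responses alone

    new_body = mask_version_value(body, placeholder)
    new_headers = [
        b"Content-Length: " + str(len(new_body)).encode()
        if line.lower().startswith(b"content-length:") else line
        for line in headers
    ]
    return b"\r\n".join(new_headers) + sep + new_body


if __name__ == "__main__":
    print(mask_like_dataguard(b'{"version":"3.4.4"}'))
    print(rewrite_response(SAMPLE_RESPONSE, b"masked").decode())
```

The regex is deliberately anchored on the key rather than on a literal value, so it keeps working after the application is upgraded; the Dataguard pattern and the iRule above both stop matching as soon as the version string changes.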