Forum Discussion

Dave_Pisarek_25's avatar
Dave_Pisarek_25
Icon for Nimbostratus rankNimbostratus
Mar 17, 2019

irule or ASM Dataguard to mask sensitive data.

I am trying to mask specific data on the response from an application. In the curl output below you can see the version of the app running:   GET /messenger/ HTTP/1.1 Host: xxxxx User-Agent: curl...
application delivery
ASM Advanced WAF
iRules
security
  • Dave_McCauley_3's avatar
    Dave_McCauley_3
    Mar 17, 2019

    I think it's just the regex. The documentation says it takes PCRE expressions, but maybe it's slightly different?

    I put the string in the custom pattern exactly as it shows up in the response and it masks it:

    HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 16:14:09 GMT
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json
Set-Cookie: TS01ce3b70=01ab350b1380a1d499b6b31bbd8fd165e9cea5e3b49f3bb2488ec38e985de0fb0f24c3aa51ce1302f1a6ded68aff123b1f26f4d34c; Path=/; HTTPOnly

{"some-data": "here"}
*******************

    Also, I think you'll want to disable blocking in learning and blocking for dataguard information leakage. You'll actually get a block page instead of the masked data if block is set.

Dave_McCauley_3's avatar
Dave_McCauley_3
Icon for Cirrostratus rankCirrostratus
Mar 17, 2019

Here's an iRule to do that specific string, but it probably wouldn't scale too well if you have a lot of other strings to replace:

when HTTP_REQUEST {
   Disable the stream filter for client requests
  STREAM::disable
}

when HTTP_RESPONSE {
   Disable the stream filter for server responses
  STREAM::disable

   Enable the stream filter for text responses only
  if {[HTTP::header value Content-Type] contains "json"}{

     Replace 'old_text' with 'new_text'
    STREAM::expression {@{"version":"3.4.4"}@{"version":"x.x.x"}@}

     Enable the stream filter
    STREAM::enable
  }
}

And some testing:

HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 15:56:18 GMT
Server: Apache/2.4.34 (Unix)
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json

{"some-data": "here"}
{"version":"3.4.4"}

After the rule is applied:

HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 15:56:54 GMT
Server: Apache/2.4.34 (Unix)
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Type: application/json
Transfer-Encoding: chunked

{"some-data": "here"}
{"version":"x.x.x"}