Forum Discussion
martin_58353
Cirrus
CirrusiRule STREAM::expression is not working
Hello, I have an issue with some html code injection. Below is LTM config and iRule.
LTM config:
ltm virtual /IB/vs_george-uat2_8090 {
description "george-uat2"
destination /IB/10.219.232.25:8090
ip-protocol tcp
mask 255.255.255.255
pool /IB/pool_george-uat2
profiles {
/Common/serverssl-insecure-compatible {
context serverside
}
/Common/stream { }
/Common/tcp { }
/IB/http-response-rechunk { }
/IB/ssl_george-uat2 {
context clientside
}
}
rules {
/IB/irule_hsts_remove
/IB/irule_george_hook_v2
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
}
iRule:
when RULE_INIT {
Log debug messages to /var/log/ltm? 1=yes, 0=no
set static::rewrite_debug 1
}
when HTTP_REQUEST {
debug
if {$static::rewrite_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: HTTP request to [HTTP::host][HTTP::uri]"}
STREAM::disable
remember URI
set uri [HTTP::uri]
set path [HTTP::path]
set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
switch $path {
"/" {
if { [HTTP::header value Content-Type] contains "text/html" } {
HTTP::header remove "Accept-Encoding"
}
}
}
}
when HTTP_RESPONSE {
switch -glob $path {
"/" {
if { [HTTP::header value Content-Type] contains "text/html" } {
>> this is showed in /var/log/ltm
if {$static::rewrite_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: JS Inject before"}
Inserting JavaScript
>> this is not inserted
STREAM::expression {@@@}
>> this is showed in /var/log/ltm
if {$static::rewrite_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: JS Inject after"}
Enable the stream filter for this response only
STREAM::enable
}
}
}
}
when STREAM_MATCHED {
log local0. "Stream found: [IP::client_addr]:[TCP::local_port]: matched: [STREAM::match]"
}
I can see in $1 "JS Inject before / after" but no STREAM::expression is executed (I can't see no problem in the log, and no injected code is on client side (server response).
The first iRule looks irelevant:
ltm rule /IB/irule_hsts_remove {
when HTTP_RESPONSE {
set strictTransportSecurityHeader {Strict-Transport-Security}
HTTP::header remove $strictTransportSecurityHeader
}
I have solution!
REQUEST event has no Content-Type in HTTP header, therefore is condition always false. Here is a correct code:
when HTTP_REQUEST { set path [HTTP::path] switch $path { "/" { removed if { [HTTP::header value Content-Type] contains "text/html" } { HTTP::header remove "Accept-Encoding" removed } } } }
Stanislas_Piro2Cumulonimbus
Hi,
I guess the problem is the filter is too restrictive
switch $path { "/" { if { [HTTP::header value Content-Type] contains "text/html" } { HTTP::header remove "Accept-Encoding" } } }Try to remove accept-encoding header for all requests!
martin_58353I have solution!
REQUEST event has no Content-Type in HTTP header, therefore is condition always false. Here is a correct code:
when HTTP_REQUEST { set path [HTTP::path] switch $path { "/" { removed if { [HTTP::header value Content-Type] contains "text/html" } { HTTP::header remove "Accept-Encoding" removed } } } }- Stanislas_Piro2
I'm glad I provided the solution but I'm surprised you accept your own answer as solution.