Forum Discussion

Mohamed_Alfateh's avatar
Mohamed_Alfateh
Icon for Nimbostratus rankNimbostratus
Nov 17, 2013

IRULE to append HTML code to the response based on checking parameter in the request

Dears,

 

Wondering if F5 iRULE could be used to edit the web server's HTML response based on checking change to specific parameter in the users request.

 

This is allowed in Modsecurity using STREAM_OUTPUT_BODY

 

The case as following:

 

1- The user send request to the login page with username and password (and with hidden field called role with default value = 1)

 

2- F5 check if the role field (not equal 1) then forward the request to the web app and just append HTML code to the server response

 

3- if no changes to the role field then just forward the request without changes.

 

Regards

fateh

 

application delivery
design
devops
iRules
management
security

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Nov 17, 2013

    Certainly doable, but without more information I couldn't give you an exact cut-and-paste iRule to use. Essentially though, you'd need to do two things:

    1. Detect when the role value is in the request that also POSTs the user credentials, and

    2. Insert some value into the response payload based on the above criteria. Here's an example of doing something like this:

      when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"

    if { ( [HTTP::method] equals "POST" ) and ( [string tolower [HTTP::uri]] starts_with "/auth" ) } {
        HTTP::collect [HTTP::header Content-Length]
    }
}
when HTTP_REQUEST_DATA {
    if { [HTTP::payload] contains "role=" } {
        set role 1
    }
}
when HTTP_RESPONSE {
    if { ( [info exists role] ) and ( [HTTP::header value Content-Type] contains "text" ) } {
        unset role
        STREAM::expression "@@Some Text That Needs To Be Inserted If Role Is In Request@"
        STREAM::enable
    }
}

    Because this example is non-specific, allow me to elaborate on each section.

    when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"

    if { ( [HTTP::method] equals "POST" ) and ( [string tolower [HTTP::uri]] starts_with "/auth" ) } {
        HTTP::collect [HTTP::header Content-Length]
    }
 }

    In this event, the first HTTP event that is triggered, we're going to do two things:

    1. Disable the STREAM profile and remove the Accept-Encoding header going to the server. More on this in a bit.

    2. Detect if this is a POST request for the auth page (the page that will receive the user credentials), and then collect the payload. The HTTP::collect command will trigger the HTTP_REQUEST_DATA event with the amount of data identified in the Content-Length header. One more important note here. This condition will be specific to your environment, so the URL will likely be different.

      when HTTP_REQUEST_DATA {
    if { [HTTP::payload] contains "role=" } {
        set role 1
    }
}

    In this event, you'll have complete, buffered access to the request payload. Here you'll perform whatever string function you need to determine if the role value is in the request, and then set a local variable. Again, this function will be specific to your environment and where the role value is in the payload.

    when HTTP_RESPONSE {
    if { ( [info exists role] ) and ( [HTTP::header value Content-Type] contains "text" ) } {
        unset role
        STREAM::expression "@[/body]@Some Text That Needs To Be Inserted If Role Is In Request[/body]@"
        STREAM::enable
    }
}

    If the local variable exists from the previous event, we know that this response immediately follows the role request. Ironically I suppose, a useful and very powerful function to write to the HTTP payload in iRules is also called STREAM. You'll want to add an empty STREAM profile to the VIP config for this to work. The STREAM::expression command essentially takes whatever it finds on the left, and replaces it with the value on the right, here delimited with ampersand signs. In this example, I'm replacing the end body tag in the HTML with some static content and a new end body tag. Again, this is probably not exactly what you need it to do, so your implementation will vary somewhat, but hopefully you get the idea. And finally, I unset the local variable so that subsequent responses in the same TCP session don't also get written to.

    And one final note, forum formatting didn't allow me to use the real end body tag syntax with less than and greater than signs, so I substituted square brackets for the example.

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Nov 19, 2013

    The above iRule should give you what you want, with some modifications. If you need help with a working version, I'd need some specifics, like:

     

    1. What is the exact value you're looking for in the request, and where you expect to see it (headers or payload, and in one type of request or all requests).

       

    2. What you need to add to the HTML response and where.

       

    3. And how often you need this data to be inserted (just the one time or in every response after trigger request).