Forum Discussion
iRule to block blank username/password
Newbie to iRules here so please go easy.
I have been assigned a project to work with one of our applications that now wants to load balance through our F5 (GTM WIP and LTM VIP), but they also discovered a security issue with their application. When accessing the application it normally passes through the user's credentials and then, if authorized, the user gets the requested info, through the following piece of code:
//string dbMotionUsername = ConfigurationManager.AppSettings["dbMotionUsername"];
//string dbMotionPassword = ConfigurationManager.AppSettings["dbMotionPassword"];
//string dbMotionRole = ConfigurationManager.AppSettings["dbMotionRole"];
//string domain = ConfigurationManager.AppSettings["domain"];
//dbMotion.Security.DbmPrincipal principal = dbm.securityhelper.AuthenticationHelper.GetdbMotionPrincipal(dbMotionUsername, domain, dbMotionPassword, dbMotionRole);
//DbmSecurityManager.CurrentPrincipal = principal;
BUT if this code is commented out or the credentials are left blank the requested info is still being returned.
I was wondering if there is an iRule out there or if someone had a similar issue they resolved through an iRule that they would like to share.
I am thinking (not sure how to execute) but basically somehow the iRule can find out/verify that credentials are passed and if not terminate the transaction?
Thanks in advance for any help.
3 Replies
- El_Jefe
Nimbostratus
Shane - With what you've given us, I can't really tell what you're doing. If you're using HTTP Basic Auth it could be as simple as -
You basically have to parse the username and PW, and figure out when null values come in, and then either drop the request or reject it.
when HTTP_REQUEST {
    # Log every request with client address, User-Agent and requested host/URI
    log local0. "[IP::client_addr]:[TCP::client_port]: User-Agent: [string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
    # HTTP::username is the Basic-auth user; empty means no (or blank) credentials
    if { [string tolower [HTTP::username]] eq "" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Rejected request"
        reject
    }
}
FYI - this is just an example off the top of my head. Haven't even checked syntax.
- Shane_Terrick_9
Nimbostratus
Basically trying to block requests that don't have a username or password. Hope that helps clear it up. Again, I am not very familiar with the app side that is requesting this and even less familiar with crafting iRules.
- What_Lies_Bene1
Cirrostratus
Shane, unless you can tell us how the credentials are provided (HTTP Auth headers, in the URI, in the payload, whatever) then we'll not be able to help much. Can your app guys provide any more information? If not, could you do a tcpdump of a valid and invalid 'session' and do some analysis? If you need help with tcpdump, post back.
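An iRule added here as an illustration (not posted by anyone in this thread) that builds on El_Jefe's sketch and What_Lies_Bene1's caveat: it only trusts HTTP::username/HTTP::password when the request actually carries an HTTP Basic Authorization header, it rejects a blank username or a blank password, and it answers with a 401 challenge instead of a TCP reject so the client learns why. The realm name "dbMotion" and the assumption that the app uses Basic auth are mine; if the credentials travel in the URI or the request body, this rule will not see them.

```tcl
when HTTP_REQUEST {
    # HTTP::username / HTTP::password only decode the Basic scheme; anything
    # else (no header, Bearer, NTLM, form post) is treated as "no credentials".
    set auth [HTTP::header value "Authorization"]
    set user ""
    set pass ""
    if { [string tolower [string range $auth 0 5]] eq "basic " } {
        set user [HTTP::username]
        set pass [HTTP::password]
    }

    # A blank username OR a blank password is rejected here, because the
    # backend described in the thread still returns data for empty credentials.
    if { $user eq "" || $pass eq "" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: missing or blank credentials for [HTTP::host][HTTP::uri]"
        # "dbMotion" realm is an assumed value for this example
        HTTP::respond 401 content "Authentication required" \
            "WWW-Authenticate" "Basic realm=\"dbMotion\"" \
            "Connection" "close"
        return
    }
}
```

Attach the rule to the LTM virtual server with an HTTP profile; the log line goes to /var/log/ltm so rejected attempts can be reviewed.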