For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jose_Peter_2424's avatar
Jose_Peter_2424
Icon for Nimbostratus rankNimbostratus
Feb 06, 2016

Hi All,

Finally i managed to find the iRule 🙂 Here it is:

when HTTP_REQUEST {
  Check for post requests to the URI
    if {[HTTP::uri] ends_with "/Login" && [HTTP::method] eq "POST"}{
         Collect up to 1Mb of request content
      if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] < 1048577 } {
            set content_length [HTTP::header "Content-Length"]
      } else {
            set content_length 1048576
      }
       if { $content_length > 0 } {
             HTTP::collect $content_length
      }
   }
}
when HTTP_REQUEST_DATA {
   Find the username and password from the collected payload
                 set username [findstr [HTTP::payload] username 11 \"]
                 set password [findstr [HTTP::payload] password 11 \"]
 HTTP::release
}
when ACCESS_SESSION_STARTED {
 if { [ info exists username ] } {
       ACCESS::session data set session.logon.last.username $username
       ACCESS::session data set session.logon.last.password $password
 }
}
  • AN's avatar
    AN
    Icon for Nimbostratus rankNimbostratus
    Apr 04, 2017

    I tried above iRULE in my case it was clientless... Following iRule I have:

    when HTTP_REQUEST {

    switch [HTTP::method] { "COPY" - "MOVE" { Replace Destination header with http if using SSL Offloading if { [HTTP::header Destination] starts_with "https" } { HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]] }

            HTTP::disable
    }
    "MKCOL" -
    "PROPPATCH"
    {
        HTTP::disable
    }

    } if { ( [HTTP::uri] contains "/abc/system.svc") || ( [HTTP::uri] contains "/abc/xyz/iSite/index.htm") || ( [HTTP::uri] contains "/xyz/Client/abc.application")} { HTTP::header insert "clientless-mode" 1 if { ( [HTTP::method] equals "POST" ) and ([HTTP::header value Content-Type] contains "soap+xml" ) } { if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] < 1048577 } { set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } if { $content_length > 0 } { HTTP::collect $content_length } }

    } }

    when HTTP_REQUEST_DATA { set username [findstr [HTTP::payload] 11 \"] set password [findstr [HTTP::payload] password= 11 \"] HTTP::release }

    when ACCESS_SESSION_STARTED { if { [info exists username] } { ACCESS::session data set session.logon.last.username $username } if { [info exists password] } { ACCESS::session data set session.logon.last.password $password } }

    I have and Password in multiple place in xml. I found in my packet capture it stuck very first time it find variable and password and send 302 /my.policy. Why it doesn't go through whole xml first and capture credential and go to APM,,,