Forum Discussion

Jason_105955's avatar
Jason_105955
Icon for Nimbostratus rankNimbostratus
Feb 26, 2008

Obfuscate URI's?

Greetings!     Has anyone any ideas on ways to create an iRule that will obfuscate URI's used (and returned in the HTTP payload)?     We've inherited a problem with a very badly written ap...
application delivery
dev
devops
iRules
Nicolas_Menant's avatar
Nicolas_Menant
Icon for Employee rankEmployee
Feb 27, 2008
Hi,

 

 

I'm afraid it's not really be possible to protect this

 

 

I explain: since the parameters are within the URI it means the form uses GET method to send the data.

 

 

Then between the client and the BIGIP, the URI will always contain the different parameter and their value, you won't be able to hide it since it is send by the client.

 

 

You may want to rename the parameter but it would be useless since the client will know what it is in the URI based on the value that will be assigned to each parameter.

 

 

Ex: let's say you hash in the form received by the client the username and password header. When the client will enter his credential he will see something like this in his browser:

 

http://www.test.com/index.php?sidjfsoidjf=thisistheuser&sfjsdoijfoif=thisismypassword

 

 

So the client will be able to know which parameter to modify after.

 

 

If you want to hide the parameter from the URI, you will need to use POST method and it will only hide the data into the http payload. If the client is smart he'll be able to find those data and modify it then using software like paros.

 

 

In your case you won't be able to do anything with iRules only.

 

 

HTH