Forum Discussion

Jason_105955's avatar
Jason_105955
Icon for Nimbostratus rankNimbostratus
Feb 26, 2008

Obfuscate URI's?

Greetings!     Has anyone any ideas on ways to create an iRule that will obfuscate URI's used (and returned in the HTTP payload)?     We've inherited a problem with a very badly written ap...
application delivery
dev
devops
iRules
Lee_Orrick_5554's avatar
Lee_Orrick_5554
Historic F5 Account
Feb 27, 2008
I agree with nmenant, and I do not see a way you cannot accomplish what you want to in the manner you want.

 

 

However, it might be possible to change the form method from GET to POST in the HTML page as it is sent to the client. This would force the POST behavior which is what you really want. It looks like you are using HTTPS, so the username/password are not longer in the clear.

 

 

You could use something similar to the SSN Scrubbing rule in the Code Share section of the site.

 

 

http://devcentral.f5.com/wiki/default.aspx/iRules/SocialSecurityNumberScrubbing.html

 

 

Instead of looking for SSNs in the response you would look for method=get and replace it with method=post.

 

 

When the client sent the POST to login, you know the URI they will be posting to and it would be a matter of extracting the POST data and crafting the GET URI the back end node expects.

 

 

It is at least worth considering.

 

 

AFA you data leakage, you might consider taking a look at our ASM product. It is specifically designed to prevent those kinds of attacks.