Forum Discussion
Marc_Bergeron_5
Nimbostratus
Aug 15, 2007
Process POST data
I'm looking to patch a security issue in our application until our developers have time to do their thing, and I'm hoping to do it with iRules.
What I have is a log-in page, login.asp, that doesn't validate any of its 3 fields: username, password, email. I successfully made a rule to remove brackets, slashes, and whatever else from the POST data, then realized that users may have these characters in their passwords. This example removes <, >, or % from posts and replaces them with NULL, in turn invaliding their attempt:
when HTTP_REQUEST_DATA {
  if {[string tolower [HTTP::path]] contains "login.asp"} {
    set newPayload [string map {< "" > "" % ""} [HTTP::payload]]
    HTTP::payload replace 0 [HTTP::payload length] $newPayload
    HTTP::release
    log local0. "new payload: $newPayload"
  }
}
In order to ignore the password field, I figure I need to parse the POST data, scrub all submit data except for the Password, then reassemble it back into HTTP:payload. Is there a simple way to do this. My typical payload looks like this:
redirect=&reg_id=0&ie55sp1=false&membername=marcb&password=marcb
6 Replies
- Kirk_Bauer_1018
Altostratus
I think you will have to do it that way unfortunately and I don't have any examples. If you have a 6400 or higher you could always add the Application Security Manager which is made to do these kinds of things.
- Deb_Allen_18
Historic F5 Account
Maybe this?
when HTTP_REQUEST_DATA {
  if {[string tolower [HTTP::path]] contains "login.asp"} {
    # save original password value
    set pw [findstr [HTTP::payload] "&password=" 10 &]
    # strip special characters from entire payload
    set newPayload [string map {< "" > "" % ""} [HTTP::payload]]
    # if original pw value was changed, replace original value
    if {[string first &password=$pw $newPayload] < 0} {
      regsub {("&password=)(.*?)(&)?} $newPayload {\1$pw\3} newPayload
    }
    HTTP::payload replace 0 [HTTP::payload length] $newPayload
    HTTP::release
    log local0. "new payload: $newPayload"
  }
}
Should work regardless of password parameter position.
/deb
- Marc_Bergeron_5
Nimbostratus
That doesn't seem to be working. I'm not well versed in regex, but there seems to be a handful of issues:
regsub {("&password=)(.*?)(&)?} $newPayload {\1$pw\3} newPayload
There's an extra double-quote at the beginning of the expression and the (&) only matches if the payload has variables after the password, correct? I found that removing the stray double-quote returned this payload while filtering out @ and using password 1111@: membername=marcb&password=$pw1111
If I removed the (&) constraint:
regsub {(&password=)(.*?)?} $newPayload {\1$pw\3} newPayload
I got this payload: membername=marcb&password=$pw
Closer, but not quite there. I need it to expect that there may be more variables, so the (&) needs to be (&|\n) or something to that effect, but I can't figure out what it should be. Next, I need to figure out why the $pw variable is printing instead of its value.
Thanks for the help.
Marc
- hoolio
Cirrostratus
Here is a regex that will match just the password parameter value:
(?<=password=).*?(?=&|$)
It starts matching after "password=" and stops matching at a literal ampersand or the end of line.
It matches the bolded section of the following strings:
param=value&password=1234
param=value&password=1234&param=value
password=1234&param=value
You wouldn't need to use the backreferences with this either.
Aaron
- Marc_Bergeron_5
Nimbostratus
Aaron;
I'm not sure what you mean by wouldn't need to use the backreferences, but I tried your regex in my regsub and got couldn't compile regular expression pattern: invalid embedded option.
Here's what it looks like:
regsub {(?<=password=).*?(?=&|$)} $newPayload {\1$pw\3} newPayload
- Marc_Bergeron_5
Nimbostratus
Seems like I got a handle on it. For some reason, regsub won't fill in the variable if it's in curly brackets, but removing them was returning membername=marcb&1111@ (the word password= is gone). I simply added password= to the subSpec part of regsub this way:
regsub {(password=)(.*?)(&|$)} $newPayload password=$pw newPayload
Thanks for all the help.
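For the parse, scrub and reassemble approach asked about at the top of the thread, here is an added example in plain Tcl (not code posted by anyone in this thread): it splits the urlencoded body on &, strips <, > and % from every field except the ones named in keep, and joins the fields back together, so the password value and the field separators survive unchanged. The proc name scrubPayload and the sample body are my own constructions; inside an iRule the input would be [HTTP::payload].

```tcl
# Added example, not from the thread: scrub every form field except
# "password" by parsing the urlencoded body instead of one regsub over
# the whole payload.  Runs in plain tclsh; in an iRule the body would
# come from [HTTP::payload] and go back via HTTP::payload replace.
proc scrubPayload {payload {keep {password}}} {
    set out [list]
    foreach pair [split $payload "&"] {
        # split on the first "=" only, so a value may itself contain "="
        set idx [string first "=" $pair]
        if {$idx < 0} {
            set name $pair
            set value ""
            set hasValue 0
        } else {
            set name  [string range $pair 0 [expr {$idx - 1}]]
            set value [string range $pair [expr {$idx + 1}] end]
            set hasValue 1
        }
        # fields listed in $keep are passed through untouched
        if {[lsearch -exact $keep $name] < 0} {
            set name  [string map {< "" > "" % ""} $name]
            set value [string map {< "" > "" % ""} $value]
        }
        if {$hasValue} {
            lappend out "$name=$value"
        } else {
            lappend out $name
        }
    }
    return [join $out "&"]
}

# constructed sample body with the same shape as the one in the question
set sample {redirect=<x>&reg_id=0&membername=marc<b>&password=ab<>%&next=1}
puts [scrubPayload $sample]
```

Because the password field is never rewritten, no back-reference can go wrong, and the & that follows a password sitting in the middle of the body is kept, which a replacement that also covers the (&|$) group would drop.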