SEC7111 HTTP Security Compromised Generated by a JavaScript.

What version are you running?

I believe you could apply a "re-write policy" on the F5 so that anything it sees from http:// rewrites the responses to https://, or you could use an irule to re-write the specific response from the javascript. If the URL is embeded in the response body, you would could use a streams profile with iRule to re-write the javascript response that has the ref.

ex: (not tested)

when HTTP_RESPONSE {
  if { HTTP::header value Content-Type] contains "text"} {
    STREAM::expression \
    "@http:@https:@"
    STREAM::enable
  }
}

We're running 12.1.2 HF1. Do you mean using a Rewrite Profile?

Since we are using HTTP on the back-end I did a packet capture to see the traffic from the back-end server and I actually found where the link will appear. It's inside a JSON object as a key value. We must be able to change this using an iRule of some sort. Perhaps I was too general with my Stream Profile and need to translate the address together with the URI it might work better. Here is the output from the packet capture:

Do you have an idea on how we can best rewrite this URL inside the JSON object?

Can you provide the HTTP Header from your "trace", I'm interested in the Content-Type value.

Hey Ross

Absolutely, here you go 🙂

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
        Request Version: HTTP/1.1
        Status Code: 200
        Response Phrase: OK
    Cache-Control: private, max-age=0\r\n
    Content-Type: application/json; charset=utf-8\r\n
    Server: Microsoft-IIS/7.5\r\n
    X-AspNet-Version: 4.0.30319\r\n
    X-Powered-By: ASP.NET\r\n
    Date: Wed, 12 Sep 2018 11:49:40 GMT\r\n
    Content-Length: 337\r\n
        [Content length: 337]
    \r\n
    [HTTP response 1/1]
    File Data: 337 bytes

Presumably you have HSTS set and the browser is puking because you're aiming it at http. Is it possible to change the link on the server side? If not then use an iRule that looks purely for that URL ( the page URL, not the Javascript one ) and apply a stream profile only at that point.

pseudocode would be:

when HTTP_REQUEST
    if URI is in datagroup then set $stream = 1
when HTTP_RESPONSE
    if $stream = 1 then apply stream profile

Hi Philip,

A bit of an alternative approach here could be to insert this HTTP header:

Content-Security-Policy: upgrade-insecure-requests;

This should make your browser automatically rewrite any insecurely served content to HTTPS.

More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

You could try the following: Apply a "stream" profile to your existing vs, and apply the following irule:

when HTTP_RESPONSE {
  if { HTTP::header value Content-Type] contains "application/json"} {
    STREAM::expression "@http://@https://@"
    STREAM::enable
  }
}

Thanks to your both! I'll try that during my next troubleshooting session. I tried a stream profile before but it ended up bricking the site. This should be more specific to the json object and perhaps work better.

I'll just apply an empty Stream profile right?

Correct, just apply the "default" stream profile to the existing vs, and add the iRule.

Hey RossVermette!

This worked flawlessly! You should post this as an answer so I can give you the "Accepted Answer"