SEC7111 HTTP Security Compromised Generated by a JavaScript.
Hey everyone!
I just ran into an issue that I haven't seen before. Let me give you some background:
We have a backend web application running only on port 80 and publish this through a standard HTTPS virtual server using only a Client SSL Profile. We also have an HTTP-to-HTTPS VS to make sure we access the site over HTTPS.
Everything is working great except for a specific function on the site. The application is used to handle internal billing and once you are done with entering your details, you can print a report. When working correctly, this should open up the report as a PDF file in a new window. This is when things go south.
Apparently there is a JavaScript that helps create this PDF file. First we get the "Internet Explorer is not showing all of the content" message. When accepting that, we get nothing. When checking the debugging, you find this:
The JavaScript is generating a URL of http:// when we have an active session running on https:// and security is being jeopardized. When going to the exact URL that reports the error but changing it to https:// it works straight away.
So I know what the problem is but I have no idea how to fix it. Long term would be to turn on HTTPS on the back-end server but that will take some time and we need a fix for this quite fast since they cannot print out these reports if they are not in the local office, connecting to the server directly.
I tried searching through the JavaScript to see if I could find where it actually uses http:// and just use a Stream Profile to change it, but I have not found anything.
I also tried to add a Stream Profile changing Source: http://[URL] to Target: https://[URL] but that bricked the site.
Since the problem is the JavaScript, the browser won't even send the request to the F5. If it were to send the request to the F5 it would hit the iRule and get redirected to HTTPS.
Do you guys have any idea?
- RossVermette (Nimbostratus)
What version are you running?
I believe you could apply a "re-write policy" on the F5 so that anything it sees from http:// rewrites the responses to https://, or you could use an iRule to re-write the specific response from the JavaScript. If the URL is embedded in the response body, you could use a stream profile with an iRule to re-write the JavaScript response that has the ref.
ex: (not tested)

    when HTTP_RESPONSE {
        # Rewrite http: to https: in text responses only
        if { [HTTP::header value Content-Type] contains "text" } {
            STREAM::expression "@http:@https:@"
            STREAM::enable
        }
    }

We're running 12.1.2 HF1. Do you mean using a Rewrite Profile?
Since we are using HTTP on the back-end I did a packet capture to see the traffic from the back-end server and I actually found where the link will appear. It's inside a JSON object as a key value. We must be able to change this using an iRule of some sort. Perhaps I was too general with my Stream Profile and need to translate the address together with the URI it might work better. Here is the output from the packet capture:
Do you have an idea on how we can best rewrite this URL inside the JSON object?
- RossVermette (Nimbostratus)
Can you provide the HTTP header from your "trace"? I'm interested in the Content-Type value.
Hey Ross
Absolutely, here you go 🙂

    Hypertext Transfer Protocol
        HTTP/1.1 200 OK\r\n
            [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
            Request Version: HTTP/1.1
            Status Code: 200
            Response Phrase: OK
        Cache-Control: private, max-age=0\r\n
        Content-Type: application/json; charset=utf-8\r\n
        Server: Microsoft-IIS/7.5\r\n
        X-AspNet-Version: 4.0.30319\r\n
        X-Powered-By: ASP.NET\r\n
        Date: Wed, 12 Sep 2018 11:49:40 GMT\r\n
        Content-Length: 337\r\n
            [Content length: 337]
        \r\n
        [HTTP response 1/1]
        File Data: 337 bytes

- PeteWhite (Employee)
Presumably you have HSTS set and the browser is puking because you're aiming it at http. Is it possible to change the link on the server side? If not then use an iRule that looks purely for that URL (the page URL, not the JavaScript one) and apply a stream profile only at that point.
pseudocode would be:

    when HTTP_REQUEST
        if URI is in datagroup then set $stream = 1
    when HTTP_RESPONSE
        if $stream = 1 then apply stream profile

- Giel (Nimbostratus)
Hi Philip,
A bit of an alternative approach here could be to insert this HTTP header:
Content-Security-Policy: upgrade-insecure-requests;
This should make your browser automatically rewrite any insecurely served content to HTTPS.
- RossVermette (Nimbostratus)
You could try the following: Apply a "stream" profile to your existing vs, and apply the following iRule:

    when HTTP_RESPONSE {
        # Rewrite http:// to https:// in JSON responses only
        if { [HTTP::header value Content-Type] contains "application/json" } {
            STREAM::expression "@http://@https://@"
            STREAM::enable
        }
    }

Thanks to you both! I'll try that during my next troubleshooting session. I tried a stream profile before but it ended up bricking the site. This should be more specific to the JSON object and perhaps work better.
I'll just apply an empty Stream profile, right?
- RossVermette_14 (Nimbostratus)
Correct, just apply the "default" stream profile to the existing vs, and add the iRule.
Hey RossVermette!
This worked flawlessly! You should post this as an answer so I can give you the "Accepted Answer".
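
Added example, not part of the original posts: PeteWhite's pseudocode and RossVermette's iRule combined into one iRule that rewrites only JSON responses to selected URIs. It assumes a stream profile is attached to the virtual server and that `report_uris` is a string data group you create (the name is hypothetical); removing Accept-Encoding is an addition so the stream filter sees an uncompressed body.

```tcl
# Added example, not the posters' code.
# Assumptions: a stream profile is attached to the virtual server, and
# "report_uris" is a hypothetical string data group holding the URI path
# prefixes whose JSON responses contain the http:// report link.

when HTTP_REQUEST {
    # Never run the stream filter over request payloads.
    STREAM::disable

    # Decide per request (connections are reused) whether the matching
    # response is a candidate for rewriting.
    set rewrite_json 0
    if { [class match [HTTP::path] starts_with report_uris] } {
        set rewrite_json 1
        # The stream filter cannot match inside a compressed body, so ask
        # the back end for an uncompressed response on these URIs only.
        HTTP::header remove "Accept-Encoding"
    }
}

when HTTP_RESPONSE {
    # Start from "off" so a previous response on this connection cannot
    # leave the filter enabled for unrelated content.
    STREAM::disable

    if { $rewrite_json && [HTTP::header value "Content-Type"] contains "application/json" } {
        # Same expression as in the accepted iRule: every http:// in the
        # JSON body becomes https://.
        STREAM::expression "@http://@https://@"
        STREAM::enable
    }
}
```

Scoping the rewrite to the data group and to `application/json` keeps the filter away from the rest of the site, which is where the earlier site-wide Stream Profile attempt caused breakage.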