Forum Discussion

Philip_Jonsson_
Altocumulus
Sep 12, 2018

SEC7111 HTTP Security Compromised Generated by a JavaScript.

Hey everyone!

I just ran into an issue that I haven't seen before. Let me give you some background:

We have a backend web application running only on port 80 and publish this through a standard HTTPS virtual server using only a Client SSL Profile. We also have an HTTP to HTTPS VS to make sure we access the site over HTTPS.

Everything is working great except for a specific function on the site. The application is used to handle internal billing and once you are done with entering your details, you can print a report. When working correctly, this should open up the report as a PDF file in a new window. This is when things go south.

Apparently there is a JavaScript that helps create this PDF file. First we get the "Internet Explorer is not showing all of the content" message. When accepting that, we get nothing. When checking the debugging, you find this:

The JavaScript is generating an http:// URL while we have an active session running on https://, and security is being jeopardized. When going to the exact URL that reports the error but changing it to https://, it works straight away.

So I know what the problem is but I have no idea how to fix it. The long-term fix would be to turn on HTTPS on the back-end server, but that will take some time and we need a fix for this quite fast, since they cannot print out these reports if they are not in the local office, connecting to the server directly.

I tried searching through the JavaScript to see if I can find where it actually uses http:// and just change it using a Stream Profile, but I have not found anything.

I also tried to add a Stream Profile changing Source: http://[URL] to Target: https://[URL] but that bricked the site.

Since the problem is the JavaScript, the browser won't even send the request to the F5. If it were to send the request to the F5 it would hit the iRule and get redirected to HTTPS.

Do you guys have any idea?

  • What version are you running?

    I believe you could apply a "re-write policy" on the F5 so that anything it sees from http:// rewrites the responses to https://, or you could use an iRule to re-write the specific response from the JavaScript. If the URL is embedded in the response body, you could use a stream profile with an iRule to re-write the JavaScript response that has the ref.

    ex: (not tested)

    when HTTP_REQUEST {
      # Stream rewriting is only wanted on the response side, and the server
      # must send an uncompressed body for STREAM to match on, so strip Accept-Encoding
      STREAM::disable
      HTTP::header remove "Accept-Encoding"
    }
    when HTTP_RESPONSE {
      # Rewrite only text bodies (HTML, CSS, JavaScript), not binaries such as the PDF
      if { [HTTP::header value Content-Type] contains "text" } {
        STREAM::expression "@http:@https:@"
        STREAM::enable
      }
    }
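Before putting a stream rewrite like the one in the reply above on a production virtual server, it is worth checking what the expression actually does to a body. The following is an added example, not code from this thread or from F5: a small Python simulation of a stream-profile rewrite run over a constructed JavaScript response. It assumes the stream expression syntax is "first character is the delimiter, then alternating source/target strings, terms separated by whitespace", treats sources as literal text (the real stream profile has its own matching engine), and uses a made-up application hostname, billing.example.internal. It contrasts the broad "@http:@https:@" expression with one scoped to the application's own host.

```python
import re

# Constructed sample response body, in the shape of the report-printing
# script the OP describes (not the real application's JavaScript).
SAMPLE_JS = """\
var reportUrl = "http://billing.example.internal/Reports/Print.aspx?id=42";
var xhtmlNs = "http://www.w3.org/1999/xhtml";
window.open(reportUrl, "_blank");
"""

# Assumed internal hostname of the virtual server, used to scope the rewrite.
APP_HOST = "billing.example.internal"

BROAD_EXPR = "@http:@https:@"
SCOPED_EXPR = "@http://%s@https://%s@" % (APP_HOST, APP_HOST)


def parse_stream_expression(expr):
    """Parse a stream expression into a list of (source, target) pairs.

    Each whitespace-separated term uses its first character as the delimiter
    and carries alternating source/target strings: "@src1@dst1@src2@dst2@".
    Sources are treated as literal strings in this simulation (assumption;
    the real stream profile has its own matching engine).
    """
    pairs = []
    for term in expr.split():
        if len(term) < 3 or term[0] != term[-1]:
            raise ValueError("malformed stream expression: %r" % term)
        delim = term[0]
        parts = term[1:-1].split(delim)
        if len(parts) % 2 != 0:
            raise ValueError("unpaired source/target in: %r" % term)
        pairs.extend(zip(parts[::2], parts[1::2]))
    return pairs


def apply_stream_expression(body, expr):
    """Apply every (source, target) pair of expr to body, left to right."""
    for src, dst in parse_stream_expression(expr):
        body = body.replace(src, dst)
    return body


def should_rewrite(content_type):
    """The reply's gate: rewrite only when Content-Type contains "text".

    This matches text/html and text/javascript but misses
    application/javascript and application/json.
    """
    return "text" in content_type.lower()


def rewrite_response(body, content_type, expr):
    """Emulate the iRule: gate on Content-Type, then run the stream rewrite."""
    if not should_rewrite(content_type):
        return body
    return apply_stream_expression(body, expr)


def rewritten_urls(body):
    """Return every http(s):// URL in body, to inspect the rewrite result."""
    return re.findall(r'https?://[^"\s]+', body)


if __name__ == "__main__":
    for name, expr in (("broad", BROAD_EXPR), ("scoped", SCOPED_EXPR)):
        out = rewrite_response(SAMPLE_JS, "text/javascript", expr)
        print(name, rewritten_urls(out))
```

The broad expression turns every "http:" in the body into "https:", including the XHTML namespace string, which has nothing to do with the application; the host-scoped expression only touches URLs pointing at the application itself, which is what the OP needs. Note also that the Content-Type gate in the reply ("contains text") will not match a script served as application/javascript, so check what Content-Type the back end really sends for the report script before relying on it.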