Forum Discussion
SEC7111 HTTP Security Compromised Generated by a JavaScript.
Hey everyone!
I just ran into an issue that I haven't seen before. Let me give you some background:
We have a backend web application running only on port 80 and publish this through a standard HTTPS virtual server using only a Client SSL Profile. We have also a HTTP to HTTPS VS to make sure we access the site over HTTPS.
Everything is working great except for a specific function on the site. The application is used to handle internal billing and once you are done with entering your details, you can print a report. When working correctly, this should open up the report as a PDF file in a new window. This is when things go south.
Apparently there is a JavaScript that helps creating this PDF file. First we get the "Internet Explorer is not showing all of the content". When accepting that we get nothing. When checking the debugging you find this:
The JavaScript is generating a URL of http:// when we have an active session running on https:// and security is being jeopardized. When going to the exact URL that reports the error but changing it to https:// it works straight away.
So I know what the problem is but I have no idea how to fix it. Long term would be to turn on HTTPS on the back-end server but that will take some time and we need a fix for this quite fast since they cannot print out these reports if they are not in the local office, connecting to the server directly.
I tried searching through the JavaScript to see if I can find where it actually uses http:// and just using a Stream Profile change it but I have not found anything.
I also tried to add a Stream Profile changing Source: http://[URL] to Target: https://[URL] but that bricked the site.
Since the problem is the JavaScript, the browser won't even send the request to the F5. If it were to send the request to the F5 it would hit the iRule and get redirected to HTTPS.
Do you guys have any idea?
I think it's nice to have an approved answer. All of the credits to go RossVermette who wrote the following iRule that solved the problem completely:
when HTTP_RESPONSE { if { HTTP::header value Content-Type] contains "application/json"} { STREAM::expression "@http://@https://@" STREAM::enable } }
Hey RossVermette!
This worked flawlessly! You should post this as an answer so I can give you the "Accepted Answer"
- RossVermette_14Nimbostratus
Correct, just apply the "default" stream profile to the existing vs, and add the iRule.
Thanks to your both! I'll try that during my next troubleshooting session. I tried a stream profile before but it ended up bricking the site. This should be more specific to the json object and perhaps work better.
I'll just apply an empty Stream profile right?
- RossVermetteNimbostratus
You could try the following: Apply a "stream" profile to your existing vs, and apply the following irule:
when HTTP_RESPONSE { if { HTTP::header value Content-Type] contains "application/json"} { STREAM::expression "@http://@https://@" STREAM::enable } }
- GielNimbostratus
Hi Philip,
A bit of an alternative approach here could be to insert this HTTP header:
Content-Security-Policy: upgrade-insecure-requests;
This should make your browser automatically rewrite any insecurely served content to HTTPS.
- PeteWhiteEmployee
Presumably you have HSTS set and the browser is puking because you're aiming it at http. Is it possible to change the link on the server side? If not then use an iRule that looks purely for that URL ( the page URL, not the Javascript one ) and apply a stream profile only at that point.
pseudocode would be:
when HTTP_REQUEST if URI is in datagroup then set $stream = 1 when HTTP_RESPONSE if $stream = 1 then apply stream profile
Hey Ross
Absolutely, here you go π
Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n] Request Version: HTTP/1.1 Status Code: 200 Response Phrase: OK Cache-Control: private, max-age=0\r\n Content-Type: application/json; charset=utf-8\r\n Server: Microsoft-IIS/7.5\r\n X-AspNet-Version: 4.0.30319\r\n X-Powered-By: ASP.NET\r\n Date: Wed, 12 Sep 2018 11:49:40 GMT\r\n Content-Length: 337\r\n [Content length: 337] \r\n [HTTP response 1/1] File Data: 337 bytes
- RossVermetteNimbostratus
Can you provide the HTTP Header from your "trace", I'm interested in the Content-Type value.
We're running 12.1.2 HF1. Do you mean using a Rewrite Profile?
Since we are using HTTP on the back-end I did a packet capture to see the traffic from the back-end server and I actually found where the link will appear. It's inside a JSON object as a key value. We must be able to change this using an iRule of some sort. Perhaps I was too general with my Stream Profile and need to translate the address together with the URI it might work better. Here is the output from the packet capture:
Do you have an idea on how we can best rewrite this URL inside the JSON object?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com