Forum Discussion
user validation by entering username&password in address bar
From a security perspective, it's really a bad idea to put usernames and passwords into CGI parameters because the URL will be:
- saved in the browser's history
- sent to any intermediate proxy server
- logged in HTTP request URI logs
...However, it's certainly possible.
First, understand that everything in APM is done by session variables. Session variables are assigned to users when they first connect to APM, and most things are available. In your case, you want the URI that the user's HTTP request sent, eg:
GET /?username=sanjai&password=12345 HTTP/1.1
Host: abc.com
From this, APM would set a session variable called
session.server.landinguri
It would be the user's request URI: "username=sanjai&password=12345".
The other thing we need to know is what the input data is for the "Auth" items, like AD Auth and LDAP Auth, etc. These take their data from a session variable called:
session.logon.last.username
and
session.logon.last.password
Now that we know where the data is and where it needs to go, we just have to make a policy that does it that way. We need to do a few things:
- Make sure the users put something, so validate the input.
- Process the data from "session.server.landinguri" and put it into "session.logon.last.username" / "session.logon.last.password".
We can do these in 1 step because APM's Policy Items let us put any test on each item.
Add a Variable Assign with two entries. The first entry will be:
[Secure]
session.logon.last.password = if { [regexp {password=([^&=]+)} [mcget "session.server.landinguri"] foo val] } { return $val } else { return "" }
The second will be:
[Insecure]
session.logon.last.username = if { [regexp {username=([^&=]+)} [mcget "session.server.landinguri"] foo val] } { return $val } else { return "" }
Now, in Branch Rules, you'd add one more besides Fallback. The one you add will validate that the username and password session variables were set correctly.
expr { [mcget "session.logon.last.username"] != "" && [mcget "session.logon.last.password"] != "" }
I'm having trouble for some reason to add screenshots to this post, but hopefully you can understand from the example what's happening.
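The extraction and branch-rule logic from the answer above, modelled in Python as an added example (this is not code from the original post or from F5). It mirrors the Tcl regexp expression and the non-empty check, and puts a query-string parser beside it to show two things the regex alone hides: the captured value stays percent-encoded, and a leftmost match on "password=" also hits a parameter such as "oldpassword=". The sample URIs are constructed; session variable names and the "/?" path are assumptions about how the request arrives.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request URIs, i.e. values session.server.landinguri
# would hold. Made-up inputs, not captures from any real system.
SAMPLES = {
    "ok": "/?username=sanjai&password=12345",
    "no_pw": "/?username=sanjai",
    "empty_user": "/?password=12345&username=",
    "encoded": "/?username=sanjai&password=p%40ss%26word",
    "prefixed": "/?oldpassword=zzz&username=sanjai&password=12345",
}


def regex_extract(landinguri: str, name: str) -> str:
    """Python mirror of the post's Variable Assign expression:
        regexp {name=([^&=]+)} $landinguri foo val
    Like Tcl's regexp, re.search takes the leftmost occurrence of "name=",
    and the captured text is the raw, still percent-encoded substring.
    Returns "" when there is no match so the branch rule can reject it;
    returning 0 would produce the non-empty string "0" and pass the check.
    """
    m = re.search(re.escape(name) + r"=([^&=]+)", landinguri)
    return m.group(1) if m else ""


def parsed_extract(landinguri: str, name: str) -> str:
    """Stricter alternative (assumed, not from the post): split the query
    string on real parameter boundaries and percent-decode, so oldpassword=
    is not mistaken for password= and p%40ss%26word becomes p@ss&word."""
    query = urlsplit(landinguri).query
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return values[0] if values else ""


def branch_rule(username: str, password: str) -> bool:
    """Mirror of the post's branch rule: both variables must be non-empty."""
    return username != "" and password != ""


def evaluate(landinguri: str, extract=regex_extract) -> dict:
    """Run extraction plus the branch rule the way the policy would."""
    username = extract(landinguri, "username")
    password = extract(landinguri, "password")
    return {
        "username": username,
        "password": password,
        "allowed": branch_rule(username, password),
    }


if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(label, uri)
        print("  regex :", evaluate(uri, regex_extract))
        print("  parsed:", evaluate(uri, parsed_extract))
```

With the "prefixed" sample the regex version forwards "zzz" to AD Auth while the parsed version forwards "12345"; with the "encoded" sample the regex version forwards the literal "p%40ss%26word". Either way the credentials still travel in the URL and land in history, proxy and access logs, which is the bigger problem the answer opens with.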