For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

iRule: SSN Scrubber

Want to secure your site from accidentally exposing Social Security Numbers? No problem says the iRules team. This example will show how to, for a given class of uri's, scrub the SSN's from response content replacing them with the blanket "xxx-xx-xxxx" string.

class scrub_uris {
   "/cgi-bin",
   "/account"
}

when HTTP_REQUEST {
   if { [matchclass [HTTP::uri] starts_with $::scrub_uris] } {
      set scrub_content 1
      # Don't allow data to be chunked
      if { [HTTP::version] eq "1.1" } {
         if { [HTTP::header is_keepalive] } {
            HTTP::header replace "Connection" "Keep-Alive"
         }
         HTTP::version "1.0"
      }
   } else {
      set scrub_content 0
   }
}
when HTTP_RESPONSE {
   if { $scrub_content } {
      if { [HTTP::header exists "Content-Length"] } {
         set content_length [HTTP::header "Content-Length"]
      } else {
         set content_length 4294967295
      }
      if { $content_length > 0 } {
         HTTP::collect $content_length
      }
   }
}
when HTTP_RESPONSE_DATA {
   # Find the SSN numbers
   set ssn_indices [regexp -all -inline -indices {\d{3}-\d{2}-\d{4}} [HTTP::payload]]
   # Scrub the SSN's from the response
   foreach ssn_idx $ssn_indices {
      set ssn_start [lindex $ssn_idx 0]
      set ssn_len [expr {[lindex $ssn_idx 1] - $ssn_start + 1}]
      HTTP::payload replace $ssn_start $ssn_len "xxx-xx-xxxx"
   }
}

Click here for the forum thread.

-Joe

 

[Listening to: We've Only Just Begun - Various Artists - If I Were a Carpenter (03:51)]
Published Jul 27, 2005
Version 1.0
application delivery
BIG-IP
devops
iRules
No CommentsBe the first to comment