Forum Discussion

eLeCtRoN
Feb 06, 2023

F5 iRule for FormBased Credentials drop or rewrite

Hello,

We have a web service with form-based auth. There is a login for the user "sysadmin", and I want to block the login in a form that tells the user the password is wrong. Because we cannot disable the sysadmin, he has to exist, but if someone tries a login he should be told the password is wrong, even when the password is correct. My idea was an iRule to rewrite the given password always to xxxxx or 0000000 for the user sysadmin! Has someone an idea, or better, an example iRule for that use case?

4 Replies

  • Hi eLeCtRoN,

    I guess it would be much easier to assign a 100-character password to the sysadmin?

    Rewriting the password for the sysadmin account is slightly more difficult than just rewriting the username of the sysadmin account. To rewrite the password you would need to evaluate the username and the password values, whereas the username rewrite just cares for the username itself. This makes it much easier and also more immune to certain evasion techniques.

    You may either use a [HTTP::collect] or a stream profile based approach to either collect and parse or stream-replace contents of the POST request destined to the login page.

    To help you with this, you would need to use the developer tools of your browser or HTTP proxies like Fiddler to understand the login process. You need to know where the POST request is sent to, and which params are used to submit the username and password value. It's also crucial to understand if the username must be used case-sensitive, or if the username supports inCaSeSenSiTive formats too.

    Based on that information we could help you to provide an iRule.

    Cheers, Kai

    • eLeCtRoN

      Hi Kai_Wilke,

      I guess it would be much easier to assign a 100-character password to the sysadmin?

      * It is not in our hands; we want to protect against brute-force attacks from external, and the sysadmin must still be available for internal login.

      You may either use a [HTTP::collect] or a stream profile based approach to either collect and parse or stream-replace contents of the POST request destined to the login page.

      * The login page is form-based and it is a POST request!

      To help you with this, you would need to use the developer tools of your browser or HTTP proxies like Fiddler to understand the login process. You need to know where the POST request is sent to, and which params are used to submit the username and password value. It's also crucial to understand if the username must be used case-sensitive, or if the username supports inCaSeSenSiTive formats too.

      * It is a default form-based auth, just like an Outlook Web Access form-based one; the username must be used case-sensitive, that's always the same with a default form-based auth, sysadmin or Sysadmin has to work!

      * If the password is too heavy to change, how about the username? If I log in from external with the sysadmin, then we change the username sysadmin to hansdampf, and the login is not possible for the sysadmin and the system is telling password or username is wrong!

      Kind regards

      (Edited by Leslie Hubertus to tag Kai)

  • Or I ask my question in another form: How can I remove characters from the login password in F5 via iRule for a form-based login page of an application? The reason is that from outside we do not want to give a hint that the sysadmin exists, so if I come from outside with the sysadmin, the password should be changed to 000000 so that it is invalid; from inside the user login should be possible with the sysadmin! I could prevent the access based on the username sysadmin, but after I check the username I have to make a decision: "drop" or "reject" or "403", whatever.
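As an added example (not code from the thread, from Kai, or from F5), the iRule below combines the two ideas discussed above: Kai's [HTTP::collect]-based parsing of the login POST, and the username rewrite (rather than a password rewrite) for external clients so that the application itself answers with its normal "username or password is wrong" message. The login path /login, the form field names username and password, the address-type data group internal_nets and the non-existent replacement username extblocked-sysadmin are all assumptions that must be adjusted to the real application.

```tcl
# Added example, not from the thread or from F5: hide the "sysadmin" account
# from external clients on a form-based login by rewriting the submitted
# username. The application's own failed-login path produces the response.
# Assumptions (adjust to the real application):
#   - the login form POSTs to /login as application/x-www-form-urlencoded
#   - the fields are named "username" and "password"
#   - an address-type data group "internal_nets" lists internal client ranges
#   - the replacement username "extblocked-sysadmin" does not exist in the app

when HTTP_REQUEST {
    # Only POSTs to the login form are of interest; everything else passes untouched.
    if { [HTTP::method] ne "POST" || [string tolower [HTTP::path]] ne "/login" } {
        return
    }
    # Internal clients keep full access to the sysadmin account.
    if { [class match [IP::client_addr] equals internal_nets] } {
        return
    }
    # Collect the body so it can be inspected in HTTP_REQUEST_DATA. Login forms
    # are small, so the collect size is capped; oversized bodies and requests
    # without Content-Length (chunked) are not handled here and pass unchanged.
    if { [HTTP::header exists "Content-Length"] } {
        set len [HTTP::header "Content-Length"]
        if { $len > 0 && $len <= 65536 } {
            HTTP::collect $len
        }
    }
}

when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    # Parse the form body like a query string and decode percent-encoding, so
    # "sysadmin", "SysAdmin" and "sys%61dmin" are all recognised (Kai's
    # case-sensitivity and evasion point).
    set user [string tolower [URI::decode [URI::query "/?$payload" username]]]
    if { $user eq "sysadmin" } {
        # Swap the username for one that does not exist; the password field is
        # left alone, so nothing about the real credential is touched.
        regsub -nocase {(^|&)username=[^&]*} $payload {\1username=extblocked-sysadmin} payload
        HTTP::payload replace 0 [HTTP::payload length] $payload
        # Assumption: TMOS updates Content-Length to the new payload length after
        # HTTP::payload replace; verify on your version before relying on it.
        log local0. "external sysadmin login attempt from [IP::client_addr] rewritten"
    }
    HTTP::release
}
```

The data group can be created with tmsh, e.g. `create ltm data-group internal internal_nets type ip records add { 10.0.0.0/8 { } }`, and the iRule is then attached to the virtual server that fronts the application. Two limits worth knowing: a percent-encoded parameter name (for example `user%6eame=`) is not matched by either the parse or the rewrite, and the log line gives you a detection signal for external attempts without revealing anything to the client.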