cancel
Showing results for 
Search instead for 
Did you mean: 

Verifying DataSafe is working or not ?

Sushant
Altostratus
Altostratus

I have attached my datasafe profile with my virtual server but not being able to check its status ? How can we verify Datasafe is working fine ? Inspect with my current web doesn't display anything regarding credentials.

 

 

 

 

 

1 ACCEPTED SOLUTION

Erik_Novak
F5 Employee
F5 Employee

Yes, you will need to specify conditions for validating successful login. If you are using a response code, be careful with either 200 and 302 as an expected code. Very often, 200 is not accurate if the page immediately redirects a user in which case 302 is the expected code. That's a common mistake. If you a using an explicit URL, make sure that case sensitivity is correct--/Login.php and not /login.php. For your user name parameter, make sure you selected the option "Identify as Username" in the URL Configuration section.

View solution in original post

9 REPLIES 9

Erik_Novak
F5 Employee
F5 Employee

Have you configured the URLs (perhaps a login page) and parameters (typically username and password) within the profile? Every DataSafe profile requires at least one URL to protect. If you view your application using Developer tools in your browser you should see the obfuscated JavaScript related to the protections you configured. Make sense?

Sushant
Altostratus
Altostratus

hi Erik Thank you replying back ! Yes I have configured the URL(login page) example : /login.php...as per my understanding we do not need to mention the full url as well as I have mentioned the parameters. I am not being able to verify...I have seen some of the videos in youtube and did get the point but cannot find the same details in my specific application.

Erik_Novak
F5 Employee
F5 Employee

OK, for the parameters you added to the profile, you must have selected "Identify as Username" and/or "Encrypt" and/or "Substitute Value." DataSafe secures Document Object Model objects such as your web forms on the client side. First access your web application using Chrome, but don't log in. Turn on Developer tools, right-click on one the protected form elements, and then select Inspect.

Then log in to your application. You should see something like document.form [0].username.value but the actual value should be obfuscated. If you see identifiable credentials in any of the fields you are inspecting then you need to configure DataSafe to protect them.

hello Erik..thank you again for replying....I can find the username and password parameter value if I incorrectly type wrong username and password...but cannot find it once I hit the correct username and password ....Should it be encrypted even if I hit wrong username and password ?? ??

Erik_Novak
F5 Employee
F5 Employee

If you selected encryption for each of these then yes, you should see obfuscated values. Are you using decoy forms? If so, you should be able to see these also.

Hi Erik...lots of tries with no success ...I do not get the Form Data once i enter the correct username and password...but with incorrect username and password Form Data is generated but with not encryption.

 

###################URL########################

0691T00000CnynMQAR.png 

########### PARAMETERS #################################0691T00000CnyPXQAZ.png 

############APPLICATION LAYER ENCRYPTION ##########0691T00000Cnyo7QAB.png 

 

############### SSID ############################

0691T00000CnyoRQAR.png 

Is login page properties mandatory ????

 

 

 

Erik_Novak
F5 Employee
F5 Employee

Yes, you will need to specify conditions for validating successful login. If you are using a response code, be careful with either 200 and 302 as an expected code. Very often, 200 is not accurate if the page immediately redirects a user in which case 302 is the expected code. That's a common mistake. If you a using an explicit URL, make sure that case sensitivity is correct--/Login.php and not /login.php. For your user name parameter, make sure you selected the option "Identify as Username" in the URL Configuration section.

Erik I am getting error of lower case sensitive as my URL is in upper case letter....any solution for this ?

 

 

0691T00000Co1ERQAZ.png

Erik_Novak
F5 Employee
F5 Employee

Yes. By default, DataSafe treats URLs in the URL list as case-sensitive. There is a checkbox for the option in the properties of the URL. By default, the option is not selected, and you should only select it if your app uses case-sensitive URLs. The problem is that you cannot change the settings after the anti-fraud profile is created. So to fix this problem, delete the profile and create a new one. Most likely your app is not case sensitive.