Joe Pruitt - A Software Architect's take on Network Security

posted on Wednesday, July 27, 2005 10:49 AM

This is a tie-in to my last post regarding an SSN scrubber. How would you go about scrubbing out Credit Card Numbers? This isn't as simple as searching for a nnn-nn-nnnn pattern. CCNs vary in length depending on the issuer of the card. But one thing is common: they all must pass the Luhn Formula. Info on the Luhn Formula, or MOD 10, can be found here.

This example looks for patterns that resemble credit card numbers and returns their indexes into the payload. Each number is then run through the Luhn formula (with optimizations by unRuleY). If it is indeed a valid credit card number, it is masked with X's.

when HTTP_REQUEST {
   # Don't allow data to be chunked
   if { [HTTP::version] eq "1.1" } {
      if { [HTTP::header is_keepalive] } {
         HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
   }
}

when HTTP_RESPONSE {
   if { [HTTP::header exists "Content-Length"] } {
      set content_length [HTTP::header "Content-Length"]
   } else {
      set content_length 4294967295
   }
   if { $content_length > 0 } {
      HTTP::collect $content_length
   }
}

when HTTP_RESPONSE_DATA {
  # Find ALL the possible credit card numbers in one pass  
  set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]  

  foreach card_idx $card_indices {
    set card_start [lindex $card_idx 0]
    set card_end [lindex $card_idx 1]
    set card_len [expr {$card_end - $card_start + 1}]
    set card_number [string range [HTTP::payload] $card_start $card_end]

    set double [expr {$card_len & 1}]  
    set chksum 0  
    set isCard invalid

    # Calculate MOD10
    for { set i 0 } { $i < $card_len } { incr i } { 
       set c [string index $card_number $i]  
       if {($i & 1) == $double} {  
          if {[incr c $c] >= 10} {incr c -9}  
       }  
       incr chksum $c  
    }  

    # Determine Card Type
    switch [string index $card_number 0] {  
       3 { set type AmericanExpress }  
       4 { set type Visa }  
       5 { set type MasterCard }  
       6 { set type Discover }  
       default { set type Unknown }  
    }
    
    # If valid card number, then mask out numbers with X's  
    if { ($chksum % 10) == 0 } {  
       set isCard valid 
       HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
    }
    
    # Log results (this writes the full card number to the local0 log)
    log local0. "Found $isCard $type CC# $card_number"
  }
}
Click here for the forum thread.

-Joe

[Listening to: Early Morning Rain - Gordon Lightfoot - Gord's Gold (03:18)]

Posted In: iRules,
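
The scrubbing logic above can be exercised off-box before the iRule is deployed. The following stand-alone tclsh script is an added example, not part of the original post: it goes beyond the iRule by also accepting a single space or dash between digits, and the procedure names `luhn_ok` and `scrub` and the sample body are constructed for illustration.

```tcl
# Added example, not from the original post. Runs in plain tclsh (no BIG-IP).
# The post's issuer patterns, with one optional space or dash between digits.
set card_re {(?:3[4-7](?:[ -]?\d){13})|(?:4(?:[ -]?\d){15})|(?:5[1-5](?:[ -]?\d){14})|(?:6011(?:[ -]?\d){12})}

# MOD 10 check using the same doubling rule as the iRule above.
proc luhn_ok {digits} {
    set len [string length $digits]
    set double [expr {$len & 1}]
    set chksum 0
    for {set i 0} {$i < $len} {incr i} {
        set c [string index $digits $i]
        if {($i & 1) == $double} {
            if {[incr c $c] >= 10} {incr c -9}
        }
        incr chksum $c
    }
    return [expr {($chksum % 10) == 0}]
}

# Mask every candidate that passes MOD 10; returns a two-element list:
# the number of masked candidates and the scrubbed text.
proc scrub {payload} {
    global card_re
    set hits 0
    foreach idx [regexp -all -inline -indices $card_re $payload] {
        set start [lindex $idx 0]
        set end [lindex $idx 1]
        set cand [string range $payload $start $end]
        # Separators are dropped for the checksum only
        set digits [string map {" " "" "-" ""} $cand]
        if {[luhn_ok $digits]} {
            # Overwrite digits in place so separators and length are preserved
            regsub -all {\d} $cand X masked
            set payload [string replace $payload $start $end $masked]
            incr hits
        }
    }
    return [list $hits $payload]
}

# Constructed sample body using published test card numbers (hypothetical data)
set body "visa=4111111111111111 bad=4111111111111112 amex=3782 822463 10005 mc=5555-5555-5555-4444"
foreach {hits clean} [scrub $body] break
puts "masked $hits candidate(s)"
puts $clean
```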

Feedback

1/25/2006 11:27 AM
If you have a critical application being delivered over the network, then guess what...your network is now critical. Moreover, as this article and many before it go on to discuss, the network that these applications run on becomes more than just a delivery mechanism, it becomes part of the application itself.
Colin Walker
3/27/2006 1:58 PM
send
ccn
roman
11/29/2010 6:10 PM
Hi Joe,

Thank you for posting this information.

With this iRule, I can mask CC number in http_response. I am looking for masking CC number or replacing real CC number into dummy CC number.

What do you suggest I should do to meet this requirement?

Thanks,

Narendra
Narendra
