DevCentral > Weblogs > Lori MacVittie - Two Different Socks

iRules

There are 40 entries for the tag iRules

How to Gracefully Degrade Web 2.0 Applications To Maintain Availability

I haven’t heard the term “graceful degradation” in a long time, but as we continue to push the limits of data centers and our budgets to provide capacity it’s a concept we need to revisit. You might have heard that Twitter was down (again) last week. What you might not have heard (or read) is some interesting crunchy bits about how Twitter attempts to maintain availability by degrading capabilities gracefully when services are over capacity. “Twitter Down, Overwhelmed by Whales” from Data Center Knowledge offered up the juicy details: ...


posted @ Wednesday, January 27, 2010 2:55 AM | Feedback (1)

The Application Delivery Spell Book: Contingency

The long, lost application delivery spell compendium has been found! Its once hidden, arcane knowledge is slowly being translated for the good of all web applications. Luckily, you don’t have to be Elminster or Gandalf or <insert powerful wizard you know here> to cast this spell over your infrastructure. Contingency. School of Magic: Evocation. Components: Somatic (requires gestures), Material (requires physical component). Saving Throw: None. Spell Resistance: No. Through the use of the contingency spell, application delivery professionals can dictate the conditions...


posted @ Monday, December 07, 2009 3:37 AM | Feedback (5)

No Shirt, No Shoes, No HTTP Service

Using Anonymous Human Authentication to prevent illegitimate access to sites, services, and applications. In the “real world” there are generally accepted standards set for access to a business and its services. One of the most common standards is “No shirt, no shoes, no service.” Folks not meeting these criteria are typically not allowed past the doors of a business. But on the web, access to services is implicit in the fact that the business is offering the service. If the HTTP service is accessible, it’s implicitly allowing connections and providing service without any standard criteria...


posted @ Monday, November 30, 2009 4:47 AM | Feedback (1)

Is Vendor Lock-In Really a Bad Thing?

When you look at the success of some very proprietary solutions and the loyalty with which customers defend them, you have to wonder if vendor lock-in is really as bad a thing as we sometimes make it sound. The subtext in the discussions around data portability and interoperability in general in cloud computing is really about vendor lock-in. Those driving efforts to come up with solutions that allow customers to pack up their data and head to another provider are primarily concerned about the dangers of being locked-in to a single vendor solution. ...


posted @ Friday, November 13, 2009 3:47 AM | Feedback (7)

TLS Man-in-the-Middle Attack Disclosed Yesterday Solved Today with Network-Side Scripting

Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack was disclosed. Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution. No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability...


posted @ Friday, November 06, 2009 12:30 PM | Feedback (4)

Using Network-Side Scripting to Convert Microsoft Smart Quotes to HTML Entities

You can address the problem of converting smart quotes – and any other content - in your application if you control the code. What if you’re using third-party software for which you do not have the code? Or what if it is your code but the “defect” is so low on the priority list that you won’t get to it until the year 2020? Dealing with Microsoft smart quotes is a fact of life for developers. Almost every developer out there has a server-side script/function they use to strip them out of user-generated content and replace them with web-friendly HTML...


posted @ Monday, November 02, 2009 3:03 AM | Feedback (0)

Using Network-Side Scripting to Implement Mock API Endpoints

Steve (apparently yes, we are on a first name basis) offers up his thoughts on developing APIs for the Cloud in “A Cloud Tools Manifesto.” While the inclusion of the word “manifesto” in the title raised quite the stir (“Manifestogate” is still fresh on the minds of many cloud-oriented people), what really caught my eye is his inclusion of a “mock endpoint” primarily for testing of API-based integration and development. This is something that’s increasingly important not just to cloud but to Web 2.0 and social networking sites that provide APIs via which other sites and client applications can...


posted @ Monday, October 05, 2009 4:00 AM | Feedback (5)

AJAX and Network-Side Scripting

AJAX enables the use of network-side scripting enabled application delivery solutions to offload client-side functionality and improve capacity and performance of dynamic (Web 2.0/AJAX) applications. In the last couple of weeks I’ve embarked on a home project to rewrite – from scratch – a couple of web applications that Don and I and friends use on a regular basis. Consider it a very restricted (in terms of users) social networking application, because that’s basically what it is. I made heavy use of AJAX for one component in the past version but have been really leveraging it a lot more...


posted @ Wednesday, September 16, 2009 5:02 AM | Feedback (13)

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

But browser support is only half the solution, don’t forget to implement the server-side, too. Clickjacking, unlike more well-known (and understood) web application vulnerabilities, has been given scant attention despite its risks and its usage. Earlier this year, for example, it was used as an attack on Twitter, but never really discussed as being a clickjacking attack. Maybe because aside from rewriting applications to prevent CSRF (adding nonces and validation of the same to every page) or adding framekillers there just haven’t been many other options to prevent the attack technique from being utilized against...


posted @ Tuesday, June 23, 2009 3:27 AM | Feedback (4)

The Secret of the Security Safety Dance

Attackers say, we can go where we want to; we can leave our code behind… There’s probably a raid going on right now in Naxxramas and the attackers are almost certainly doing the Safety Dance. They probably learned the Safety Dance the same way I learned about it; from someone well-versed in its intricate steps. See, if you don’t know the Safety Dance and you come up against Heigan the Unclean, well… he’s not called Heigan the Unclean for nothing. You will not survive. Not even if you happen to have a Holocaust Cloak at...


posted @ Wednesday, June 03, 2009 3:58 AM | Feedback (2)

Using Resource Obfuscation to Reduce Risk of Mass SQL Injection

One of the ways miscreants locate targets for mass SQL injection attacks that can leave your applications and data tainted with malware and malicious scripts is to simply seek out sites based on file extensions. Attackers know that .ASP and .PHP files are more often than not vulnerable to SQL injection attacks, and thus use Google and other search engines to seek out these target-rich environments by extension. Using a non-standard extension will not eliminate the risk of being targeted by a mass SQL injection attack, but it can significantly reduce the possibility because your site will automatically turn...


posted @ Thursday, March 05, 2009 3:46 AM | Feedback (3)

I am in your HTTP headers, attacking your application

Zero-day IE exploits and general mass SQL injection attacks often overshadow potentially more dangerous exploits targeting lesser known applications and attack vectors. These exploits are potentially more dangerous because once proven through a successful attack on these lesser known applications they can rapidly be adapted to exploit more common web applications, and no one is specifically concentrating on preventing them because they're, well, not so obvious. Recently, SANS Internet Storm Center featured a write up on attempts to exploit Roundcube Webmail via the HTTP Accept header. Such an attack is generally focused on exploitation of operating system, language, or environmental...


posted @ Thursday, January 15, 2009 9:12 AM | Feedback (4)

Stop brute force listing of HTTP OPTIONS with network-side scripting

Over the holidays Marcin @ tssci security offered up a python script for brute forcing the HTTP OPTIONS on directories. One of the reasons someone would want this information is because if you're (accidentally, of course) allowing PUT methods on any directories, someone can upload something nasty and potentially execute an attack. The availability of PUT makes XSS attacks simple even for script kiddies, for example. There may be legitimate reasons for enabling PUT on your servers, but you don't necessarily want the whole world to know that - just the applications that need the functionality....


posted @ Monday, January 05, 2009 5:58 AM | Feedback (5)

How to prevent content theft using Apache mod_rewrite or F5 iRules

Over the years imaginative developers have come up with a number of ways through which they hope to stop the pilfering of their images. Whether due to copyright issues or the increased bandwidth and associated costs resulting from "hot linking", site owners have tried a variety of solutions from JavaScript that prevents the ability to right-click and "save as" to watermarking high-resolution versions to make their images less appealing to image thieves. Regardless of the reason you may want to prevent image theft, there's an easier and more effective method than introducing easily countered JavaScript and costly alternative...


posted @ Tuesday, October 21, 2008 3:31 AM | Feedback (5)

How to instrument your Java EE applications for a virtualized environment

If you're excited about the automation capabilities of cloud computing and virtualization, you are going to love this solution. In a virtualized environment where applications can ostensibly be popping up all over, and applications are no longer tied to specific servers, there is a need to automatically manage these application instances in a high-availability (load balanced) environment. What you need is the ability to automagically add and remove application instances from the application delivery controller (load balancer) so you don't have to worry about tying those applications down, which could reduce the benefits typically associated with virtualization. If...


posted @ Tuesday, September 30, 2008 4:49 AM | Feedback (3)

BusinessWeek takes viral advertising a little too seriously

Yesterday it was reported that BusinessWeek had been infected with malware via an SQL injection attack. [begin Mom lecture] Remember when we talked about PCI DSS being a good idea for everyone, even though it's just a requirement for the payment card industry? If I've told you once, I've told you a million times: safer is better, more protection never hurts. ...


posted @ Tuesday, September 16, 2008 5:40 AM | Feedback (1)

Automatically detecting client speed

We used to spend a lot of cycles worrying about detecting user agents (i.e. browser) and redirecting clients to the pages written specifically for that browser. You know, back when browser incompatibility was a way of life. Yesterday. Compatibility is still an issue, but most web developers are either using third-party JavaScript libraries to handle detection and incompatibility issues or don't use those particular features that cause problems. One thing still seen at times, however, is the "choose high bandwidth or low bandwidth" entry pages, particularly on sites laden with streaming video and audio, whose...


posted @ Tuesday, September 09, 2008 3:31 AM | Feedback (1)

The Treachery of Hyperlinks

With apologies to René Magritte. Did you know you could stop the treachery that is Rickrolling hyperlinks with an iRule? Just search your outbound HTML for the appropriate YouTube URLs (you may need a data group to store them all) and strip them out, or search your inbound posts for the URLs and refuse to post them. Of course you could also write an iRule that automatically changes every submitted URL to be a rickroll, but man, that's evil! Maybe you just want to do it for a specific user. You...


posted @ Friday, August 08, 2008 3:59 AM | Feedback (2)

Working around client-side limitations on custom HTTP headers

One of the most well-kept secrets in technology is the extensibility of HTTP. It's one of the reasons it became the de facto application transport protocol and it was instrumental in getting SOAP off the ground before SOAP 1.2 and WS-I Basic Profile made the requirement for the SOAP Action header obsolete. Web browsers aren't capable of adding custom HTTP headers on their own; that functionality comes from the use of client-side scripting languages such as JavaScript or VBScript. Other RIA (Rich Internet Applications) client platforms such as Adobe AIR and Flash are also capable of adding HTTP...


posted @ Wednesday, August 06, 2008 4:07 AM | Feedback (1)

One Size Does Not Fit All

Outside of the technology world a lot of products are billed as "one size fits all". Anyone who's purchased such a product generally knows, no, no they don't. They're close, but never a truly good fit. Inside the technology world we know better. Software and solutions are never a "one size fits all" proposition, that's why so many business software solutions are "customizable": ERP (enterprise resource planning), CRM (customer relationship management), workflow, automation, and portals. Just about every software solution you can purchase these days takes a customizable approach to actually meeting the needs of the business. ...


posted @ Monday, July 28, 2008 6:46 AM | Feedback (0)

Your Stack Trace, Show It To Me

Of all the reasons you need an application delivery controller capable of bi-directional inspection of application data this is one of the best. I was trying to check out the results of a poll on PollDaddy.com and ended up with this beautiful Microsoft .NET error page, filled with so much valuable information that potential attackers must even now be laughing in that "evil genius" laugh you so often hear in retro-cartoons. This error page tells me so many things about the application, its environment, and its associated infrastructure that it should be a crime to let this information...


posted @ Tuesday, July 22, 2008 8:46 AM | Feedback (6)

API Request Throttling: A Better Option

This past week there's been some interesting commentary regarding Twitter's change to its API request throttling feature. Request throttling, often used as a method to ensure QoS (Quality of Service) for a variety of network and application uses, is used by Twitter as an attempt to not overwhelm the system such that they are forced to display the now (in)famous Twitter fail whale image. One of the things you can do with a BIG-IP Local Traffic Manager (LTM) and iRules is request throttling. Why would you want to let a mediating device like an application delivery controller control...


posted @ Monday, June 30, 2008 3:43 AM | Feedback (7)

Green IT: 404 Blacklisting

One of the premises of a greener IT is to reduce the number of servers necessary while maintaining performance levels and meeting capacity needs. Chances are that many of the HTTP requests received that result in a 404 (not found) message are typos, bots, or bad guys attempting to find a way into your web applications. The thing is that the server must respond to these requests, and it often requires some disk I/O to discover the file doesn't exist. That's expensive in terms of resources and can increase the total power consumption of your servers. If you're finding enough...


posted @ Friday, June 27, 2008 4:06 AM | Feedback (0)

Fixing Internet Explorer & AJAX

A few weeks ago, as developers are wont to do, I rewrote our online gameroom. Version 1 was getting crusty, and I'd written all the AJAX handlers manually and wanted to clean up the code by using Prototype and Script.aculo.us. You may recall we discussed using these tools to build a Web 2.0 interface to iControl. So I rewrote it and was pretty pleased with myself. Until one of our players asked why it wasn't working in Internet Explorer (IE). Now Version 1 hadn't worked in IE either, but because I have a captive set of users I ignored the...


posted @ Thursday, June 26, 2008 4:41 AM | Feedback (9)

iRules: Dynamic WSDL Update

Remember way back when we talked about dynamically updating a WSDL to present the appropriate endpoint when being delivered through a BIG-IP? You may recall the basic problem: automatically generated WSDL docs contain the local web/application server's IP address/FQDN as the endpoint and not the IP address/FQDN of the BIG-IP, leaving clients with a non-reachable service endpoint. Since that original blog post, a couple of users have asked for the appropriate iRule to dynamically update those auto-generated WSDL docs. Colin was kind enough to code up just such an iRule, and wrap it up with some...


posted @ Monday, June 23, 2008 5:52 AM | Feedback (1)

Improving Security Through Dynamic Resource Obfuscation

One of the most basic attacks against data-driven sites generated dynamically through scripting languages like PHP and ASP is to use the weaknesses of the language against the developer. Attacks against sites that make use of scripting languages often attempt to exploit system level calls that can lead to all sorts of nastiness with very little work on the part of the attacker. One of the ways to guard against this is to write secure code, of course, but we all know that we can only code against known attacks. The unknown is something we just...


posted @ Monday, June 16, 2008 7:46 AM | Feedback (1)

Load Balancing: Welcome to the 21st Century

Kevin Saitta, a solution consultant, has a nice blog post on architecting a Microsoft BizTalk 2006 R2 solution. Unfortunately, amidst the goodness, is a statement regarding load balancers that needs to be corrected. Kevin is not alone in his beliefs regarding load balancers, unfortunately, I've seen a lot of posts lately that seem to indicate that folks out there still have a circa 1999 knowledge set regarding the capabilities of load balancers. Kevin writes: "Load Balancer: A load balancer balances the load between servers, but more importantly, if one server...


posted @ Wednesday, June 11, 2008 5:12 AM | Feedback (0)

iRules: Unifying REST Access Methods

In researching the MySpace deprecated API exploit I came across the details on MySpace's REST (Representational State Transfer) API. I'm going to ignore the debate surrounding the definition of "high REST" versus "low REST" and concentrate on the bridging aspect, as it's something I've already touched on and find to be of more value than worrying over what it's called or whether it's a standard or whatever else might be the focus of these arguments. You may recall that part of the problem with a true REST implementation is that many browsers do not support PUT and DELETE....


posted @ Friday, June 06, 2008 9:02 AM | Feedback (0)

Sessions and Cookies and Persistence, oh my!

At some point (you hope!) it becomes necessary to implement load-balancing for your applications. So you went out and got one, either from a hardware vendor or maybe downloaded a solution, and put it into place. Now you're ready to go, right? Maybe not just yet. Do your applications require persistence? Yes? You did remember to validate that your solution is capable of performing persistence-based load-balancing, didn't you? If you're shaking your head wondering why this application thing is important to load balancing, read on. Persistence is one of the best examples of why it's so...


posted @ Wednesday, June 04, 2008 4:50 AM | Feedback (0)

Using "X-Forwarded-For" in Apache or PHP

An issue that often comes up for users of any full proxy-based product is that the original client IP address is often lost to the application or web server. This is because in a full proxy system there are two connections: one between the client and the proxy, and a second one between the proxy and the web server. Essentially, the web server sees the connection as coming from the proxy, not the client. Needless to say, this can cause problems if you want to know the IP address of the real client for logging, for troubleshooting, for...


posted @ Monday, June 02, 2008 4:20 AM | Feedback (24)

What IT Security can learn from a restroom sign

As an industry - both security and application delivery - we talk a lot about securing the application infrastructure (databases, web and application servers) by making sure that the data going into the applications is "clean". After all, we know that GIGO (Garbage In Garbage Out) is a true statement in terms of web applications and data. Unfortunately we tend to worry a lot more about the GI than the GO. While it's better for everyone to prevent that SQL injection or XSS attack from polluting our databases and potentially distributing malicious code to hundreds or thousands of...


posted @ Thursday, May 29, 2008 5:46 AM | Feedback (1)

iRules: Content Scrub rule for the Adobe Flash Exploit

After reading most of what's available on the Adobe Zero Day Exploit, and getting an idea of how it propagates (Flash and JavaScript inserted via an SQL injection attack), I turned to iRules guru Colin for some help crafting an iRule that might stop a site from serving up infected content to a user. This is particularly helpful for those who are running a BIG-IP but who aren't running a web application firewall like ASM (Application Security Manager) and may have been inadvertently infected. After looking through the screen capture of some JavaScript that attempts to load the malware from...


posted @ Thursday, May 29, 2008 5:40 AM | Feedback (0)

How do you stop psd5c4fpsd3a4epsd227?

By now you've certainly heard about the "zero day" Adobe Flash player exploit. If not, you can read a bit about it here and here. What appears to be going on is similar to how other exploits and malware become quickly propagated across the web: 1. Set up a site that hosts some malware with a simple but effective password stealer hidden in a Flash file. 2. Inject malicious code via SQL injection techniques into a web site that will load the Flash files from the host you set up in step 1....


posted @ Wednesday, May 28, 2008 11:00 AM | Feedback (0)

Making the most of your IP address space with layer 7 switching

Organizations trying to make their presence known on the Internet today run into an interesting dilemma - there just aren't enough IP addresses to go around. Long gone are the days when any old organization could nab a huge chunk of a Class A or even Class B network. Today they're relegated to a small piece of a Class C, which is often barely enough to run their business. This is especially true for smaller businesses, which are lucky if they can get a /29 at a reasonable rate. While we wait for IPv6 to be fully adopted...


posted @ Wednesday, May 28, 2008 6:38 AM | Feedback (0)

iRules: Event-Driven Intelligence

There's been a lot of talk about event-driven architectures lately, and mostly in the context of SOA (Service Oriented Architecture). Event-driven is an almost ancient (by technology standards, anyway) concept that involves executing some sort of logic when some event happens. Anyone who's ever had the (mis)fortune to code for early versions of Windows will remember well the event-driven handlers you had to code that were required to build an application. This paradigm followed us to the web, where functions are now coded in JavaScript to handle just about any user - and system - event that might affect...


posted @ Thursday, April 10, 2008 7:04 AM | Feedback (0)

iRules: Rewriting URIs for Fun and Profit

Why do web app developers make URLs so hard to remember?!? Rewriting for Fun Over the course of the past few weeks I've sent out a link to our personal Gallery installation to share pictures of our new son many times. Now I love Gallery and even though I can recite PI to 42 significant digits, I can't recall the exact URL to the album containing his pictures. I'm constantly looking it up and cutting and pasting it into my e-mail and quite frankly, it's getting annoying. It's long and confusing and not easily remembered. I can't rewrite...


posted @ Thursday, March 06, 2008 9:47 AM | Feedback (1)

iRules: Ask and ye shall receive

Erik Dafforn recently posted his Webmaster Wish List for 2008. What it sounds like is that Erik is really asking for tools that make it easier to configure web sites and, more specifically, how web servers respond to requests. What's interesting about his list is that most of his wish list can easily be answered with the implementation of a simple iRule on BIG-IP Local Traffic Manager. For example, you might have pages such as www.companyname.com/products/ and www.companyname.com/products/index.aspx. Typically, these URLs contain exactly the same content, but due to inconsistent linking throughout the site (and from third-party sites),...


posted @ Friday, January 11, 2008 1:42 PM | Feedback (6)

iRules: Adjusting AJAX-based Update Intervals in Real-Time

You've just deployed a Web 2.0 application that includes an AJAX-based real-time updating component. Maybe it's something like Twitter, or a stock chart, or sports scores. Whatever the content is, you've been hearing from users that sometimes those updates just ... fail. Upon further investigation you might discover - will likely discover - that users for which the updates fail have high-latency or low-bandwidth connections. Or both. You don't want to penalize broadband users for whom the app works just fine, but you don't want to alienate those users stuck on dial-up or poor connections. Worse, you can't know...


posted @ Monday, November 19, 2007 9:26 AM | Feedback (0)

iRules: Simulating RESTful Behavior

One of the premises of REST (Representational State Transfer) is that it is simpler to use well-known HTTP methods (PUT, DELETE, GET, POST) to perform actions upon resources than it is to construct complex SOAP or traditional HTTP-based application messages. REST resources are identified by URIs (Uniform Resource Identifiers) that are specific to the resource. For example, instead of retrieving information about a city with a URI something like this: http://www.example.com/getcityinformation.php?city=Madison&state=WI you would use the GET HTTP method along with a URI that looks more like this: http://www.example.com/Madison/WI You could also (ostensibly) use the PUT method to...


posted @ Friday, November 02, 2007 8:54 AM | Feedback (2)

s/regex/English/g

In a world of 4G languages, regular expressions aren't something with which developers are necessarily familiar. Regular expressions are the thing of scripts, and *nix, and vi. In the fast growing arena of XML, XPath and XQuery have all but supplanted regular expressions by necessity, and yet many XML-focused appliances support regular expressions as a mechanism for matching and even extracting data in certain circumstances. iRules and its parent scripting language, TCL, rely heavily on regular expressions much like other scripting languages such as PERL. While system administrators likely find this comforting, it can be daunting for developers new...


posted @ Wednesday, August 01, 2007 11:59 AM | Feedback (3)