Forum Discussion

Nimbostratus

Sep 16, 2014

How to securely present user supplied data in HTTP::respond NNN content

When i write iRules, I often use something like HTTP::respond 403 content "Error: variable $somevar not in datagroup" My concern here is, $somevar is userdefined data - often a part of HTTP::pa...

Employee

Sep 16, 2014

I'd perhaps suggest two things:

Set the HTTPOnly flag on all cookies. It's of course not a 100% solution, but it would prevent most script-based access to cookies.

As WLB suggests, simply URI::encode the output value:

HTTP::respond 403 content "Error: variable [URI::encode $somevar] not in datagroup"

Forum Discussion

How to securely present user supplied data in HTTP::respond NNN content

Recent Discussions

iRule resulting in too many redirects

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

cat and grep command for rst messages

iControl for Gtm wideip

Telemetry streaming to Elasticsearch

Related Content

Curse the Rusty OSS supply chain - September 10th to 16th, 2023 - F5 SIRT - This Week in Security

Change cookie domain in HTTP::respond

Trust, Supply Chain, CVEs, Patching, and Schneier - Nov 5th - 11th - F5 SIRT - This Week in Security

iOS and Chrome, Supply Chain and new Phishing attacks - This Week in Security - Aug 29 to Sept 4th

Gzip content when using HTTP::respond