Obfuscate URI's?

Historic F5 Account

Feb 28, 2008

I agree with nmenant, and I do not see a way you cannot accomplish what you want to in the manner you want.

However, it might be possible to change the form method from GET to POST in the HTML page as it is sent to the client. This would force the POST behavior which is what you really want. It looks like you are using HTTPS, so the username/password are not longer in the clear.

You could use something similar to the SSN Scrubbing rule in the Code Share section of the site.

http://devcentral.f5.com/wiki/default.aspx/iRules/SocialSecurityNumberScrubbing.html

Instead of looking for SSNs in the response you would look for method=get and replace it with method=post.

When the client sent the POST to login, you know the URI they will be posting to and it would be a matter of extracting the POST data and crafting the GET URI the back end node expects.

It is at least worth considering.

AFA you data leakage, you might consider taking a look at our ASM product. It is specifically designed to prevent those kinds of attacks.

Forum Discussion

Recent Discussions

GSLB - Monitoring LTM VIP load balancing via iRule

Can iRule forward request to pool after ASM block without ASM:unblock ?

failed: Cannot contact any KDC for realm

GCP F5 deployment - Active -Active with config Sync

Problems connecting to vpn after upgrading to ubuntu 24.04

Related Content

What is HTML Field Obfuscation?

How to Use F5 Distributed Cloud to Obfuscate Ingress and Egress Traffic

Obfuscate GTM's BIND Version

Improving Security Through Dynamic Resource Obfuscation

set TOKEN [getfield [HTTP::uri]