irule or ASM Dataguard to mask sensitive data.

I am trying to mask specific data on the response from an application. In the curl output below you can see the version of the app running:

GET /messenger/ HTTP/1.1
Host: xxxxx
User-Agent: curl/7.54.0
Accept: */*

< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< X-Request-ID: xxxxxx
< Content-Type: application/json; charset=utf-8
< Content-Length: 19
< Date: Sun, 17 Mar 2019 14:21:03 GMT
< Connection: keep-alive
<
* Connection #0 to host xxxxxxx left intact
{"version":"3.4.4"}

I created the below regex and added it to dataguard but it is not masking the data:

/?:{\"version\":\"3.4.4\"})/

ASM settings: Block is enabled on the policy for Dataguard.

I have also tried the url /messenger/ in the list and nothing. What am I missing here? Also is there an irule to do the same as Dataguard?

Comments on this Question
Comment made 1 month ago by Dave McCauley 357

Here's an iRule to do that specific string, but it probably wouldn't scale too well if you have a lot of other strings to replace:

when HTTP_REQUEST {
  # Disable the stream filter for client requests
  STREAM::disable
}

when HTTP_RESPONSE {
  # Disable the stream filter for server responses
  STREAM::disable

  # Enable the stream filter for JSON responses only
  if {[HTTP::header value Content-Type] contains "json"} {

    # Replace the literal version string with a masked value
    STREAM::expression {@{"version":"3.4.4"}@{"version":"x.x.x"}@}

    # Enable the stream filter
    STREAM::enable
  }
}

And some testing:

HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 15:56:18 GMT
Server: Apache/2.4.34 (Unix)
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json

{"some-data": "here"}
{"version":"3.4.4"}

After the rule is applied:

HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 15:56:54 GMT
Server: Apache/2.4.34 (Unix)
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Type: application/json
Transfer-Encoding: chunked

{"some-data": "here"}
{"version":"x.x.x"}
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I think it's just the regex. The documentation says it takes PCRE expressions, but maybe it's slightly different?

I put the string in the custom pattern exactly as it shows up in the response and it masks it:

HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 16:14:09 GMT
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json
Set-Cookie: TS01ce3b70=01ab350b1380a1d499b6b31bbd8fd165e9cea5e3b49f3bb2488ec38e985de0fb0f24c3aa51ce1302f1a6ded68aff123b1f26f4d34c; Path=/; HTTPOnly

{"some-data": "here"}
*******************

Also, I think you'll want to disable blocking in learning and blocking for dataguard information leakage. You'll actually get a block page instead of the masked data if block is set.

0
Comments on this Answer
Comment made 1 month ago by Dave McCauley 357

A side note, this would probably break anything calling that API that is trying to parse that as JSON. The iRule approach might be better since you can keep it as well-formatted JSON and not be at the mercy of ASM's masking. Potentially the PCRE expression could match the whole string but just replace the version part and keep the quotes.

0
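
The idea in the last comment, matching any version number but replacing only the value so the response stays valid JSON, could look like the iRule below. This is an added example, not code from the thread; it assumes a Stream profile is attached to the virtual server and that the version is always three dot-separated numbers, and the Accept-Encoding removal assumes the backend would otherwise compress its responses.

```tcl
# Added example, not from the original thread.
# Assumes a Stream profile is attached to the virtual server and that the
# version is always three dot-separated numbers.
when HTTP_REQUEST {
  # Do not rewrite client requests
  STREAM::disable

  # Assumption: ask the server for an uncompressed body, since the stream
  # filter cannot match text inside a compressed response
  HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
  # Off by default; turned on only for JSON responses below
  STREAM::disable

  if {[HTTP::header value Content-Type] contains "json"} {
    # Match the key plus any numeric version. The replacement part is left
    # empty because STREAM_MATCHED supplies it.
    STREAM::expression {@"version":"[0-9]+\.[0-9]+\.[0-9]+"@@}
    STREAM::enable
  }
}

when STREAM_MATCHED {
  # Record what was masked so the rewrite can be audited later
  log local0. "Masked [STREAM::match] in response to [IP::client_addr]"

  # Swap only the version value and keep the key and quotes, so the body
  # is still valid JSON for API clients
  STREAM::replace "\"version\":\"x.x.x\""
}
```

Unlike the literal match on 3.4.4, this keeps masking after the application is upgraded to a new version.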