iRule to block blank username/password

Question

Newbie to iRules here so please go easy.&nbsp;
 &nbsp;
I have been assigned a project to work with one of our applications that now wants to load balance thru our F5 (Gtm WIP and LTM VIP), but they also discovered a security issue with their application.  When accessing the appliarion it normally passes thru the users credentials and then if authorized the user gets the requested info, thru the following piece of code&nbsp;
 &nbsp;
            //string dbMotionUsername = ConfigurationManager.AppSettings["dbMotionUsername"];&nbsp;
            //string dbMotionPassword = ConfigurationManager.AppSettings["dbMotionPassword"];&nbsp;
            //string dbMotionRole = ConfigurationManager.AppSettings["dbMotionRole"];&nbsp;
            //string domain = ConfigurationManager.AppSettings["domain"];&nbsp;
 &nbsp;
            //dbMotion.Security.DbmPrincipal principal = dbm.securityhelper.AuthenticationHelper.GetdbMotionPrincipal(dbMotionUsername, domain, dbMotionPassword, dbMotionRole);&nbsp;
            //DbmSecurityManager.CurrentPrincipal = principal;&nbsp;
 &nbsp;
 &nbsp;
BUT if this code is commented out or the credentials are left blank the requested info is still being returned.&nbsp;
 &nbsp;
I was wondering if there is an iRule out there or if someone had a similiar issue they resolved thru an iRule that they woudl liek to share.&nbsp;
I am thinking (not sure how to execute) but basically somehow the iRule can find out/verify that credentials are passed and if not terminate the transaction?&nbsp;
Thanks in advance for any help.&nbsp;

el_jefe · Answer

Shane - With what you've given us, I can't really tell what you're doing. If you're using HTTP Basic Auth it could be as simple as -  
&nbsp; You basically have to parse the username and PW, and figure out when null values come in, and then either drop the request or reject it. 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    log local0. "[IP::client_addr]:[TCP::client_port]: User-Agent: [string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]" 
&nbsp;    if { [string tolower [HTTP::username]] eq ""} { 
&nbsp;       log local0. "[IP::client_addr]:[TCP::client_port]: Rejected request" 
&nbsp;       reject 
&nbsp;    } 
&nbsp; } 
&nbsp;  
&nbsp; FYI - this is just an example off the top of my head. Haven't even checked syntax.

shane_terrick_9 · Answer

Basically trying to block requests that don't have a usrname or password.   Hope that helps clear it up.  Again.  I am not very familiar with the app side that is requesting this and even less familiar with crafting iRules.

what_lies_bene1 · Answer

Shane, unless you can tell us how the credentials are provided (HTTP Auth headers, in the URI, in the payload, whatever) then we'll not be able to help much. Can you app guys provide any more information? If not, could you do a tcpdump of a valid and invalid 'session' and do some analysis? If you need help with tcpdump, post back.

Forum Discussion

iRule to block blank username/password

3 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Require username and password for virtual server

Unable to login on F5 GUI using default admin/admin username & password.

MS Exchange ProxyNotShell block implemented via iRules

Block traffic

iRule - Block part of a query