Forum Discussion

Marc_Bergeron_5
Nimbostratus
Aug 15, 2007

Process POST data

I'm looking to patch a security issue in our application until our developers have time to do their thing, and I'm hoping to do it with iRules.

What I have is a log-in page, login.asp, that doesn't validate any of its 3 fields: username, password, email. I successfully made a rule to remove brackets, slashes, and whatever else from the POST data, then realized that users may have these characters in their passwords. This example removes <, >, or % from posts and replaces them with NULL, in turn invalidating their attempt:

when HTTP_REQUEST_DATA {
  if {[string tolower [HTTP::path]] contains "login.asp"} {
    # strip < > % from the entire collected body
    set newPayload [string map {< "" > "" % ""} [HTTP::payload]]
    # write the scrubbed body back and let the request continue
    HTTP::payload replace 0 [HTTP::payload length] $newPayload
    HTTP::release
    log local0. "new payload: $newPayload"
  }
}

In order to ignore the password field, I figure I need to parse the POST data, scrub all submit data except for the Password, then reassemble it back into HTTP::payload. Is there a simple way to do this? My typical payload looks like this:

redirect=&reg_id=0&ie55sp1=false&membername=marcb&password=marcb

6 Replies

  • I think you will have to do it that way unfortunately and I don't have any examples. If you have a 6400 or higher you could always add the Application Security Manager which is made to do these kinds of things.
    Deb_Allen_18
    Historic F5 Account
    Maybe this?
     when HTTP_REQUEST_DATA {
       if {[string tolower [HTTP::path]] contains "login.asp"} {
         # save original password value
         set pw [findstr [HTTP::payload] "&password=" 10 &]
         # strip special characters from entire payload
         set newPayload [string map {< "" > "" % ""} [HTTP::payload]]
         # if original pw value was changed, replace original value
         if {[string first &password=$pw $newPayload] < 0 }{
           regsub {("&password=)(.*?)(&)?} $newPayload {\1$pw\3} newPayload
         }
         HTTP::payload replace 0 [HTTP::payload length] $newPayload
         HTTP::release
         log local0. "new payload: $newPayload"
       }
     }

    Should work regardless of password parameter position.

    /deb
  • That doesn't seem to be working. I'm not well versed in regex, but there seem to be a handful of issues:

    regsub {("&password=)(.*?)(&)?} $newPayload {\1$pw\3} newPayload

    There's an extra double-quote at the beginning of the expression, and the (&) only matches if the payload has variables after the password, correct? I found that removing the stray double-quote returned this payload while filtering out @ and using password 1111@: membername=marcb&password=$pw1111

    If I removed the (&) constraint:

    regsub {(&password=)(.*?)?} $newPayload {\1$pw\3} newPayload

    I got this payload: membername=marcb&password=$pw

    Closer, but not quite there. I need it to expect that there may be more variables, so the (&) needs to be (&|\n) or something to that effect, but I can't figure out what it should be. Next, I need to figure out why the $pw variable is printing instead of its value.

    Thanks for the help.

    Marc
  • Here is a regex that will match just the password parameter value:

    (?<=password=).*?(?=&|$)

    It starts matching after "password=" and stops matching at a literal ampersand or the end of line.

    It matches the password value (shown here as 1234) in each of the following strings:

    param=value&password=1234

    param=value&password=1234&param=value

    password=1234&param=value

    You wouldn't need to use the backreferences with this either.

    Aaron
  • Aaron;

    I'm not sure what you mean by wouldn't need to use the backreferences, but I tried your regex in my regsub and got "couldn't compile regular expression pattern: invalid embedded option".

    Here's what it looks like:

    regsub {(?<=password=).*?(?=&|$)} $newPayload {\1$pw\3} newPayload

  • Seems like I got a handle on it. For some reason, regsub won't fill in the variable if it's in curly brackets, but removing them was returning membername=marcb&1111@ (the word password= is gone). I simply added password= to the subSpec part of regsub this way:

    regsub {(password=)(.*?)(&|$)} $newPayload password=$pw newPayload

    Thanks for all the help.
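The following is an added example, not code from the original thread or from F5. It does what the opening question asks for directly: split the form body into fields, scrub every field except the password, and reassemble it, instead of scrubbing the whole body and patching the password back in with regsub. Parsing avoids three regsub pitfalls that the thread runs into: in a regsub subSpec the characters & and \ are special, so an unbraced password=$pw substitution is misread if the password contains them; the trailing (&|$) in the final pattern is part of the match and is not re-emitted, so a field that follows the password is glued onto it; and the "invalid embedded option" error is the Tcl regex engine of that TMOS release rejecting the (?<=...) lookbehind, which it does not support. Assumptions, all illustrative: the field is literally named "password", the banned characters are < > % as in the thread, and the body is application/x-www-form-urlencoded. It is written as a plain Tcl proc so it can be exercised with tclsh; in an iRule of that era the body would be inlined into HTTP_REQUEST_DATA, and HTTP_REQUEST_DATA only fires if HTTP::collect was issued in HTTP_REQUEST, which neither rule in the thread shows.

```tcl
# Added example (not from the original thread): scrub all fields of a
# form-encoded POST body except the password, by parsing rather than regsub.
#
# Assumptions (illustrative, not from the page): field name "password",
# banned characters < > %, body is application/x-www-form-urlencoded.

proc scrubFormBody {body {keepField password}} {
    # Characters removed from every field other than $keepField.
    # Stripping "%" also destroys URL-encoding (%40 is "@"), which is
    # exactly why the password must not pass through this map.
    set scrubMap {< "" > "" % ""}

    set out [list]
    foreach pair [split $body "&"] {
        # Keep empty segments (e.g. from "a=1&&b=2") so the field count and
        # positions are unchanged for the application.
        if {$pair eq ""} {
            lappend out $pair
            continue
        }
        # Split on the first "=" only; a value may itself contain "=".
        set eq [string first "=" $pair]
        if {$eq < 0} {
            set name $pair
            set value ""
        } else {
            set name  [string range $pair 0 [expr {$eq - 1}]]
            set value [string range $pair [expr {$eq + 1}] end]
        }
        if {[string tolower $name] eq [string tolower $keepField]} {
            # The password field is passed through byte-for-byte.
            lappend out $pair
        } elseif {$eq < 0} {
            lappend out [string map $scrubMap $name]
        } else {
            lappend out "[string map $scrubMap $name]=[string map $scrubMap $value]"
        }
    }
    return [join $out "&"]
}

# Constructed sample input (not a captured request), shaped like the payload
# quoted in the thread, with a markup injection attempt in membername and a
# URL-encoded password that contains "<" and "@" (%3C and %40).
set sample {redirect=&reg_id=0&ie55sp1=false&membername=<b>marcb</b>&password=p%3C1111%40&next=1}
puts [scrubFormBody $sample]

# iRule wiring (assumes HTTP_REQUEST called HTTP::collect for POSTs to
# login.asp; shown as comments because "when" is not a tclsh command):
# when HTTP_REQUEST_DATA {
#     if {[string tolower [HTTP::path]] contains "login.asp"} {
#         set newPayload [scrubFormBody [HTTP::payload]]
#         HTTP::payload replace 0 [HTTP::payload length] $newPayload
#         HTTP::release
#     }
# }
```

Running the sample strips the tags from membername (leaving "bmarcb/b"), keeps password=p%3C1111%40 intact with its percent-encoding, and keeps the next=1 field separated by its own ampersand, which is the case the regsub approach in the thread breaks on.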