Jason_105955
Feb 26, 2008Nimbostratus
Obfuscate URI's?
Greetings!
Has anyone any ideas on ways to create an iRule that will obfuscate URI's used (and returned in the HTTP payload)?
We've inherited a problem with a very badly written app, where a form page takes data such as username/password and generates a URI such as https://www.website.org/login.asp?username=x&password=y
It's worse than that since the app has failed a pen test where it allows data leakage by manipulating the URI manually, so by changing the record= parameter in the URI below, other records can be accessed.
https://www.website.org/getdata.asp?record=100001
I know it's terrible coding, but for various reasons it's not an option to recode and fix all the problems in the short term, so I'm trying to find a way to mangle the URI's invisibly.
If the URI could be mangled to show
https://www.website.org/gH4yrh499skjfdjs
or some other equally meaningless string, it'll be virtually impossible for the URI to be manipulated.
We've a way of doing this through another route, but unfortunately it only mangles the first part of the URI and not the second, so we're seeing for example:
https://www.website.org/gH4yrh499skjfdjs?record=100001
Of course the website is also returning payload with a series of links in the same form which need to be obfuscated in the same way!
Any insights would be appreciated!!
Oh, and ASM isn't an option right now!