Forum Discussion

OM
Dec 13, 2018

ASM hide parameter sensitive data in the logs

Hi, I am trying to hide (mask) sensitive data for parameters such as password, social ID, etc. I added a parameter in (Security --> Application Security --> Parameters --> Sensitive Parameters) without success. I also added a parameter in the parameters list, no luck. The password is still in clear text in the logs. My OS version is 12.3.1, I am using POST requests and the parameters are in the header as follows:

 

POST /myloginpage HTTP/1.1
Host: mysite.com
Connection: keep-alive
Content-Length: 1412
Cache-Control: max-age=0
Origin: https://mysite.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://mysite.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie : cookie....

NAME_2_AJXButtonAction&C2__LOGIN%5B1%5D.ACCESSCODE=myuser&C2__LOGIN%5B1%5D.FORMPASSWORD=mypass

 

Any hint?

Thank you.

om

 

3 Replies

  • Can you try adding the parameter manually, define it as Global, and then select the option to Mask Value in Logs?

     

  • In your POST data, the parameter name is

    C2__LOGIN%5B1%5D.FORMPASSWORD

    Did you try to add this parameter as a sensitive parameter, or the decoded value:

    C2__LOGIN[1].FORMPASSWORD
    
  • OM

    Solved... When using the Allowed URLs feature along with sensitive parameters, there is a parameter called "Request Body Handling" within the URLs configuration that has to be set to "Form Data".

    Now the password is masked in the logs.

    Thank you all for your help.
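
As an added example (not from the thread and not F5's implementation), this Python sketch matches sensitive parameters on the URL-decoded name, as the second reply suggests, masks their values, and checks a logged body for values that are still in clear text. The names `SENSITIVE`, `MASK`, `mask_form_body` and `unmasked_fields`, and the asterisk mask string, are assumptions of this sketch.

```python
from urllib.parse import unquote_plus

# Decoded names of parameters to protect (name taken from the thread).
SENSITIVE = {"C2__LOGIN[1].FORMPASSWORD"}
MASK = "********"  # assumed mask string for this sketch


def _fields(body):
    """Yield (raw_name, sep, raw_value, decoded_name) for each form field."""
    for pair in body.split("&"):
        # Valueless fields such as "NAME_2_AJXButtonAction" have no "=".
        name, sep, value = pair.partition("=")
        yield name, sep, value, unquote_plus(name)


def mask_form_body(body, sensitive=SENSITIVE):
    """Return a log-safe copy of an application/x-www-form-urlencoded body."""
    out = []
    for name, sep, value, decoded in _fields(body):
        # Match on the decoded name so "%5B1%5D" and "[1]" are the same field.
        if sep and decoded in sensitive:
            value = MASK
        out.append(name + sep + value)
    return "&".join(out)


def unmasked_fields(logged_body, sensitive=SENSITIVE):
    """List sensitive fields whose logged value is not entirely asterisks."""
    return [
        decoded
        for _name, _sep, value, decoded in _fields(logged_body)
        if decoded in sensitive and value.strip("*") != ""
    ]


# Request body copied from the original post.
SAMPLE = ("NAME_2_AJXButtonAction&C2__LOGIN%5B1%5D.ACCESSCODE=myuser"
          "&C2__LOGIN%5B1%5D.FORMPASSWORD=mypass")

if __name__ == "__main__":
    print(unmasked_fields(SAMPLE))                  # password still in clear text
    print(mask_form_body(SAMPLE))                   # log-safe copy
    print(unmasked_fields(mask_form_body(SAMPLE)))  # nothing left to report
```

Running `unmasked_fields` over request bodies exported from the logs gives a quick regression check after a policy change such as the "Request Body Handling" setting.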