Forum Discussion

RiverFish
Sep 25, 2012

HTTP header security concern

Greetings, we are currently running BIG-IP 10.2.2 Build 763.3 Final. One of our software engineers sent me the email below:

"I have concerns that the F5 could potentially allow certain HTTP headers to be passed through to our infrastructure in a way that could allow a hacker to breach our security."

"In short, our network service applications look at several different HTTP header values to find identifying information about the caller. If the F5 allows these fields to come in from the outside world, then a hacker could alter the requesting chain or store ID…or in a worst case scenario, spoof the actual certificate information coming from the SSL certificate (there are old header values that the app looks at that wouldn't necessarily be overwritten by security information coming from the incoming SSL certificate)."

Could one of you sharp gentlemen kindly supply me with an answer for him? Point me to documentation?

We use the iRule below to inject the SSL cert subject into the header, I believe this is what he is referring to:

    when CLIENTSSL_CLIENTCERT {
        # Runs once the client has presented a certificate in the handshake.
        # Reads the subject only; it does not check that the chain verified.
        set cert_subject [X509::subject [SSL::cert 0]]
        if { $cert_subject == "" } {
            log "[IP::client_addr]:[TCP::client_port]: No client cert found!"
        }
    }

    when HTTP_REQUEST {
        # cert_subject is connection-scoped: it only exists if
        # CLIENTSSL_CLIENTCERT ran on this TCP connection.
        if { [info exists cert_subject] } {
            # insert adds a header; it does not remove one the client sent.
            HTTP::header insert SSLClientCertSubject $cert_subject
            return
        }
    }


Any response is greatly appreciated.

3 Replies

  • So, just to clarify, the concern is that the header you insert is a security risk? I'm not sure how this could be a problem and why he'd refer to headers coming in from the outside world. Regardless, perhaps you could add some code to delete other 'dodgy' headers and also delete any existing instance of the header you plan to insert, before you insert it, to prevent any spoofing by the client.
  • I think he is concerned that a hacker could spoof the cert subject and then the F5 would inject that spoofed subject into the header, giving an unauthorized user access to the app.

    As far as adding code, I am a novice and wouldn't know where to begin.

  • So, I guess you need to validate the client certificate first. I'm not experienced enough to help with that but this article will be a good starting point for you: https://devcentral.f5.com/wiki/irules.ClientCertificateCNChecking.ashx
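The two suggestions in the replies (strip any client-supplied copy of the header before inserting it, and only trust the subject once the certificate has actually been verified) combine into one iRule. The block below is an added example, not code from the original post or from F5. It assumes the Client SSL profile on the virtual server has "Client Certificate" set to require with a trusted CA bundle configured, so that SSL::verify_result reflects a real chain check; SSLClientCertSubject is the header name from the post; X-Store-Id and X-Requesting-Chain are hypothetical names standing in for the application's other identity headers, which the post does not name.

```tcl
# Added example (not from the original post or from F5). Assumptions:
#  - Client SSL profile: Client Certificate = require, trusted CA bundle set
#  - SSLClientCertSubject is the header name used in the original iRule
#  - X-Store-Id / X-Requesting-Chain are hypothetical placeholder names

when CLIENTSSL_CLIENTCERT {
    # 0 is X509_V_OK. Any other value means the chain did not verify against
    # the profile's trusted CAs, so the subject must not be trusted.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_subject [X509::subject [SSL::cert 0]]
    } else {
        set cert_subject ""
        log local0. "[IP::client_addr]:[TCP::client_port]: client certificate missing or failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
    }
}

when HTTP_REQUEST {
    # Strip every identity header the backend trusts, on every request and
    # before anything is inserted. HTTP::header insert appends; it does not
    # replace a header the client already sent, so without this step the
    # backend would receive two SSLClientCertSubject values and might read
    # the attacker's. List only headers the backend expects the BIG-IP, not
    # the caller, to set.
    foreach hdr { SSLClientCertSubject X-Store-Id X-Requesting-Chain } {
        HTTP::header remove $hdr
    }

    if { [info exists cert_subject] && $cert_subject ne "" } {
        HTTP::header insert SSLClientCertSubject $cert_subject
    } else {
        # No verified certificate on this connection. Fail closed rather than
        # forward an identity-less request the backend might still accept
        # through one of its older header lookups.
        HTTP::respond 403 content "Client certificate required" "Connection" "close"
    }
}
```

The iRule does not perform the verification itself; the Client SSL profile does, and SSL::verify_result only reports the outcome. If the profile is left at "ignore" or has no CA bundle, the result is meaningless and any self-signed certificate would pass, so the profile setting is the part to check first. The subject string is then only as trustworthy as the CAs in that bundle.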