Forum Discussion

Dave_Pisarek_25's avatar
Dave_Pisarek_25
Icon for Nimbostratus rankNimbostratus
Mar 17, 2019
Solved

irule or ASM Dataguard to mask sensitive data.

I am trying to mask specific data on the response from an application. In the curl output below you can see the version of the app running:   GET /messenger/ HTTP/1.1 Host: xxxxx User-Agent: curl...
application delivery
ASM Advanced WAF
iRules
security
  • Dave_McCauley_3's avatar
    Dave_McCauley_3
    Mar 17, 2019

    I think it's just the regex. The documentation says it takes PCRE expressions, but maybe it's slightly different?

    I put the string in the custom pattern exactly as it shows up in the response and it masks it:

    HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 16:14:09 GMT
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json
Set-Cookie: TS01ce3b70=01ab350b1380a1d499b6b31bbd8fd165e9cea5e3b49f3bb2488ec38e985de0fb0f24c3aa51ce1302f1a6ded68aff123b1f26f4d34c; Path=/; HTTPOnly

{"some-data": "here"}
*******************

    Also, I think you'll want to disable blocking in learning and blocking for dataguard information leakage. You'll actually get a block page instead of the masked data if block is set.

Dave_McCauley_3's avatar
Dave_McCauley_3
Icon for Cirrostratus rankCirrostratus

I think it's just the regex. The documentation says it takes PCRE expressions, but maybe it's slightly different?

I put the string in the custom pattern exactly as it shows up in the response and it masks it:

HTTP/1.1 200 OK
Date: Sun, 17 Mar 2019 16:14:09 GMT
Last-Modified: Sun, 17 Mar 2019 15:49:08 GMT
ETag: "2a-5844c365dbc0c"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: application/json
Set-Cookie: TS01ce3b70=01ab350b1380a1d499b6b31bbd8fd165e9cea5e3b49f3bb2488ec38e985de0fb0f24c3aa51ce1302f1a6ded68aff123b1f26f4d34c; Path=/; HTTPOnly

{"some-data": "here"}
*******************

Also, I think you'll want to disable blocking in learning and blocking for dataguard information leakage. You'll actually get a block page instead of the masked data if block is set.

Dave_McCauley_3's avatar
Dave_McCauley_3
Icon for Cirrostratus rankCirrostratus
Mar 17, 2019

A side note, this would probably break anything calling that API that is trying to parse that as JSON. The iRule approach might be better since you can keep it as well-formatted JSON and not be at the mercy of ASM's masking. Potentially the PCRE expression could match the whole string but just replace the version part and keep the quotes.