Forum Discussion

cdjac0bsen
Oct 09, 2017

Allow vuln scanner or pen tester access dynamically? One time code, OTP, comparison?

We would like to allow vulnerability scanners or pen testers to send requests without being blocked on an ad hoc basis without our intervention. Currently we have to add a temporary IP address exception which requires a policy change to add and then remove it. Not ideal.

Has anyone else done this?

Our testing team suggested adding a header to their requests, something like X-SCAN-TESTING-{OneTimeTokenCode}:{TestersMonthlyTokenCode} (not sure why you'd need both). This is an interesting idea, but how would you generate the code in an iRule to compare it to? Or, rather than generate the code in the iRule, could you make an external call to a location where the OTP was generated and stored?

 

2 Replies

  • It is certainly possible to do with an iRule and a datagroup containing a list of codes (or allowed IP addresses, which is much easier to implement). Lists of codes/IP addresses are easier to manage in a datagroup rather than constantly adding/removing IP address exceptions in ASM policies.

    You would simply use the ASM::disable command if the request contains your X-SCAN-TESTING header:

    https://devcentral.f5.com/wiki/iRules.ASM__disable.ashx

    Having an iRule connect and retrieve an OTP from an external source is a bit of over-engineering for such a simple problem, but it is certainly possible.

    You can also have the solution with no iRule at all and just put all the rules for header checking into the local traffic policy.


  • Chris, I understand the challenge here. What you can do is have a dynamic tag which changes daily (or weekly or monthly - whatever suits you). Not quite OTP, but easy to manage and set up.

    The way to achieve it is to write an iRule which takes the current date and mixes it with some "secret" "salt" value and then hashes the result using a hashing function (e.g. MD5 or SHA1, or whatever your security requirement for a hashing function is).

    For example (let's assume the secret is "cdjac0bsen"):

    We take today's date, 20171018, and add the secret (e.g. concatenate with a dash):

    "20171018-cdjac0bsen"

    Then the above value is hashed using MD5. It produces "d39cb5a222be728dddd1ff3adc480cb5"; you can simply give this token to your pentesters, and it will be valid for the whole day.

    Tomorrow the token will change to: 81e20431312f37d6572651d242f2521a (MD5 of "20171019-cdjac0bsen").

    The iRule will compare the token value received in the header X-SCAN-TESTING with this calculated value. If they match, it is a valid pentester; if they don't match, it is a hacker or someone using an old/stolen token.

    Hope this helps,

    Sam
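The daily-token check Sam describes, as an added Python example (not from the thread, and not an iRule; on the BIG-IP the iRule would perform the same comparison before calling ASM::disable). It assumes the secret and header name used in this thread, adds a keyed HMAC-SHA256 variant as a hardened alternative (my assumption, not Sam's suggestion), and does a constant-time comparison; the sample headers are constructed.

```python
import hashlib
import hmac

# Constructed values: the secret is the one Sam used in his reply,
# the header name is the one proposed in the question.
SECRET = "cdjac0bsen"
HEADER = "x-scan-testing"


def daily_token_md5(day: str, secret: str = SECRET) -> str:
    """Token exactly as the reply describes: md5("YYYYMMDD-secret"), hex encoded.
    `day` is the date string, e.g. "20171018"."""
    return hashlib.md5(f"{day}-{secret}".encode()).hexdigest()


def daily_token_hmac(day: str, secret: str = SECRET) -> str:
    """Hardened variant (assumption, not from the thread): HMAC-SHA256 keyed with
    the secret, so the secret acts as a key instead of being part of the hashed text."""
    return hmac.new(secret.encode(), day.encode(), hashlib.sha256).hexdigest()


def presented_token(headers: dict):
    """Case-insensitive lookup of the X-SCAN-TESTING header value, or None."""
    for name, value in headers.items():
        if name.lower() == HEADER:
            return value.strip()
    return None


def scanner_allowed(headers: dict, valid_days: list, token_fn=daily_token_md5) -> bool:
    """True if the request carries the token for one of `valid_days` (normally just
    today; include yesterday too if a scan may run across midnight).
    hmac.compare_digest keeps the comparison constant-time."""
    presented = presented_token(headers)
    if not presented or not presented.isascii():
        return False
    # Check every accepted day rather than returning early, so timing does not
    # reveal which day (if any) matched.
    ok = False
    for day in valid_days:
        ok |= hmac.compare_digest(presented, token_fn(day))
    return ok


if __name__ == "__main__":
    for day in ("20171018", "20171019"):
        print(day, "md5 token:", daily_token_md5(day), "hmac token:", daily_token_hmac(day))
    print(scanner_allowed({"X-Scan-Testing": daily_token_md5("20171018")}, ["20171018"]))
```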