SYS-CON MEDIA Authors: Yeshim Deniz, Elizabeth White, Pat Romanski, Liz McMillan, Courtney Abud

Blog Feed Post

20 Lines or Less #53: Security, Security & more Security

What could you do with your code in 20 Lines or Less? That's the question I ask (sometimes?) every week for the DevCentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

This week we've got three awesome examples of iRules that are designed to increase your application's security in less than 21 lines of code. Dealing with header size, cache control, and a Microsoft advisory, we get to see a couple of different ways in which iRules can save the day. This isn't a new theme. iRules can be an amazingly powerful security resource in the hands of someone with the security mindset to be aware of what is going on, and the F5/iRules knowledge to craft the solutions necessary to put in place the preventative measures necessary to thwart incoming attacks.

Preventing Overzealous Headers

To work around a recently released bug that allowed attackers to exploit excess parameters in an HTTP request, Aaron whipped up an iRule to count the parameters. User Wizdem had an excellent start, looking through the payload, but Aaron and Jason teamed up to make it more efficient and expanding it to look through the query string as well. If either of these have more than 100 parameters, it drops the request, assuming it to be an attack. Given that most requests shouldn't have anywhere near 100 parameters, that should be a pretty safe assumption, but your mileage may vary, as always. A very slick look at an iRule protecting against a known attack in a short period of time with only a few lines of code. This one looks longer than it is. Take out white space, comments, and log lines and you end up at 20. Honest.

   1: when HTTP_REQUEST {
   3:     # Check if the query string contains more than 100 parameters
   4:     if { [llength [split [HTTP::query] &]] > 100 } {
   5:         log local0.alert "Microsoft Security Advisory (2659883)\
   6:             IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"
   8:         # Drop the request
   9:         drop
  10:         return
  11:     }
  13:     # Collect up to 1Mb of POST data
  14:     if { [HTTP::method] equals "POST"}{ 
  15:         set clength 0
  16:     if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 && [HTTP::header "Content-Length"] > 0}{ 
  17:            set clength [HTTP::header Content-Length]
  18:         } else { 
  19:             set clength 1048576 
  20:         }
  21:         HTTP::collect $clength
  22:     }
  23: }
  25: when HTTP_REQUEST_DATA {
  27:     # Check if the collected payload contains more than 100 parameters
  28:     if { [llength [split [HTTP::payload] &]] > 100 } {
  29:         log local0.alert "Microsoft Security Advisory (2659883)\
  30:             IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"
  32:         # Drop the request
  33:         drop
  34:     }
  35: }

Header Size Restrictions

Similar yet different, in this snippet the size of each header is inspected to ensure it is not over 1000 characters. While this is not necessarily a malicious attack it was causing problems for the OP in the thread, and Aaron was kind enough to lend an updated version to log the header lengths as they come through, since this thread was brought back up recently. In this incarnation the rule is only logging but it would be trivial to modify it to drop requests as necessary if you experience a particular client attempting to send through egregiously large headers in an attempt to cause problems.

   1: when HTTP_REQUEST {
   3:     # Check the total HTTP headers size
   4:     if {[string length [HTTP::request]] > 10000 }{
   6:         # Loop through the headers by name
   7:         foreach header {[HTTP::header names]} { 
   9:             # Check for a long header value
  10:             if {[string length [HTTP::header value $header]] > 1000 } { 
  11:                 log local0. "Header is long. Header Name: $header,\
  12:                     Length: [string length [HTTP::header value $header]], Value: [HTTP::header value $header]" 
  13:             }
  14:         }
  15:     }
  16: }

No-Cache ... For Real

In this post user Joanna shares the problem she's facing with us

"The problem is that Google Chrome will cache, in the current sessions memory only,  responses which have had the no-cache directive applied.  This means that after a user logs out of an application and walks away,  another user can come up to the computer,  press the back arrow and potentially see private information.  The way round this is to use the no-store directive with a couple of other headers thrown in for good measure. "

That is less than optimal...a browser that refuses to respect no-cache headers for secure pages. I'm not sure in what environments or across which versions this applies, but having a fix readily available is a good thing. Fortunately Joanna was kind enough to provide exactly that. With this simple iRule she was able to more firmly enforce her caching directives and create a more secure application in the process.

   1: when HTTP_RESPONSE {
   2:     # The purpose of this iRule event processing is to force no-store so that browsers will not store this content
   3:     # which would enable users to hit the 'back' button,  even after a logout,  and potentially see customer PII
   6:     if {[HTTP::header Content-Type] contains "html"} {
   7:         HTTP::header insert Pragma "no-cache"
   8:         HTTP::header insert Expires "Fri, 01 Jan 1990 00:00:00 GMT"
   9:        HTTP::header replace Cache-Control "no-cache,no-store,must-revalidate"
  10:     }
  11: }

There you have it, <= 60 lines of code to help make your iRuling life better, more interesting and in this case more secure, too. More iRules goodness is sure to follow in coming weeks.


Read the original blog entry...

More Stories By Colin Walker

Coming from a *Nix Software Engineering background, Colin is no stranger to long hours of coding, testing and deployment. His personal experiences such as on-stage performance and the like have helped to foster the evangelist in him. These days he splits his time between coding, technical writing and evangalism. He can be found on the road to just about anywhere to preach the good word about ADCs, Application Aware networking, Network Side Scripting and geekery in general to anyone that will listen.

Colin currently helps manage and maintain DevCentral ( He is also a contributor in many ways, from Articles to Videos to numerous forum posts, to iRules coding and whatever else he can get his hands on that might benefit the community and allow it to continue to grow.

Latest Stories
Take advantage of autoscaling, and high availability for Kubernetes with no worry about infrastructure. Be the Rockstar and avoid all the hurdles of deploying Kubernetes. So Why not take Heat and automate the setup of your Kubernetes cluster? Why not give project owners a Heat Stack to deploy Kubernetes whenever they want to? Hoping to share how anyone can use Heat to deploy Kubernetes on OpenStack and customize to their liking. This is a tried and true method that I've used on my OpenSta...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
10ZiG Technology is a leading provider of endpoints for a Virtual Desktop Infrastructure environment. Our fast and reliable hardware is VMware, Citrix and Microsoft ready and designed to handle all ranges of usage - from task-based to sophisticated CAD/CAM users. 10ZiG prides itself in being one of the only companies whose sole focus is in Thin Clients and Zero Clients for VDI. This focus allows us to provide a truly unique level of personal service and customization that is a rare find in th...
Kubernetes is a new and revolutionary open-sourced system for managing containers across multiple hosts in a cluster. Ansible is a simple IT automation tool for just about any requirement for reproducible environments. In his session at @DevOpsSummit at 18th Cloud Expo, Patrick Galbraith, a principal engineer at HPE, will discuss how to build a fully functional Kubernetes cluster on a number of virtual machines or bare-metal hosts. Also included will be a brief demonstration of running a Galer...
Emil Sayegh is an early pioneer of cloud computing and is recognized as one of the industry's true veterans. A cloud visionary, he is credited with launching and leading the cloud computing and hosting businesses for HP, Rackspace, and Codero. Emil built the Rackspace cloud business while serving as the company's GM of the Cloud Computing Division. Earlier at Rackspace he served as VP of the Product Group and launched the company's private cloud and hosted exchange services. He later moved o...
92% of enterprises are using the public cloud today. As a result, simply being in the cloud is no longer enough to remain competitive. The benefit of reduced costs has normalized while the market forces are demanding more innovation at faster release cycles. Enter Cloud Native! Cloud Native enables a microservices driven architecture. The shift from monolithic to microservices yields a lot of benefits - but if not done right - can quickly outweigh the benefits. The effort required in monitoring,...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embr...
Signs of a shift in the usage of public clouds are everywhere. Previously, as organizations outgrew old IT methods, the natural answer was to try the public cloud approach; however, the public platform alone is not a complete solution. Complaints include unpredictable/escalating costs and mounting security concerns in the public cloud. Ultimately, public cloud adoption can ultimately mean a shift of IT pains instead of a resolution. That's why the move to hybrid, custom, and multi-cloud will ...
The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get tailored market studies; and more.
Docker is sweeping across startups and enterprises alike, changing the way we build and ship applications. It's the most prominent and widely known software container platform, and it's particularly useful for eliminating common challenges when collaborating on code (like the "it works on my machine" phenomenon that most devs know all too well). With Docker, you can run and manage apps side-by-side - in isolated containers - resulting in better compute density. It's something that many developer...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
The KCSP program is a pre-qualified tier of vetted service providers that offer Kubernetes support, consulting, professional services and training for organizations embarking on their Kubernetes journey. The KCSP program ensures that enterprises get the support they're looking for to roll out new applications more quickly and more efficiently than before, while feeling secure that there's a trusted and vetted partner that's available to support their production and operational needs.
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It's clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Th...
xMatters helps enterprises prevent, manage and resolve IT incidents. xMatters industry-leading Service Availability platform prevents IT issues from becoming big business problems. Large enterprises, small workgroups, and innovative DevOps teams rely on its proactive issue resolution service to maintain operational visibility and control in today's highly-fragmented IT environment. xMatters provides toolchain integrations to hundreds of IT management, security and DevOps tools. xMatters is the ...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...