Masking data (e.g. social security numbers) in HTTP responses

ZXTM's TrafficScript rules can inspect and modify an entire request and response stream. This provides many opportunities for securing content against unauthorized breaches.

For example, over a period of 9 months, a hacker named Nicolas Jacobsen used a compromised customer account on T-Mobile's servers to exploit a vulnerability and leach a large amount of sensitive information (see http://www.securityfocus.com/news/10271 ). This information included US Secret Service documents and customer records including their Social Security Numbers.

This article describes how to use a simple TrafficScript rule to detect and mask out suspicious data in a response.

Here is a simple rule to remove social security numbers from any web documents served from a CGI script:

if( string.contains( http.getPath(), "/cgi-bin/" ) ) {
   $payload = http.getResponseBody();

   $new_response = string.regexsub( $payload, "\\d{3}-\\d{2}-\\d{4}",
                            "xxx-xx-xxxx", "g" );

   if( $new_response != $payload ) 
      http.setResponseBody( $new_response );
}

Configure this rule as a 'Response Rule' for a virtual server that handles HTTP traffic.

How it works

The specification for the rule is:

  • If the request is for a resource in /cgi-bin/, then:

    • mask anything in the response that looks like a social security number.

In this case, we recognize social security numbers as sequences of digits and '-' (for example, '123-45-6789') and we replace them with 'xxx-xx-xxxx'.

1. If the request is for a resource in /cgi-bin/:

if( string.contains( http.getPath(), "/cgi-bin/" ) ) {

The http.getPath() function returns the name of the HTTP request, having removed any %-encoding which obscures the request. You can use this function in a request or response rule.

The string.contains() test checks whether the request is for a resource in /cgi-bin/.

2. Get the entire response:

$payload = http.getResponseBody();

The http.getResponseBody() function reads the entire HTTP response. It seamlessly handles cases where no content length is provided, and it dechunks a chunk-transfer-encoded response - these are common cases when handling responses from dynamic web pages and applications. It interoperates perfectly with performance features like HTTP Keepalive connections and Pipelined requests.

The ability to manage chunked responses, keepalives and pipelines is key. If a Traffic Manager could not do so, a significant performance penalty would be imposed.

3. Replace any social security numbers:

$new_response = string.regexsub( $payload, "\\d{3}-\\d{2}-\\d{4}",
                            "xxx-xx-xxxx", "g" );

The string.regexsub() function applies a regular expression substitution to the $payload data, replacing potential social security numbers with anonymous data. Regular expressions are commonly used to inspect and manipulate textual data, and ZXTM supports the full POSIX regular expression specification.

4. Change the response:

if( $new_response != $payload ) 
   http.setResponseBody( $new_response );

The http.setResponseBody() function replaces the HTTP response with the supplied data.

You can safely replace the response with a message of different length - ZXTM will take care of the Content-Length header - and ZXTM can compress and SSL-encrypt the response as required. http.setResponseBody() interoperates perfectly with keepalives and pipelined requests.

In action...

Here are two screenshots of a vulnerable application, before and after the TrafficScript rule is applied:



Summary

Although ZXTM is not a total application security solution, this example demonstrates how ZXTM can be used as one layer in a larger belt-and-braces system. ZXTM is one location where security measures can be very easily added - perhaps as a rapid reaction to a vulnerability elsewhere in the network, patching over the problem until a more permanant solution can be deployed.

ZXTM has a very deep understanding of the details of the HTTP protocol. TrafficScript functions that manipulate HTTP requests and responses manage all of the details transparently, and the benefits of HTTP keepalives to the client and server, pipelined connections, chunked-transfer-encoding and HTTP/1.1 are preserved.

Owen Garrett [Zeus Dev Team] 01 July 2005  Permalink 2 comments  

Comments:

This public messageboard is not a forum for technical support. To report technical support problems, please contact our dedicated Support team using the instructions at the bottom of this page.

Comment from: Owen Garrett [Zeus Dev Team]

You may find that this fails inexplicably - the following TrafficScript request rule will fix it: 

http.removeHeader( "Accept-Encoding" );

Many web browsers will use the 'Accept-Encoding' header in a request to indicate that they can accept compressed responses. In this case, the server will try compress the response data, and the http.getResponseBody() function will return the compressed version of the response.

The easiest way to deal with this is to remove the 'Accept-Encoding' header from the request. ZXTM will still remember that the client can accept compressed content, and if you have enabled the Content Compression feature, ZXTM will compress the data itself before sending it to the client.

Permalink 20 July 2005 @ 11:53
Comment from: Owen Garrett [Zeus Dev Team]
ZXTM version 4.0 automatically decompresses compressed HTTP responses when you use http.getResponseBody(), so it's no longer necessary to remove the 'Accept-Encoding' header.

In a performance-critical environment where you are going to call 'getResponseBody()' on every response, you may want to remove this header anyway. The overhead of compressing each response on the webserver then decompressing it on the ZXTM will probably outweigh the bandwidth and network latency savings over the local network.
Permalink 14 December 2005 @ 12:10
Leave a comment ...
Your email address will not be displayed.
Your URL will be displayed.
This public messageboard is not a forum for technical support. To report technical support problems, please contact our dedicated Support team using the instructions at the bottom of this page.
Options:
 
(Line breaks become <br />)
(Set cookies for name, email & url)
Download Free ZXTM Desktop Edition

Recent Articles

Other Resources



www.zeus.com

powered by
b2evolution
About this site. The ZXTM KnowledgeHub service is provided without warranty, and articles and comments may not reflect the views of Zeus Technology. For technical support queries, please contact Zeus Technical Support. Disclaimer and Privacy statement.