Masking data (e.g. social security numbers) in HTTP responses

ZXTM's TrafficScript rules can inspect and modify entire request and response streams. This makes the traffic manager a convenient place to add controls that stop sensitive content leaking to clients, independently of the application that generates it.

For example, over a period of 9 months, a hacker named Nicolas Jacobsen used a compromised customer account on T-Mobile's servers to exploit a vulnerability and leech a large amount of sensitive information (see http://www.securityfocus.com/news/10271 ). This information included US Secret Service documents and customer records, including their Social Security Numbers.

This article describes how to use a simple TrafficScript rule to detect and mask out suspicious data in a response.

Here is a simple rule to remove social security numbers from any web documents served from a CGI script:

# Only inspect responses to requests for resources under /cgi-bin/
if( string.contains( http.getPath(), "/cgi-bin/" ) ) {
   # Read the complete (dechunked) response body
   $payload = http.getResponseBody();

   # Replace every 'ddd-dd-dddd' token with a fixed mask; "g" = all matches
   $new_response = string.regexsub( $payload, "\\d{3}-\\d{2}-\\d{4}",
                            "xxx-xx-xxxx", "g" );

   # Only rewrite the response if something was actually masked
   if( $new_response != $payload ) 
      http.setResponseBody( $new_response );
}

Configure this rule as a 'Response Rule' for a virtual server that handles HTTP traffic.

How it works

The specification for the rule is:

  • If the request is for a resource in /cgi-bin/, then:

    • mask anything in the response that looks like a social security number.

In this case, we recognize social security numbers as sequences of digits and '-' (for example, '123-45-6789') and we replace them with 'xxx-xx-xxxx'.

1. If the request is for a resource in /cgi-bin/:

if( string.contains( http.getPath(), "/cgi-bin/" ) ) {

The http.getPath() function returns the path of the HTTP request with any %-encoding decoded, so a client cannot hide a request from the test by %-encoding characters in the path. You can use this function in a request or response rule.

The string.contains() test checks whether the request is for a resource in /cgi-bin/.

2. Get the entire response:

$payload = http.getResponseBody();

The http.getResponseBody() function reads the entire HTTP response body. It handles the cases where no Content-Length is provided and where the response is chunk-transfer-encoded (it returns the dechunked data), both of which are common when handling responses from dynamic web pages and applications. It works alongside performance features such as HTTP keepalive connections and pipelined requests.

The ability to manage chunked responses, keepalives and pipelines is key. Without it, the only way to see a complete response would be to disable those features on the connection to the server, which would impose a significant performance penalty. Note that reading the whole body does mean ZXTM must buffer the complete response before it can be forwarded, so if /cgi-bin/ also serves large or binary content you may wish to restrict the rule further, for example by also testing the Content-Type returned by http.getResponseHeader( "Content-Type" ).

3. Replace any social security numbers:

$new_response = string.regexsub( $payload, "\\d{3}-\\d{2}-\\d{4}",
                            "xxx-xx-xxxx", "g" );

The string.regexsub() function applies a regular expression substitution to the $payload data, replacing potential social security numbers with anonymous data. Regular expressions are commonly used to inspect and manipulate textual data; TrafficScript's regular expressions use Perl-compatible syntax, which is where the \d shorthand and {n} quantifiers used here come from. Be aware that this pattern is deliberately loose: it will also match digit groups embedded in longer identifiers (for example, '2004-12-3456' contains '004-12-3456'), and it will not match numbers written without hyphens or with spaces. Adjust it to suit the output of the application being protected.

4. Change the response:

if( $new_response != $payload ) 
   http.setResponseBody( $new_response );

The http.setResponseBody() function replaces the HTTP response with the supplied data.

You can safely replace the response with a message of a different length - ZXTM recalculates the Content-Length header - and ZXTM can compress and SSL-encrypt the new response as required. http.setResponseBody() works correctly with keepalives and pipelined requests.
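The following is an added illustration, written in Python rather than TrafficScript, and is not part of the original article or of ZXTM: it reproduces the rule's logic outside the traffic manager so the two points above can be checked by hand. It dechunks a constructed chunked response (the work http.getResponseBody() does for you), shows why the substitution must run over the dechunked payload rather than the raw stream, and compares the article's pattern with a tighter one that adds boundary checks and excludes the area, group and serial values the SSA never issues. The sample response, the STRICT_SSN pattern and the helper names are assumptions made here, not taken from the page.

```python
import re

# The article's pattern, exactly as the TrafficScript rule uses it:
# three digits, two digits, four digits, separated by hyphens.
NAIVE_SSN = re.compile(r"\d{3}-\d{2}-\d{4}")

# Tighter variant (an addition here, not on the original page): the token must
# not sit inside a longer run of digits/hyphens, and the three groups must be
# values the SSA actually issues (area 000, 666 and 900-999 are never used;
# group 00 and serial 0000 are never used).
STRICT_SSN = re.compile(
    r"(?<![\d-])"               # not preceded by a digit or hyphen
    r"(?!000|666|9\d\d)\d{3}-"  # area number
    r"(?!00)\d{2}-"             # group number
    r"(?!0000)\d{4}"            # serial number
    r"(?![\d-])"                # not followed by a digit or hyphen
)

MASK = "xxx-xx-xxxx"


def mask_ssns(text, pattern=STRICT_SSN):
    """Replace every SSN-shaped token with a fixed mask, the equivalent of
    string.regexsub( $payload, ..., "xxx-xx-xxxx", "g" ) in the rule."""
    return pattern.sub(MASK, text)


def dechunk(body):
    """Decode a 'Transfer-Encoding: chunked' body into the original payload.

    Each chunk is '<hex-size>[;extensions]\\r\\n<data>\\r\\n'; a zero-size chunk
    terminates the body. Trailer headers after the last chunk are ignored.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)                 # ValueError if truncated
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk: data not followed by CRLF")
        pos += 2


def chunked(*pieces):
    """Build a chunked body from data pieces (used only to construct the sample)."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


# Constructed sample response, not real data. The customer's SSN straddles a
# chunk boundary; the last chunk carries three SSN look-alikes that are not SSNs.
SAMPLE_PIECES = (
    b"<p>Customer: Jane Doe</p>\n<p>SSN: 123-45-",
    b"6789</p>\n",
    b"<p>Placeholder 000-00-0000, order 2004-12-3456, ext 555-55-5555-01</p>\n",
)
SAMPLE_CHUNKED = chunked(*SAMPLE_PIECES)


def mask_raw_stream(body, pattern=NAIVE_SSN):
    """The wrong approach: substitute over the raw chunked stream. A chunk-size
    line can land in the middle of a number and hide it from the pattern."""
    return pattern.sub(MASK, body.decode("latin-1"))


def mask_response(body, pattern=STRICT_SSN):
    """The rule's approach: dechunk first, then substitute over the whole payload."""
    return mask_ssns(dechunk(body).decode("latin-1"), pattern)


if __name__ == "__main__":
    print("raw stream, article pattern:\n" + mask_raw_stream(SAMPLE_CHUNKED))
    print("dechunked, article pattern:\n" + mask_response(SAMPLE_CHUNKED, NAIVE_SSN))
    print("dechunked, strict pattern:\n" + mask_response(SAMPLE_CHUNKED))
```

Run over the raw stream, the article's pattern misses the real SSN (the chunk-size line sits between '123-45-' and '6789') while happily masking the order number and the extension; run over the dechunked payload it catches the SSN but still damages the look-alikes. The strict pattern masks only the genuine number. Every tightening trades recall for precision, and neither pattern sees a number written without hyphens, so the pattern has to be chosen against the application's actual output rather than copied blindly.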

In action...

Here are two screenshots of a vulnerable application, before and after the TrafficScript rule is applied:

Summary

Although ZXTM is not a total application security solution, this example demonstrates how ZXTM can be used as one layer in a larger belt-and-braces system. ZXTM is one location where security measures can be added very easily - perhaps as a rapid reaction to a vulnerability elsewhere in the network, patching over the problem until a more permanent solution can be deployed.

ZXTM has a very deep understanding of the details of the HTTP protocol. TrafficScript functions that manipulate HTTP requests and responses manage all of the details transparently, and the benefits of HTTP keepalives to the client and server, pipelined connections, chunked-transfer-encoding and HTTP/1.1 are preserved.

Owen Garrett [Zeus Dev Team] 01 July 2005  