Table Of Contents
Rewriting Response Content
Demonstrating Insecure Credit Card Data
Masking Credit Card Numbers in Response Messages
Testing Credit Card Number Masking
Rewriting Response Content
The ACE Web Application Firewall can inspect and rewrite the content of response messages. Message rewrite rules keep sensitive information that a backend application emits, such as credit card numbers, from reaching the client: a rule matches a pattern in the response body and replaces each match with a replacement character. Note that the backend still sends the data; the firewall masks it in transit, so the rule is a compensating control for traffic that passes through the firewall rather than a fix for the application itself. In addition to the built-in Credit Card Account Number Masking rule demonstrated in this section, you can supplement the built-in rules with rules you create.
Demonstrating Insecure Credit Card Data
The Poison Oak sample application returns credit card data in clear text in its responses. To see this, follow these steps:
Step 1
In your browser, go to the Poison Oak home page through the ACE Web Application Firewall.
Step 2
Click the Payment link on the Oak home page.
The page displays payment data or a No orders were received message.
Step 3
If the page displays a No orders were received message, click the Pay anyway link; otherwise, click the Submit order button.
The payment information page displays the credit card number that was used to submit the order. The number appears in clear text in the source of the page, so it can be read by anyone who can view the response or intercept it in transit.
In the next section, you'll configure your virtual web application to rewrite response messages from the backend service with "X" characters in place of credit card numbers.
Masking Credit Card Numbers in Response Messages
The Credit Card Account Number Masking rule causes credit card numbers in response messages to be masked. To apply credit card number masking, follow these steps:
Step 1
Click the Profiles link in the Manager navigation menu and then click the name of the profile you created, Poison Oak Traffic Validation.
Notice that the Credit Card Account Number Masking rule is disabled in the profile. The rule appears in the Message Rewrite section of the profile.
Step 2
Click the edit link next to Credit Card Account Number Masking.
The Credit Card Account Number Masking rule page appears.
Figure 13-1 Credit Card Account Number Masking rule editor
Step 3
Choose enabled from the Rule Set Mode menu.
Step 4
Leave the Rewrite Rules menus at their default setting, enabled.
Step 5
Click the Save Changes button.
The Credit Card Account Number Masking rule should now appear as enabled in the profile.
Step 6
Deploy the policy so that the change takes effect. The rule is not applied to traffic until the policy is deployed.
In the next section, you'll test your new Credit Card Account Number Masking policy.
Testing Credit Card Number Masking
To test your policy change, follow these steps:
Step 1
In your browser, go to the Poison Oak home page through the ACE Web Application Firewall.
Step 2
Click the Payment link on the Oak home page.
Step 3
Click the Pay anyway link and then click Submit Payment.
The payment information page displays "X" characters in place of the credit card number that was used to submit the order. Because the rewrite is applied to the response body before it reaches the browser, the number is also masked in the page source, which is the check that matters: view the source to confirm that no clear-text number remains.
Figure 13-2 Masked Credit Card data
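The following Python is an added example and is not part of the ACE documentation or the firewall's own implementation of the Credit Card Account Number Masking rule. It sketches what such a rewrite rule does to a response body (find candidate card numbers, filter false positives with the Luhn checksum, replace every digit with "X" while keeping separators) and pairs it with a scanner that reports any unmasked card numbers, which automates the manual test above. The regular expression, the Luhn filter and the sample response are my assumptions and constructed data; the two card numbers in it are the standard Visa and American Express test numbers.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, bounded by non-digit context. This pattern is an
# assumption about how a masking rule matches; it is not the ACE rule's definition.
CARD_RE = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most
    other long digit runs (order ids, tracking numbers), which keeps the
    rule from masking numbers that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    """Strip the separators the regex allows so Luhn sees only digits."""
    return re.sub(r'[ -]', '', match_text)


def mask_card_numbers(body: str, mask_char: str = 'X') -> str:
    """Rewrite a response body, replacing every digit of each Luhn-valid
    card number with mask_char. Separators are kept so page layout
    survives; digit runs that fail Luhn are left untouched."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        if not luhn_ok(_digits(raw)):
            return raw
        return ''.join(mask_char if c.isdigit() else c for c in raw)
    return CARD_RE.sub(repl, body)


def find_unmasked_cards(body: str) -> list:
    """Return the Luhn-valid card numbers (digits only) still present in
    body. An empty list means the masking rule did its job."""
    return [_digits(m.group(0)) for m in CARD_RE.finditer(body)
            if luhn_ok(_digits(m.group(0)))]


# Constructed sample response, not captured from Poison Oak. The order id,
# tracking number and phone number are fillers that must NOT be masked.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<html><body>
<h1>Payment information</h1>
<p>Order 123456789012 was paid with card 4111 1111 1111 1111.</p>
<p>Backup card on file: 3782-822463-10005</p>
<p>Tracking number 1234567890123456, support line 555-0100.</p>
</body></html>
"""

if __name__ == "__main__":
    print(find_unmasked_cards(SAMPLE_RESPONSE))   # the two card numbers
    masked = mask_card_numbers(SAMPLE_RESPONSE)
    print(masked)
    print(find_unmasked_cards(masked))            # []
```

To turn the manual test into a check, fetch the payment page through the firewall with any HTTP client, pass the body to find_unmasked_cards, and fail the test if the list is not empty; the 16-digit tracking number in the sample shows why the Luhn filter matters, since a digit-count match alone would mask it too.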