How to Mask Sensitive Information in a URL Using the Rewrite Feature on a NetScaler Appliance

Article ID: CTX134795

Description

This article describes how to mask sensitive information in a URL using the rewrite feature on the NetScaler appliance.

Background

Users can see sensitive information in the Web browser when they access a URL and the server responds with personal information embedded within the URL. It is important that this information is masked to prevent possible security breaches.

The following example summarizes the security risk associated with users being able to view sensitive information in the Web browser. When users access a certain EMR application, they click a link in the EMR application to access EKG images hosted on the EKG server or Radiology images hosted on PACS servers. The users receive an HTTP 302 redirect from the EMR application whose Location header contains the URL of the EKG or Radiology image with the patient ID embedded in it. Users can modify the Patient ID and access images of other patients. This is a security risk if proper authorization is not configured.

[Image: diagram of the example EMR / EKG / PACS configuration]

Note: The configuration described in the preceding image is used in this article.

You can configure the rewrite feature on the NetScaler appliance to intercept the response and encrypt the sensitive information within the URL in the Location header. Then, the users cannot view the sensitive information in the Web browser in clear text. You can also use the rewrite feature to decrypt the requests before forwarding them to the actual application to ensure a valid response.


Instructions

To mask sensitive information in a URL using the rewrite feature on the NetScaler appliance, complete the following procedure:
  1. Run the following commands to configure a connection proxy to the backend EMR application:

    enable ns feature lb
    add service svc_emrwebtest_http_80 <<ipaddress of EMR>> HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    add lb vserver vip_emrwebtest-poc_http_80 HTTP <<EMR VIP>> 80 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -cltTimeout 180
    bind lb vserver vip_emrwebtest-poc_http_80 svc_emrwebtest_http_80
  2. Run the following commands to configure a service to the backend EKG server:

    add service svc_ekgtest_http_80 <<ipaddress of EKG>> HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    add lb vserver vip_ekgtest-poc_http_80 HTTP <<EKG/PACS VIP>> 80 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -cltTimeout 180
    bind lb vserver vip_ekgtest-poc_http_80 svc_ekgtest_http_80
  3. Run the following command to enable the rewrite feature on the appliance:

    enable ns feature rewrite

    Note: Encrypting information on the appliance adds performance overhead. Therefore, it is recommended that the CPU and memory of the appliance are monitored after the rewrite configuration is applied.
  4. Run the following command to add a rewrite action to encrypt the PID in the URL in the HTTP 302 response received from the EMR application:

    add rewrite action Encrypt_PID_Query replace "HTTP.RES.HEADER(\"Location\").AFTER_STR(\"GetReport.asp?PID=\").BEFORE_STR(\"&Server\")" "HTTP.RES.HEADER(\"Location\").AFTER_STR(\"GetReport.asp?PID=\").BEFORE_STR(\"&Server\").ENCRYPT"
  5. Run the following commands to add the rewrite policy and bind it at a global level:

    add rewrite policy Encrypt_response_query "HTTP.RES.HEADER(\"Location\").AFTER_STR(\"GetReport.asp?\").CONTAINS(\"PID=\")" Encrypt_PID_Query
    bind rewrite global Encrypt_response_query 10 END -type RES_DEFAULT
  6. Run the following commands to decrypt the request sent from the end users to the EKG/PACS application server:

    add rewrite action Decrypt_PID_Query replace "HTTP.REQ.URL.AFTER_STR(\"GetReport.asp?PID=\").BEFORE_STR(\"&Server\")" "HTTP.REQ.URL.AFTER_STR(\"GetReport.asp?PID=\").BEFORE_STR(\"&Server\").DECRYPT" -bypassSafetyCheck YES
  7. Run the following command to add a rewrite policy and to bind it at a global level:

    add rewrite policy Decrypt_Location_Query "HTTP.REQ.METHOD.EQ(\"GET\") && HTTP.REQ.URL.CONTAINS(\"GetReport.asp\")" Decrypt_PID_Query
    bind rewrite global Decrypt_Location_Query 20 END -type REQ_DEFAULT
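The following Python script is an added illustration of what the two rewrite actions above do to the traffic; it is not part of this article and not the appliance's ENCRYPT/DECRYPT implementation. It mirrors the AFTER_STR("GetReport.asp?PID=").BEFORE_STR("&Server") selection on the Location header of the response and on the URL of the request, encrypts the selected PID on the way out and decrypts it on the way in. The key, the HMAC-SHA256 based authenticated stream cipher and the URL-safe base64 encoding are stand-ins chosen so that the script runs with the standard library only; the appliance uses its own built-in key and cipher. The host names and PID values are constructed sample data.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed key standing in for the appliance's built-in key (assumption, not a real value).
KEY = b"example-appliance-key-not-for-production"

# The two anchors used by the article's AFTER_STR / BEFORE_STR expressions.
PREFIX = "GetReport.asp?PID="
SUFFIX = "&Server"

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_token(plaintext: str) -> str:
    """Encrypt-then-MAC the PID; output is URL-safe so it survives in a query string."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    tag = hmac.new(KEY, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def decrypt_token(token: str) -> Optional[str]:
    """Return the PID, or None when the token is malformed or fails authentication."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(KEY, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged token: do not forward a guessed PID
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(nonce, len(ciphertext)))).decode(errors="replace")


def _pid_span(text: str) -> Optional[Tuple[int, int]]:
    """Model AFTER_STR(PREFIX).BEFORE_STR(SUFFIX): (start, end) of the PID value, or None."""
    i = text.find(PREFIX)
    if i < 0:
        return None
    start = i + len(PREFIX)
    j = text.find(SUFFIX, start)
    if j < 0:
        return None  # assumption: no match means the action leaves the text untouched
    return start, j


def rewrite_location(location: str) -> str:
    """Response side (Encrypt_PID_Query): replace the clear-text PID in Location with a token."""
    span = _pid_span(location)
    if span is None:
        return location
    start, end = span
    return location[:start] + encrypt_token(location[start:end]) + location[end:]


def rewrite_request_url(url: str) -> Optional[str]:
    """Request side (Decrypt_PID_Query): restore the PID; None means the token did not verify."""
    span = _pid_span(url)
    if span is None:
        return url
    start, end = span
    pid = decrypt_token(url[start:end])
    if pid is None:
        return None
    return url[:start] + pid + url[end:]


if __name__ == "__main__":
    # Constructed sample redirect from the EMR application.
    location = "http://ekg.example.test/GetReport.asp?PID=12345&Server=EKG1"
    masked = rewrite_location(location)
    print("Location sent to browser:", masked)
    print("URL forwarded to EKG    :", rewrite_request_url(masked.split("example.test", 1)[1]))
```

A user who edits the token in the address bar produces a request whose token fails the integrity check, so rewrite_request_url returns None and the request should be dropped rather than forwarded with a guessed PID. This only hides and pins the identifier in transit; as the Background section notes, the EKG/PACS application still needs its own authorization check on the patient ID.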

After the configuration is complete, the network flow appears as shown in the following image:

[Image: network flow after the rewrite configuration is applied]

In this example there are two separate applications: one constructs a link to the other with sensitive information embedded in the Location header of an HTTP 302 redirect, and the other serves the content.
In some scenarios, when only a single application is accessed, the sensitive information is found within the actual responses rather than in HTTP 302 redirects received from the Web application. You can then modify the policies described in this article to search for the sensitive information within the responses directly and rewrite the appropriate information in the URL.

Additional Information

Citrix eDocs - Rewrite