IBM Support

How do you block value attributes of an input tag in a response?

Question & Answer


Question

How do you block value attributes of an input tag in a response?

Answer
This solution is implemented either in the Windows Privacy.cfg file, if the Privacy agent is in the pipeline, or on the Passive Capture Application (PCA), if running a version that has a Rules page in the PCA Web UI. Sometimes an application sends sensitive data to the browser in a value attribute of an input field. For example:
<INPUT name="ccnum" value="444455556666">

There are no fixed rules for how web servers deliver this. The data can be surrounded by double quotes, single quotes, or no quotes at all. Often there are other attributes in the INPUT tag, which may come before, after, or between the name and value attributes. Perhaps the name attribute is missing completely and an ID attribute is present instead.

Other valid examples:

<INPUT name='ccnum' value="444455556666">
<INPUT name= ccnum value=444455556666>
<INPUT name= ccnum Length=14 value=444455556666>
<INPUT Length=14 value=444455556666 type=hidden ID= ccnum >

In addition to the credit card number, the application can have sensitive information in a field called CCID. This input field has a different name but usually occurs on the same page. Trying to create a fixed pattern to match all the combinations is difficult, if not impossible. However, these value attributes can be blocked with two regular-expression-based Actions. It is a poor practice to evaluate these regular expressions against every single response, so include a rule that lists the specific Uniform Resource Locators (URLs) whose responses contain sensitive data. In this example the fields to block are ccnum and ccid:

[Rule2]
Enabled=True
ReqField=URL
ReqOp=Contains
ReqVal=Payment
Actions= BlockCCInResponse1 BlockCCInResponse2

The rule above calls the two actions only on pages whose URL contains the string Payment. The following actions block the value attributes for both input fields (ccnum and ccid):

[BlockCCInResponse1]
Action=Block
Section=response
Field=body
StartPatternRE=(?-s)<[^>]*? name\s*=\s*(["']{0,1})(ccnum|ccid)\1\s+[^>]*?value\s*=\s*(["']{0,1}).*?\3[\s/>]
BlockingMask=value\s*=\s*["']{0,1}([^"']*)["']{0,1}[\s/>]
Inclusive=True

[BlockCCInResponse2]
Action=Block
Section=response
Field=body
StartPatternRE=(?-s)<[^>]*? value\s*=\s*(["']{0,1}).*?\1\s+[^>]*?name\s*=\s*(["']{0,1})(ccnum|ccid)\2[\s/>]
BlockingMask=value\s*=\s*["']{0,1}([^"']*)["']{0,1}
Inclusive=True

NOTE: Watch for word wrapping in this solution. The StartPatternRE in both actions is on one line with no additional whitespace.

This action works by matching the StartPatternRE against the response to find the input tags with ccnum or ccid in the name. If the StartPatternRE matches, the BlockingMask is applied to whatever string matched the StartPatternRE. Any matched group within the BlockingMask (a matching group is delimited by parentheses) is blocked.

Because RepeatCount defaults to Repeat forever, the StartPatternRE is applied repeatedly to the response and continues to match until all occurrences of ccnum or ccid in the response are blocked.
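To check the two actions offline, here is an added Python emulation of Rule2 and its two Block actions (example code, not Tealeaf's own). It assumes a blocked value is rendered as X characters of the same length, drops (?-s) because Python's . already stops at end-of-line, and runs over a constructed response body.

```python
import re

# Added example, not Tealeaf code: emulate the two Block actions from the
# answer so the patterns can be tested offline. The (?-s) directive is
# dropped because Python's "." already stops at end-of-line unless re.DOTALL
# is set, which is the behaviour (?-s) requests.
START_PATTERN_1 = re.compile(  # name attribute before value attribute
    r'''<[^>]*? name\s*=\s*(["']{0,1})(ccnum|ccid)\1\s+[^>]*?value\s*=\s*(["']{0,1}).*?\3[\s/>]''')
START_PATTERN_2 = re.compile(  # value attribute before name attribute
    r'''<[^>]*? value\s*=\s*(["']{0,1}).*?\1\s+[^>]*?name\s*=\s*(["']{0,1})(ccnum|ccid)\2[\s/>]''')
BLOCKING_MASK = re.compile(r'''value\s*=\s*["']{0,1}([^"']*)["']{0,1}[\s/>]''')


def apply_block_action(body, start_re, mask_re, mask_char="X"):
    """One Block action with RepeatCount = forever: for every StartPatternRE
    match, run the BlockingMask over that matched substring only and overwrite
    its group 1 with mask_char (same length; an assumption about how a blocked
    value is rendered)."""
    out, pos = [], 0
    for m in start_re.finditer(body):
        segment = m.group(0)
        mm = mask_re.search(segment)
        if mm:
            s, e = mm.span(1)
            segment = segment[:s] + mask_char * (e - s) + segment[e:]
        out.append(body[pos:m.start()])
        out.append(segment)
        pos = m.end()
    out.append(body[pos:])
    return "".join(out)


def block_response(url, body):
    """Rule2: only URLs containing Payment get the two actions, in order."""
    if "Payment" not in url:
        return body
    body = apply_block_action(body, START_PATTERN_1, BLOCKING_MASK)
    return apply_block_action(body, START_PATTERN_2, BLOCKING_MASK)


# Constructed sample response body covering the quoting styles in the answer.
SAMPLE_RESPONSE = """<form action="/Payment">
<INPUT type="hidden" value="4111111111111111" name="ccnum">
<INPUT name="ccnum" value="444455556666">
<INPUT name='ccid' value='987'>
<INPUT name= ccnum Length=14 value=444455556666>
<INPUT name="zip" value="90210">
</form>"""

if __name__ == "__main__":
    print(block_response("/shop/Payment", SAMPLE_RESPONSE))
```

In this emulation the quote group may match nothing, so .*?\1\s+ in BlockCCInResponse2 can run to end-of-line and continue into the following tag when value is the last attribute in its tag; verify the masked output against real page layouts before relying on the patterns.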

Breaking down the regular expression: it begins with a technical directive, (?-s), which instructs the RegExpr engine to make end-of-line terminate .*?. It has nothing to do with the rest of the pattern; this directive has to be inserted any time the pattern itself contains .*?.
Use of .*? in the StartPatternRE:

After the directive, the StartPatternRE starts to match whenever a left angle bracket < is encountered.
Then [^>]*?name says to match the minimal run of characters that does not contain the > character and is followed by the string name. This eliminates any HyperText Markup Language (HTML) tags that do not contain a name attribute.

HTML input tags have x=y attributes. The string name is one of the allowed values of x. HTML allows any number of whitespace characters on either side of the = character; no whitespace is also valid. The \s* that appears in the StartPatternRE matches 0 or more whitespace characters. The y to the right of the = character is the value of the attribute x. The values can have either a single quote, a double quote, or nothing around them. The pattern ["']{0,1} matches exactly 0 or 1 occurrence of anything in the character set consisting of a single quote and a double quote.

After the [^>]*?name, the StartPatternRE continues with \s*=\s*(["']{0,1})(ccnum|ccid)\1, which says to match any whitespace before the = character, the = character itself, any whitespace after the = character, 0 or 1 single or double quote (captured as the 1st match group), an alternation grouping consisting of either ccnum or ccid, and then the 1st match group again (which could be either the single or double quote character, or nothing). An alternation grouping allows you to specify alternate patterns; the grouping matches if either pattern appears at this position. Specifying ccnum or ccid as valid alternates here allows the StartPatternRE to match both the ccnum and ccid input tags.

The StartPatternRE continues with \s+[^>]*?value, which matches at least one whitespace character after the name's value (and its optional closing quote), then any run of characters that does not include >, and then the string value. This part of the RegExpr allows the input tag to have any number of other attributes between the name and the value attributes. It also discards (fails to match) any input tag with the name that does not also have a value attribute.

Next comes value\s*=\s*(["']{0,1}), which matches an attribute whose name is value, the = character with optional surrounding whitespace, and 0 or 1 single or double quote (captured as the 3rd match group).

Finally, the StartPatternRE ends with .*?\3[\s/>], which matches the minimal run of characters (the y side of this x=y attribute) followed by whatever matched at the beginning of the value (match group 3, the optional quote) and then a whitespace character, a / or a >. This is important because the input tag can end with value=1234> or value="1234"> or value=1234 more attributes=something>. It is possible to write this as ["'\s>], but for maintenance purposes we did not. (More on this in the exceptions section below.)

The BlockingMask is a simpler pattern because the StartPatternRE has already extracted the input tag containing the value=y portion, and the mask only needs to match exactly y.

BlockingMask=value\s*=\s*["']{0,1}([^"']*)["']{0,1}[\s/>]

Notice the grouping ([^"']*) in the middle of the BlockingMask. Anything matching inside this grouping is what is blocked.

The BlockCCInResponse1 action blocks input fields where name appears before value. It is possible that value occurs in the input tag before name does. The BlockCCInResponse2 action covers this:

[BlockCCInResponse2]
Action=Block
Section=response
Field=body
StartPatternRE=(?-s)<[^>]*? value\s*=\s*(["']{0,1}).*?\1\s+[^>]*?name\s*=\s*(["']{0,1})(ccnum|ccid)\2[\s/>]
BlockingMask=value\s*=\s*["']{0,1}([^"']*)["']{0,1}[\s/>]

These examples can be extended to cover input tags that use id rather than name to identify the input tag: just replace name with id in the examples. If the application has other input tags with value attributes to be blocked, replace and extend the (ccnum|ccid) alternation groupings with the real names of the input tags, for example (yourname1|yourname2).

Article Reference
00000137


Applies to version(s): 7.x;8.x


Document Information

Modified date:
08 December 2018

UID

ibm10776741