Pascal Maugeri

Cloudlet Input Validation Lab

Blog Post created by Pascal Maugeri Employee on Nov 17, 2016

Introduction

In this blog post, I explore the new Cloudlet Input Validation and its capabilities to control form content before it is submitted to the origin, and to regulate the number of requests forwarded to it.

To support the lab activities, I have developed a tiny HTTP server in node.js that returns an HTML form, accepts HTTP POST requests and simulates a user session by generating a session cookie. This simple HTTP server is presented in detail in the last section of this post and can be started very easily on any Linux distribution.

Note that this post does not aim to document the Cloudlet, since the product is extensively documented on a dedicated web site. Do not miss this excellent video published on Akamai Community by Kunjal Botadra.


Use Case 1: limiting the number of incorrect form submits

For the first use case, the Input Validation Cloudlet is used to verify the form fields submitted by the user. If the submitted form does not match the policy, the user is redirected to an error page. If the user makes too many attempts with wrong form data, he or she will be unable to submit another form for the next 5 minutes (provided no new failed attempt is made).

Here are the Cloudlet behaviour and policy used for this Use Case:

User Identification

In this configuration, the user is identified by a cookie AND by IP address. If only the IP address were used to identify the user, all users behind the same corporate IP address would be aggregated into the same "user session". Including the cookie handles this case.

Validation Behavior

If the user submits an invalid form (as defined by the Cloudlet policy), he is redirected to an error page (in the example below, I used the Wikipedia 403 article).

Observe that On Valid Request is set to Reset Count. This resets the counter for this user session whenever the submitted form is valid. We will use a different setting in the next Use Case.

Penalty Behavior

When the user submits more than 3 invalid forms ("3" is set by configuration) within 5 minutes (a constant value that cannot be changed), any new submission attempt is redirected to another page (302 to http://www.akamai.com).

Use Case 2: limiting maximum of form submissions per user session

In this second use case, we want to limit each user session to 1 form submission per 5 minutes. This can be useful if you want to accept only one submission per user, valid or not. Here are the Cloudlet behaviour and policy used for this Use Case (the Cloudlet policy does not change):

Compared to Use Case 1, the only variation is in the Validation Behaviour: On Valid Request is set to Increment Count.
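
To make the counting rules of the two use cases concrete, here is an added example (my own code, not Akamai's and not part of the post) that models the Cloudlet's per-user counter in JavaScript. Everything in it is an assumption about the product's behaviour as the post describes it: the counter is keyed by client IP plus the usersession cookie, the configured value (3 in Use Case 1, 1 in Use Case 2) is the number of counted submissions allowed before the penalty redirect applies, the counter expires 5 minutes after the last counted submission, and attempts made while penalised are not counted. The form checks, request shapes, IP addresses, cookie values and the error URL are constructed; the class and function names are mine.

```javascript
'use strict';

// The 5-minute window is a constant in the Cloudlet, as the post notes.
const WINDOW_MS = 5 * 60 * 1000;

// Constructed stand-in for the Cloudlet form policy on the lab form
// (name / email / description); the real policy language is not reproduced.
function isValidForm(fields) {
  const name = String(fields.name || '');
  const email = String(fields.email || '');
  const description = String(fields.description || '');
  return /^[A-Za-z][A-Za-z .'-]{0,63}$/.test(name)
    && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
    && description.length <= 500;
}

// Hypothetical model of the Cloudlet's per-user counter (names are mine, not Akamai's).
//   maxCount        counted submissions allowed before the penalty applies (3 in Use Case 1)
//   onValidRequest  'reset' (Use Case 1) or 'increment' (Use Case 2)
class InputValidationModel {
  constructor({ maxCount, onValidRequest, errorUrl, penaltyUrl }) {
    this.maxCount = maxCount;
    this.onValidRequest = onValidRequest;
    this.errorUrl = errorUrl;
    this.penaltyUrl = penaltyUrl;
    this.counters = new Map(); // key -> { count, lastCounted }
  }

  // User Identification: client IP AND usersession cookie together, so two users
  // behind the same corporate IP get separate counters.
  static key(req) {
    return req.ip + '|' + (req.cookies.usersession || '');
  }

  // Decide what the edge does with one submission at time `now` (ms).
  evaluate(req, now) {
    const k = InputValidationModel.key(req);
    let state = this.counters.get(k);
    // Assumption: the counter expires 5 minutes after the last counted submission,
    // and attempts made while penalised are not counted.
    if (state && now - state.lastCounted >= WINDOW_MS) state = undefined;
    if (!state) {
      state = { count: 0, lastCounted: now };
      this.counters.set(k, state);
    }
    // Penalty Behavior: limit reached, redirect without looking at the form.
    if (state.count >= this.maxCount) {
      return { status: 302, location: this.penaltyUrl, reason: 'penalty' };
    }
    // Validation Behavior: invalid form -> error page, counter incremented.
    if (!isValidForm(req.body)) {
      state.count += 1;
      state.lastCounted = now;
      return { status: 302, location: this.errorUrl, reason: 'invalid' };
    }
    // On Valid Request: Reset Count (Use Case 1) or Increment Count (Use Case 2).
    if (this.onValidRequest === 'reset') {
      state.count = 0;
    } else {
      state.count += 1;
      state.lastCounted = now;
    }
    return { status: 200, reason: 'forward' };
  }
}

// Constructed requests standing in for what the edge sees.
const request = (ip, cookie, body) => ({ ip, cookies: { usersession: cookie }, body });
const VALID = { name: 'pascal', email: 'pascal@example.com', description: 'lab profile' };
const INVALID = { name: 'pascal', email: 'not-an-email', description: '' };
// Placeholder error URL; the post uses the Wikipedia 403 article. Penalty URL as in the post.
const URLS = { errorUrl: 'https://error.example/403', penaltyUrl: 'http://www.akamai.com' };

// Use Case 1: three invalid submissions tolerated, the fourth is penalised, a user sharing
// the IP is unaffected, and after the window a valid submission resets the count.
function runUseCase1() {
  const edge = new InputValidationModel({ maxCount: 3, onValidRequest: 'reset', ...URLS });
  const alice = (body) => request('203.0.113.10', 'a1', body);
  const bob = (body) => request('203.0.113.10', 'b2', body); // same IP, own cookie
  const outcomes = [];
  let t = 0;
  for (let i = 0; i < 4; i++) {
    t += 1000;
    outcomes.push(edge.evaluate(alice(INVALID), t).reason);
  }
  outcomes.push(edge.evaluate(bob(VALID), t).reason);
  t += WINDOW_MS; // Alice's counter has expired by now
  outcomes.push(edge.evaluate(alice(VALID), t).reason);
  outcomes.push(edge.evaluate(alice(INVALID), t + 1000).reason);
  return outcomes;
}

// Use Case 2: one submission per session, valid or not, then the penalty page.
function runUseCase2() {
  const edge = new InputValidationModel({ maxCount: 1, onValidRequest: 'increment', ...URLS });
  const carol = (body) => request('198.51.100.7', 'c3', body);
  return [0, 1000, 2000].map((t, i) => edge.evaluate(carol(i === 2 ? INVALID : VALID), t).reason);
}

console.log('Use Case 1:', runUseCase1().join(' '));
console.log('Use Case 2:', runUseCase2().join(' '));
```

Running it prints the sequence of edge decisions for each scenario; the Use Case 1 run shows three error redirects, one penalty redirect, Bob forwarded despite sharing Alice's IP, and Alice forwarded again once the window has passed.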


Testing Environment (server setup)

Since we are going to work on protecting forms, this section shows how to build a tiny web server that presents an HTML form with some fields that the end user can POST from the web browser. I have chosen to write this server in node.js, which makes it quick to build this kind of service. The HTTP server also generates a user session cookie that is used later in the Cloudlet configuration.

1. It is not the objective of this blog post to cover node.js installation and configuration (see Installing Node.js via package manager); however, on Ubuntu/Debian-like Linux distributions you can install it in two commands:

sudo apt-get -y update
sudo apt-get -y install nodejs npm


2. On the origin server, create a file form.html with the following content:

<html>
   <body>
      <form action="" method="post" enctype="application/x-www-form-urlencoded">
         <fieldset>
            <label for="name">Name:</label>
            <input type="text" id="name" name="name" value="pascal"/>
            <br />
            <label for="email">Email:</label>
            <input type="email" id="email" name="email" />
            <br />
            <label for="description">Description:</label>
            <textarea id="description" name="description" ></textarea>
            <br />
            <input type="submit" value="Create Profile" />
         </fieldset>
      </form>
   </body>
</html>

Important: at the time this article is written, the Cloudlet supports only HTML forms of type "application/x-www-form-urlencoded".

3. Then write the node.js server in a file named server.js. It receives GET and POST requests from users and replies with the HTML form. When there is no usersession cookie in the incoming request, the node.js server generates a random string and sends it back to the HTTP client in a Set-Cookie response header.

var http = require('http');
var fs = require('fs');

var server = http.createServer(function (req, res) {
    console.log("received a " + req.method + ", URL=" + req.url + ", Cookies=" + req.headers.cookie);

    // The session exists when the request already carries a usersession cookie.
    var sessionExists = false;
    if (req.headers.cookie && req.headers.cookie.toString().indexOf("usersession") > -1)
        sessionExists = true;

    displayForm(res, sessionExists);
});

function displayForm(res, sessionExists) {
    fs.readFile('form.html', function (err, data) {
        if (err) {
            // form.html missing or unreadable: fail this request instead of crashing the server
            console.log("cannot read form.html: " + err.message);
            res.writeHead(500, { 'Content-Type': 'text/plain' });
            res.end("form.html not found");
            return;
        }
        var headers = {
            'Content-Type': 'text/html',
            'Content-Length': data.length
        };
        if (!sessionExists) {
            // New session: generate a random string and hand it to the client as a cookie.
            // Math.random() is enough for this lab; a real session id would come from crypto.randomBytes().
            var usersession = Math.random().toString(36).substring(7);
            headers['Set-Cookie'] = 'usersession=' + usersession;
        }
        res.writeHead(200, headers);
        res.write(data);
        res.end();
    });
}

server.listen(80);
console.log("server listening on tcp/80");

4. Then start your server with the following command:

sudo nodejs server.js

Outcomes