Login Credentials Extraction
  • 11 May 2023

This feature extracts credentials (hashed username and password) from requests and sends them to HUMAN as additional info in the risk api call. If credentials are found to be compromised, the request passed to the origin will have the header px-compromised-credentials with the value 1. The feature can be toggled on and off, and may be set for any number of unique paths.

To enable the feature, you must do the following:

  1. Add a table or Fastly dictionary named px_login_credentials_extraction with the following fields, which determine which requests will have their credentials extracted.
    Key Name        Examples    Notes
    path_0          "/login"    The endpoint of the request
    method_0        "post"      Supported methods: post
    sent_through_0  "body"      Supported sent_throughs: body
    user_field_0    "username"  The name of the field that contains the username
    pass_field_0    "password"  The name of the field that contains the password
    The request body will be parsed based on its Content-Type header. Supported content types are: application/json and application/x-www-form-urlencoded.
    Notice that all fields in this example end in _<id> to allow the configuration of multiple endpoints. For example, to configure a second endpoint, add these same fields with _1 instead of _0 at the end of the key name to the table.

    Note: If you use a Fastly dictionary to configure these values, remove the empty table declaration in the px_config.vcl file.

  2. In the px_custom.vcl, modify the px_custom_is_login_request subroutine to set req.http.login-set to the proper ending (e.g., _0, _1, etc.) depending on the request path. See the comments in the subroutine for examples of how to do this.
  3. In the px_config.vcl, change the "px_login_credentials_extraction_enabled" field from "0" to "1" to enable the feature.
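Steps 1 and 2 worked through as a VCL example. This is an added illustration, not HUMAN's code and not a copy of px_config.vcl or px_custom.vcl: it configures the /login endpoint from the table above plus a second, assumed JSON endpoint (/api/v2/auth with the assumed field names email and pwd), written as a VCL table rather than an edge dictionary, and shows the matching px_custom_is_login_request subroutine that selects the suffix for each request.

```vcl
# Step 1: the configuration table. With a VCL table, this replaces the empty
# "table px_login_credentials_extraction {}" declaration in px_config.vcl;
# with a Fastly edge dictionary of the same name, remove that declaration.
table px_login_credentials_extraction {
  # endpoint 0: the form-encoded login from the page's example
  "path_0": "/login",
  "method_0": "post",
  "sent_through_0": "body",
  "user_field_0": "username",
  "pass_field_0": "password",
  # endpoint 1: an assumed JSON login API (path and field names are illustrative)
  "path_1": "/api/v2/auth",
  "method_1": "post",
  "sent_through_1": "body",
  "user_field_1": "email",
  "pass_field_1": "pwd"
}

# Step 2: in px_custom.vcl, map each request to its configuration suffix.
# Only POST is a supported method, so other methods never set the header,
# and a request matching no configured path leaves req.http.login-set unset,
# which means no credentials are extracted for it.
sub px_custom_is_login_request {
  if (req.method == "POST") {
    if (req.url.path == "/login") {
      set req.http.login-set = "_0";
    } else if (req.url.path == "/api/v2/auth") {
      set req.http.login-set = "_1";
    }
  }
}
```

Each suffix set here must have a complete set of path_/method_/sent_through_/user_field_/pass_field_ keys in the table; comparing req.url.path rather than req.url keeps query strings from defeating the match. Step 3 (setting px_login_credentials_extraction_enabled to "1" in px_config.vcl) is unchanged by this example.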

Credentials Intelligence - OKTA Integration

As part of the Credentials Intelligence feature, an indication that the submitted credentials are compromised is passed to the origin.

For OKTA, the indication is passed as the query-string parameter compromised_credentials with the value true.

If the credentials were compromised but the login attempt nonetheless succeeded, the status code of the response can optionally be changed so that the login fails.

To enable the query-string indication, set the px_credentials_intelligence_query_string flag to true.

To change the status code of a successful login response that was made with compromised credentials, set the px_compromised_credentials_returned_status_response field to an unauthorized HTTP status code such as 401.
