Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

HaishanGuo
Staff
Staff

Created on ‎02-14-2022 06:55 PM

script for HTTP_DATA_REPLACE do not work

Version: v6.2.0 build 0210
Model: FAD VM

Description:  I try replace http body data in http response, the script is clone base on HTTP_DATA_FIND_REMOVE_REPLACE_DEMO

the script as:

when HTTP_RESPONSE{
--HTTP:collect command can be used in both HTTP_REQUEST
--and HTTP_RESPONSE events
--size is optional, otherwise, it will collect up to the full length
--or when 1.25M is reached

t={}
t["size"] = 100;
HTTP:collect(t)
}
when HTTP_DATA_RESPONSE{

--check the size of the content
t={};
t["operation"]="size";
sz=HTTP:payload(t);
debug("content size: %s\n", sz);

--replace a string or a regular expression in the buffered data by a new string
--offset, size and scope are optional, if scope is missing, "all" is assumed
t={};
t["operation"]="replace";
t["offset"] = 0;
t["size"] = sz;
t["scope"] = "all";-- or "first"
t["data"] = "http://cn.studyinchina.edu.cn";
t["new_data"] = "http://cn.proxy.studyinchina.edu.cn";
ret = HTTP:payload(t);
if ret then
debug("replaced %d occurences\n", ret);
else
debug("not found\n");
end
}

I also try 
t["data"] = "http://cn.studyinchina.edu.cn/cscse2020/lxjh/lxyk/402274/index.html";
t["new_data"] = "http://cn.proxy.studyinchina.edu.cn/cscse2020/lxjh/lxyk/402274/index.html";

but all two script can not trigger the replace action.
the website is:   www.cscse.edu.cn

Is there any wrong with my script ?
FortiADC-VM_20220214_0600.zip
cscse.txt
123 KB
cscse.jpg
942 KB
1810
0 Kudos
3 REPLIES 3
Ferry_k
Staff
Staff

Created on ‎02-16-2022 04:08 AM

Hi Haisan,

Can you validate that server-response is not compressed?
If that's the case you have to apply uncompression first to turn it into readable information before scritping.

------------------------------
Ferry
------------------------------
Ferry
Sr. Director Consulting Systems Engineering
1793
0 Kudos
HaishanGuo
Staff
Staff
In response to Ferry_k

Created on ‎02-16-2022 08:19 PM

Hi Ferry,

I'll confirm and try it later.

Thank you.
1793
0 Kudos
HaishanGuo
Staff
Staff
In response to HaishanGuo

Created on ‎02-17-2022 09:47 PM

Hi Ferry:

I tried another site , the script worded 

Thank you.

UploadedImages_YfyoUDLR02aN3RWnNISQ_replace-cscse-T.png
1793
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.