This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SCG D BIGIP"
(→Description) |
(→Remediation) |
||
Line 53: | Line 53: | ||
* Log in to the Configuration utility. | * Log in to the Configuration utility. | ||
− | * Navigate Local Traffic > Profiles > | + | * Navigate Local Traffic > Profiles > Persistence. |
* Create new secure persistence profile with persistence type equals to "Cookie". | * Create new secure persistence profile with persistence type equals to "Cookie". | ||
* Check the custom box for "Cookie Name" and enter a cookie name that does not conflict with any existing cookie names. | * Check the custom box for "Cookie Name" and enter a cookie name that does not conflict with any existing cookie names. |
Revision as of 09:22, 19 December 2014
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
Summary
The BIG-IP family of products offers the application intelligence network managers need to ensure applications are fast, secure and available. All BIG-IP products share a common underlying architecture, F5's Traffic Management Operating System (TMOS), which provides unified intelligence, flexibility and programmability. Together, BIG-IP's powerful platforms, advanced modules, and centralized management system make up the most comprehensive set of application delivery tools in the industry.
BIG-IP devices work on a modular system, which enables to add new functions as necessary to quickly adapt to changing application and business needs. The following modules are currently available for the BIG-IP system:
- Application Acceleration Manager (AAM)
- Advanced Firewall Manager (AFM)
- Access Policy Manager (APM)
- Application Security Manger (ASM)
- Global Traffic Manager (GTM)
- Link Controller (LC)
- Local Traffic Manager (LTM)
- Protocol Security Module (PSM)
Common Misconfigurations
BIG-IP persistence cookie information leakage
Description
An attacker can receive sensitive information about internal network via BIG-IP persistence cookie.
To implement persistence sessions BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [1] in the following format: BIGipServer<pool name> = <coded server IP>.<coded server port>.0000
After decoding [2] value of the BIG-IP persistence cookie an attacker receives an internal IP address and port number of backend servers. In some cases an attacker can also retreive sensitive informaion via <pool_name> suffix of the cookie name. For example, if an administrator give meaningful name to server pool (e.g. Sharepoint, 10.1.1.0, AD_prod) an attacker will get some additional information about network.
How to test
- Run intercepting proxy or traffic intercepting browser plug-in, trap all responses where a cookie is set by the web application.
- Log in to web application behing BIG-IP and inspect cookies.
- Find a cookie with name beginning with BIGipServer string or with value which has format as <coded server IP>.<coded server port>.0000 (e.g. 1677787402.36895.0000).
- Try to decode this value using available tools (e.g. WhiteHat Security Big IP Cookie Decoder).
- Inspect suffix of BIGipServer cookie name and verify that it does not contain any sensitive information about network infrustructure.
This example shows a GET request to BIG-IP with LTM module and a response containing BIGipServer cookie.
Example 1
GET /app HTTP/1.1 Host: x.x.x.x
Result Expected:
HTTP/1.1 200 OK Set-Cookie: BIGipServerOldOWASSL=110536896.20480.0000; path=/
Here we can see that pool has the meaningful name OldOWASSL and get the following destination server address:
- IP Address = 192.168.150.6
- Port = 80
Remediation
Configuring secure cookie persistence by using the BIG-IP Configuration utility
- Log in to the Configuration utility.
- Navigate Local Traffic > Profiles > Persistence.
- Create new secure persistence profile with persistence type equals to "Cookie".
- Check the custom box for "Cookie Name" and enter a cookie name that does not conflict with any existing cookie names.
- Check the custom box for "Cookie Encryption Use Policy" and choose a "required" option. Enter a passphrase in "Encryption Passphrase" field.
- Click on "Finished" button.
- Assign created persistence profile to virtual server.
Configuring cookie persistence by using the TMSH
- Log in to TMSH.
- Run the following commands:
- create ltm persistense cookie <profile_name>
- modify ltm persistense cookie <profile_name> cookie-name <secure_cookie_name>
- modify ltm persistense cookie <profile_name> cookie-encryption required
- modify ltm persistense cookie <profile_name> cookie-encryption-passphrase <secure_passphrase>
- modify ltm virtual <virtual_server> persist replace-all-with { <profile_name> }
Misconfiguration 2
...