This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SCG D BIGIP"
(→Common Misconfigurations) |
(→Remediation) |
||
Line 102: | Line 102: | ||
==== Remediation ==== | ==== Remediation ==== | ||
− | It is recommended to | + | It is recommended to remove Server header from HTTP responses. |
Removing Server header via Configuration Utility. | Removing Server header via Configuration Utility. |
Revision as of 11:41, 22 December 2014
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
Summary
The BIG-IP family of products offers the application intelligence network managers need to ensure applications are fast, secure and available. All BIG-IP products share a common underlying architecture, F5's Traffic Management Operating System (TMOS), which provides unified intelligence, flexibility and programmability. Together, BIG-IP's powerful platforms, advanced modules, and centralized management system make up the most comprehensive set of application delivery tools in the industry.
BIG-IP devices work on a modular system, which enables to add new functions as necessary to quickly adapt to changing application and business needs. The following modules are currently available for the BIG-IP system:
- Application Acceleration Manager (AAM)
- Advanced Firewall Manager (AFM)
- Access Policy Manager (APM)
- Application Security Manger (ASM)
- Global Traffic Manager (GTM)
- Link Controller (LC)
- Local Traffic Manager (LTM)
- Protocol Security Module (PSM)
Common Misconfigurations
BIG-IP persistence cookie information leakage
Description
An attacker can receive sensitive information about internal network via BIG-IP LTM persistence cookie.
To implement persistence sessions BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [1] in the following format: BIGipServer<pool name> = <coded server IP>.<coded server port>.0000
After decoding [2] value of the BIG-IP persistence cookie an attacker receives an internal IP address and port number of backend servers. In some cases an attacker can also retreive sensitive informaion via <pool_name> suffix of the cookie name. For example, if an administrator give meaningful name to server pool (e.g. Sharepoint, 10.1.1.0, AD_prod) an attacker will get some additional information about network. Besides, an attacker detects that BIG-IP system is used in network infrustructure.
How to test
- Run intercepting proxy or traffic intercepting browser plug-in, trap all responses where a cookie is set by the web application.
- If possible, log in to web application and inspect cookies.
- Find a cookie with name beginning with BIGipServer string or with value which has format as <coded server IP>.<coded server port>.0000 (e.g. 1677787402.36895.0000).
- Try to decode this value using available tools (e.g. WhiteHat Security Big IP Cookie Decoder).
- Inspect suffix of BIGipServer cookie name and verify that it does not contain any sensitive information about network infrustructure.
This example shows a GET request to BIG-IP with LTM module and a response containing BIGipServer cookie.
Example 1
GET /app HTTP/1.1 Host: x.x.x.x
Result Expected:
HTTP/1.1 200 OK Set-Cookie: BIGipServerOldOWASSL=110536896.20480.0000; path=/
Here we can see that pool has the meaningful name OldOWASSL and get the following destination server address:
- IP Address = 192.168.150.6
- Port = 80
Remediation
Configuring secure cookie persistence by using the Configuration utility
- Log in to the Configuration utility.
- Navigate Local Traffic > Profiles > Persistence.
- Create new secure persistence profile with persistence type equals to "Cookie".
- Check the custom box for "Cookie Name" and enter a cookie name that does not conflict with any existing cookie names.
- Check the custom box for "Cookie Encryption Use Policy" and choose a "required" option. Enter a passphrase in "Encryption Passphrase" field.
- Click on "Finished" button.
- Assign created persistence profile to virtual server.
Configuring cookie persistence by using the TMSH
- Log in to TMSH.
- Run the following commands:
- create ltm persistense cookie <profile_name>
- modify ltm persistense cookie <profile_name> cookie-name <secure_cookie_name>
- modify ltm persistense cookie <profile_name> cookie-encryption required
- modify ltm persistense cookie <profile_name> cookie-encryption-passphrase <secure_passphrase>
- modify ltm virtual <virtual_server> persist replace-all-with { <profile_name> }
BIG-IP HTTP Server header information leakage
Description
An attacker can receive information that a web application is protected by BIG-IP system via HTTP Server header.
BIG-IP system uses different HTTP Profiles for managing HTTP traffic. In particular, BIG-IP system uses HTTP Profile that specifies the string used as the server name in traffic generated by LTM. The default values are equal to "BigIP" or "BIG-IP" and depended on BIG-IP system version. An attacker can detect that BIG-IP is used in network infrustructure and then know role, type, and version of the BIG-IP system.
How to test
- Run intercepting proxy or traffic intercepting browser plug-in, trap all responses from a web application.
- If possible, log in to web application and inspect HTTP responses.
- If Server header contains "BIG-IP" or "BigIP" value then BIG-IP is used.
This example shows a GET request to BIG-IP and a response containing Server header inserted by BIG-IP LTM.
Example 2
GET / HTTP/1.1 Host: x.x.x.x
Result Expected:
HTTP/1.0 302 Found Server: BigIP Connection: Close Content-Length: 0 Location: /my.policy Set-Cookie: LastMRH_Session=05da1fc5;path=/;secure Set-Cookie: MRHSession=03e47713f1a8ef1aaa71cd9d05da1fc5;path=/;secure Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Remediation
It is recommended to remove Server header from HTTP responses.
Removing Server header via Configuration Utility.
- Log in to the Configuration utility.
- Navigate Local Traffic > Profiles > Services > HTTP.
- Create new secure HTTP profile.
- Enter empry string in "Server Agent Name" field.
- Click on "Finished" button.
- Assign created HTTP profile to virtual server.
Removing Server header via TMSH
- Log in to TMSH.
- Run the following commands:
- create ltm profile http <profile_name>
- modify ltm profile http <profile_name> server-agent-name none