Difference between revisions of "SCG D BIGIP"
(→Description) |
|||
Line 18: | Line 18: | ||
==== Description ==== | ==== Description ==== | ||
− | An attacker can | + | An attacker can receive sensitive information about internal network via BIG-IP persistence cookie. |
To implement persistence sessions BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html] in the following format: | To implement persistence sessions BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html] in the following format: | ||
BIGipServer<pool name> = <coded server IP>.<coded server port>.0000 | BIGipServer<pool name> = <coded server IP>.<coded server port>.0000 | ||
− | After decoding [https://blog.whitehatsec.com/f5-networks-big-ip-cookie-decoded/] | + | After decoding [https://blog.whitehatsec.com/f5-networks-big-ip-cookie-decoded/] value of the BIG-IP persistence cookie an attacker receives an internal IP address and port number of backend servers. In some cases an attacker can also retreive sensitive informaion via <pool_name> suffix of the cookie name. For example, if an administrator give meaningful name to server pool (e.g. Sharepoint, 10.1.1.0, AD_prod) an attacker will get some additional information about network. |
==== How to test ==== | ==== How to test ==== |
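Review bot: the added sentence after the decoding link has spelling and agreement errors. "retreive sensitive informaion" should read "retrieve sensitive information", and "if an administrator give meaningful name to server pool" should read "if an administrator gives a meaningful name to a server pool". The first added line also needs an article: "about the internal network via the BIG-IP persistence cookie". One of the example pool names, 10.1.1.0, is a network address rather than a name; a short remark that pool names are sometimes taken from subnets would make clear why it is in the list.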
Revision as of 04:03, 19 December 2014
This article is part of the OWASP Secure Configuration Guide.
Summary
The BIG-IP family of products offers the application intelligence network managers need to ensure applications are fast, secure and available. All BIG-IP products share a common underlying architecture, F5's Traffic Management Operating System (TMOS), which provides unified intelligence, flexibility and programmability. Together, BIG-IP's powerful platforms, advanced modules, and centralized management system make up the most comprehensive set of application delivery tools in the industry.
BIG-IP devices work on a modular system, which makes it possible to add new functions as necessary to quickly adapt to changing application and business needs. The following modules are currently available for the BIG-IP system:
- Application Acceleration Manager (AAM)
- Advanced Firewall Manager (AFM)
- Access Policy Manager (APM)
- Application Security Manager (ASM)
- Global Traffic Manager (GTM)
- Link Controller (LC)
- Local Traffic Manager (LTM)
- Protocol Security Module (PSM)
Common Misconfigurations
BIG-IP persistence cookie information leakage
Description
An attacker can obtain sensitive information about the internal network via the BIG-IP persistence cookie.
To implement session persistence, the BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [1] in the following format:
BIGipServer<pool name> = <coded server IP>.<coded server port>.0000
After decoding [2] the value of the BIG-IP persistence cookie, an attacker obtains the internal IP address and port number of a backend server. In some cases an attacker can also retrieve sensitive information via the <pool_name> suffix of the cookie name. For example, if an administrator gives a meaningful name to a server pool (e.g. Sharepoint, 10.1.1.0, AD_prod), an attacker will get some additional information about the network.
How to test
- Run an intercepting proxy or a traffic-intercepting browser plug-in and trap all responses where a cookie is set by the web application.
- Log in to the web application behind BIG-IP and inspect the cookies.
- Find a cookie whose name begins with the string BIGipServer or whose value has the format <coded server IP>.<coded server port>.0000 (e.g. 1677787402.36895.0000).
- Try to decode this value using available tools (e.g. WhiteHat Security Big IP Cookie Decoder).
- Inspect the suffix of the BIGipServer cookie name and verify that it does not contain any sensitive information about the network infrastructure.
This example shows a GET request to a BIG-IP with the LTM module and a response containing a BIGipServer cookie.
Example 1
GET /app HTTP/1.1
Host: x.x.x.x
Result Expected:
HTTP/1.1 200 OK
Set-Cookie: BIGipServerOldOWASSL=110536896.20480.0000; path=/
Here the pool has the meaningful name OldOWASSL, and decoding the cookie value gives the following destination server address:
- IP Address = 192.168.150.6
- Port = 80
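The check from the test steps above as a script, added here as an example and not part of the original guide: it scans response headers for cookies in the plain <coded server IP>.<coded server port>.0000 format and reverses the byte order of both fields to show what each one exposes. The function names and the sample response are assumptions; the sample is constructed from the two cookie values on this page, with `lb` and `JSESSIONID` as made-up cookie names.

```python
import ipaddress
import re
import struct

# Plain (unencrypted) IPv4 format: <name>=<coded IP>.<coded port>.0000
COOKIE_RE = re.compile(r"([^=;\s]+)=(\d+)\.(\d+)\.0000\b")

# Constructed sample response; cookie values are the two shown on this page.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ab12cd34; path=/\r\n"
    "Set-Cookie: BIGipServerOldOWASSL=110536896.20480.0000; path=/\r\n"
    "Set-Cookie: lb=1677787402.36895.0000; path=/\r\n"
)


def decode_member(coded_ip, coded_port):
    """Both fields are byte-reversed integers; swap them back."""
    ip = ipaddress.IPv4Address(struct.pack("<I", coded_ip))
    port = struct.unpack(">H", struct.pack("<H", coded_port))[0]
    return str(ip), port


def audit_headers(raw_response):
    """Return one finding per Set-Cookie header that exposes a backend address."""
    findings = []
    for line in raw_response.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        m = COOKIE_RE.match(value.strip())
        if not m:
            continue  # encrypted or unrelated cookies do not match the plain format
        name, coded_ip, coded_port = m.group(1), int(m.group(2)), int(m.group(3))
        if coded_ip > 0xFFFFFFFF or coded_port > 0xFFFF:
            continue  # out of range for an IPv4 address / TCP port
        ip, port = decode_member(coded_ip, coded_port)
        default = name.startswith("BIGipServer")
        findings.append({
            "cookie": name,
            # Pool name is only visible when the default cookie name is in use.
            "pool_name": name[len("BIGipServer"):] if default else None,
            "ip": ip,
            "port": port,
            "internal": ipaddress.ip_address(ip).is_private,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

The second finding shows that a renamed cookie still leaks the address while the value stays in the plain format, which is why the test steps match on the value as well as the name.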
Remediation
Configuring secure cookie persistence by using the BIG-IP Configuration utility
- Log in to the Configuration utility.
- Navigate to Local Traffic > Profiles > Persistence.
- Create a new secure persistence profile with the persistence type set to "Cookie".
- Check the custom box for "Cookie Name" and enter a cookie name that does not conflict with any existing cookie names.
- Check the custom box for "Cookie Encryption Use Policy" and choose the "required" option. Enter a passphrase in the "Encryption Passphrase" field.
- Click the "Finished" button.
- Assign the created persistence profile to the virtual server.
Configuring cookie persistence by using the TMSH
- Log in to TMSH.
- Run the following commands:
  - create ltm persistence cookie <profile_name>
  - modify ltm persistence cookie <profile_name> cookie-name <secure_cookie_name>
  - modify ltm persistence cookie <profile_name> cookie-encryption required
  - modify ltm persistence cookie <profile_name> cookie-encryption-passphrase <secure_passphrase>
  - modify ltm virtual <virtual_server> persist replace-all-with { <profile_name> }
Misconfiguration 2
...