SCG D BIGIP
Summary
The BIG-IP family of products offers the application intelligence network managers need to ensure applications are fast, secure and available. All BIG-IP products share a common underlying architecture, F5's Traffic Management Operating System (TMOS), which provides unified intelligence, flexibility and programmability. Together, BIG-IP's powerful platforms, advanced modules, and centralized management system make up the most comprehensive set of application delivery tools in the industry.
BIG-IP devices work on a modular system, which makes it possible to add new functions as necessary to quickly adapt to changing application and business needs. The following modules are currently available for the BIG-IP system:
- Application Acceleration Manager (AAM)
- Advanced Firewall Manager (AFM)
- Access Policy Manager (APM)
- Application Security Manager (ASM)
- Global Traffic Manager (GTM)
- Link Controller (LC)
- Local Traffic Manager (LTM)
- Protocol Security Module (PSM)
Common Misconfigurations
BIG-IP persistence cookie information leakage
Description
An attacker can decode the BIG-IP persistence cookie and obtain sensitive information about the internal network.
To implement session persistence, the BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [1] in the following format: BIGipServer<pool_name> = <coded server IP>.<coded server port>.0000
After decoding [2] this value, an attacker obtains the internal IP address and port number of a backend server. In some cases an attacker can also retrieve sensitive information from the <pool_name> value in the cookie name. For example, if an administrator gives a meaningful name to a server pool (e.g. Sharepoint, 10.1.1.0, AD_prod), an attacker will get some additional information about the network.
How to test
- Run an intercepting proxy or a traffic-intercepting browser plug-in and trap all responses where a cookie is set by the web application.
- Log in to the web application behind BIG-IP and inspect the cookies.
- Find a cookie whose name begins with the string BIGipServer or whose value has the format <coded server IP>.<coded server port>.0000 (e.g. 1677787402.36895.0000).
- Try to decode this value using available tools (e.g. WhiteHat Security Big IP Cookie Decoder).
- Inspect the suffix of the BIGipServer cookie name and verify that it does not contain any sensitive information about the network infrastructure.
EXAMPLE 1
This example shows a GET request to a BIG-IP with the LTM module and a response containing the BIGipServer cookie.
GET https://x.x.x.x/ HTTP/1.1
Host: x.x.x.x
Result Expected:
HTTP/1.1 200 OK
Set-Cookie: BIGipServerOldOWA=110536896.20480.0000; path=/
Here we can see that the pool has the meaningful name OldOWA, and decoding the value gives the following destination server address:
- IP Address = 192.168.150.6
- Port = 80.
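The test steps above can be automated when reviewing captured responses. The following is an added example, not part of the original wiki page or of any F5 tool: it scans Set-Cookie headers for values in the <coded server IP>.<coded server port>.0000 format and reports the pool name and backend address each one discloses. It assumes the byte-reversed decimal encoding F5 documents for unencrypted IPv4 persistence cookies; the function names and the cookie name BIGipServerpool_a are constructed for illustration.

```python
import re
import socket
import struct

# Any cookie whose value looks like <coded IP>.<coded port>.0000; the name is
# captured so that a renamed cookie is still reported.
COOKIE_RE = re.compile(r"([^=;\s:]+)=(\d+)\.(\d+)\.0000")


def decode_value(ip_field: str, port_field: str) -> tuple[str, int]:
    """Decode the two decimal fields of an unencrypted persistence cookie."""
    ip_num, port_num = int(ip_field), int(port_field)
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        raise ValueError("field out of range for an IPv4 address or TCP port")
    # Both fields are stored byte-reversed: pack little-endian, then read
    # the resulting bytes in network (big-endian) order.
    ip = socket.inet_ntoa(struct.pack("<I", ip_num))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port


def audit_set_cookie(headers: list[str]) -> list[dict]:
    """Return one finding per header that discloses a backend pool member."""
    findings = []
    for header in headers:
        m = COOKIE_RE.search(header)
        if not m:
            continue
        try:
            ip, port = decode_value(m.group(2), m.group(3))
        except ValueError:
            continue  # matches the pattern but is not a decodable cookie
        name = m.group(1)
        findings.append({"cookie": name,
                         "pool_name": name.removeprefix("BIGipServer"),
                         "backend_ip": ip, "backend_port": port})
    return findings


# Constructed sample input: the two cookie values quoted on this page
# (the second under a made-up pool name) and one unrelated cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerOldOWA=110536896.20480.0000; path=/",
    "Set-Cookie: BIGipServerpool_a=1677787402.36895.0000; path=/",
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
```

An empty result for a response that passed through a BIG-IP with cookie persistence means the value is not in the plain format, which is what the test is looking for.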
Remediation
Initial/common value of parameter "listUsers" from config.xml is set to "true".
To address the vulnerability, it is enough to change the value to false:
<security>
  <listUsers>false</listUsers>
</security>
Misconfiguration 2
...