F5 AWAF - Preventing Session Hijacking

I’ve been focused these weeks in preventing session hijacking attacks with F5 BIG-IP AWAF where I’ve had to create a security policy to block this kind of attacks. First of all, it’s important to highlight that this kind of attack is really critical because an attacker can compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. However, from my point of view, session hijacking attacks are not so easy to carry out. Actually, the session token could be compromised in different ways but none of them are easy to carry out. The most common are predictable session token, session sniffing, client-side attacks (XSS, malicious JavaScript codes, trojans, etc), man-in-the-middle attacks or man-in-the-browser attacks.

F5 BIG-IP AWAF mitigates the session hijacking attacks with a JavaScript challenge to obtain a unique device ID which represents the client device. This device ID is encrypted and stored into the ASM cookie which is sent by the client in each HTTP request. Therefore, the BIG-IP AWAF issues the JavaScript challenge to test the validity of the device ID in each HTTP request and if the result of the challenge is different to the device ID stored and encrypted in the ASM cookie, the system will consider the request to be an attack.

Configuring session hijacking protection is really easy in BIG-IP AWAF. Firstly, we have to enable Accept XFF in the HTTP profile when clients are behind an internal or other trusted proxy. Secondly, we have to enable the session hijacking feature which enables the system to send the JavaScript challenge, thus, the security policy blocks client browsers that do not support JavaScript even when the security policy is in transparent mode. Finally, we have to enable blocking modes for session hijacking violations such as “Modified ASM cookie”, “Modified domain cookie(s)” and “ASM Cookie Hijacking”.

I would like to share with you two videos where we can watch how we can configure session hijacking protection with F5 BIG-IP Advanced WAF (formerly ASM). I think these two videos explain really well what a session hijacking attack is, thanks to the hackazon virtual machine, and how to enable the session hijacking protection in F5 AWAF. The first video shows how to block a modified domain cookie while the second one shows how to block an ASM modified cookie.

What’s more, F5 has acquired Shape Security and Volterra recently to sell SaaS security services. As a result, F5 has created a new feature called Device ID+ which is similar to Device ID but the new one is delivered from the cloud and it uses machine learning to assign a unique identifier to each device visiting the web site. All customers have access to this service for free up to 20 millions of devices. Therefore, we should take into account that Device ID+ is not the same as Device ID. However, Device ID is do the same that “client fingerprinting” which is also used for Bot Defense, Brute Force Protection and Web Scraping.

Device ID+ data flow

Regards my friends! Do you have session hijacking vulnerabilities?