F5 ASM – Enforced & Allowed cookies

I’ve been working these past weeks with a customer who needs to protect cookies. Initially, something was not working properly with users’ sessions and we needed to protect services. However, after testing and testing, we got it thanks to the enforced and allowed cookie feature in F5 BIG-IP ASM. If you have created a basic security policy such as a Rapid Deployment Policy, you are not protecting cookies, but if you have created an advanced security policy and you want to protect cookies, you’ll need to know how F5 BIG-IP ASM works with enforced cookies and allowed cookies.

When we create a security policy with cookie learning set to Selective, the Traffic Learning section shows us all the cookies the application needs. In fact, Traffic Learning suggests whether we should enforce each cookie. The F5 Knowledge Center is really useful here: we can read that enforced cookies may not be changed by the client. Therefore, we should configure enforced cookies for preventing session hijacking. As a result, if an attacker steals a cookie or modifies a cookie, ASM raises an alarm such as “Modified domain cookie(s)”.

On the other hand, we can also configure a cookie as allowed instead of enforced. Once again, if we go to the F5 Knowledge Center, we can read that allowed cookies are ignored by the system and can be changed by the client. Therefore, if you want to configure cookie hijacking protection, you should configure your cookies as enforced instead of allowed. However, we can also protect cookies that the client is permitted to change. I mean, we can check the cookies’ values to see whether users are inserting malicious code into the cookie. This is really useful and easy to do with attack signatures.
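To make the difference between the two cookie types concrete, here is a small model of the logic described above. It is an added example written for this post, not F5’s code: the enforced cookies are covered by an HMAC computed when the server sets them (ASM keeps its own signature in its TS cookie; that format is not modelled), while the allowed cookie may change freely and is only scanned with a constructed attack signature. The cookie names, the key and the XSS pattern are all assumptions made for the demo.

```python
import hashlib
import hmac
import re

# Hypothetical WAF signing key. ASM keeps its cookie signature in its own TS
# cookie; the exact format is not modelled here, only the enforced/allowed logic.
WAF_KEY = b"constructed-demo-key-do-not-reuse"

# Which cookies the policy treats as enforced (must not change) or allowed
# (may change, but values are still checked against attack signatures).
ENFORCED_COOKIES = {"PHPSESSID"}
ALLOWED_COOKIES = {"theme"}

# Constructed attack signature for a crude reflected-XSS probe in a cookie value.
XSS_SIGNATURE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def parse_cookie_header(header):
    """Parse a 'Cookie:' header value into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def sign_enforced(cookies):
    """HMAC over the enforced cookies, computed when the server sets them."""
    message = "&".join(
        f"{name}={cookies[name]}" for name in sorted(ENFORCED_COOKIES) if name in cookies
    )
    return hmac.new(WAF_KEY, message.encode(), hashlib.sha256).hexdigest()


def inspect_request(cookie_header, expected_signature):
    """Return the list of violations the WAF would raise for this request."""
    cookies = parse_cookie_header(cookie_header)
    violations = []

    # Enforced cookies: any change (or removal) since the server issued them
    # breaks the signature, which is the "Modified domain cookie(s)" case.
    if not hmac.compare_digest(sign_enforced(cookies), expected_signature):
        violations.append("Modified domain cookie(s)")

    # Allowed cookies: the client may change them, so only the content is inspected.
    for name in sorted(ALLOWED_COOKIES):
        if name in cookies and XSS_SIGNATURE.search(cookies[name]):
            violations.append(f"Attack signature matched in cookie {name}")
    return violations


def demo():
    """Constructed exchange: the server sets two cookies, then three requests follow."""
    server_set = {"PHPSESSID": "abc123", "theme": "dark"}
    signature = sign_enforced(server_set)
    return {
        "legitimate": inspect_request("PHPSESSID=abc123; theme=dark", signature),
        "hijacked_session": inspect_request("PHPSESSID=evil999; theme=dark", signature),
        "xss_in_allowed": inspect_request(
            "PHPSESSID=abc123; theme=<script>alert(1)</script>", signature),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'no violation'}")
```

Note that the enforced check does not look at the cookie content at all; it only asks whether the value is the one the server issued. That is why an enforced cookie stops tampering while an allowed cookie has to rely on attack signatures, and why the two settings answer different questions.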

The best way to know how enforced cookies and allowed cookies work is to watch a video. I’ve recorded a video where you can watch an example of cookie protection. Firstly, I’ve checked that Hackazon has a cookie hijacking vulnerability. Secondly, I’ve configured session hijacking protection in F5 BIG-IP ASM. Thirdly, we can watch how F5 BIG-IP detects and blocks the attack with an enforced cookie. Fourthly, we can watch that the allowed cookie doesn’t detect and block the cookie hijacking attack. Finally, we can watch an XSS attack which can be blocked with the allowed cookie configuration.

To sum up, there are two options for configuring cookie protection in F5 BIG-IP ASM. The first one, the enforced cookie, is useful when we want to prevent cookie hijacking attacks; we configure it when clients should not change cookies. On the other hand, the allowed cookie is useful when clients can change cookies but we still want to protect those changes from attacks.

Regards my friends! Have you ever configured cookie protection?