F5 ASM – Cookie and HTTP Header Tampering
Many web applications set cookies for user tracking, shopping cart functionality, and other features of the user experience. These cookies have to be secured: if they are not properly protected, a malicious hacker could steal or modify them to gain unauthorized access or place unrequested purchases. Today, Web Application Firewalls (WAFs) help us secure cookies by adding cookie attributes such as Secure, HttpOnly, Domain and Path, Expires and Max-Age; WAFs are also able to sign cookies, which is useful to protect web applications from attacks like Cookie Tampering or HTTP Request Header Tampering.
Next, we can watch a video where there is a web application vulnerable to Cookie Tampering. First, I have modified the cookie and sent it to the web application successfully. Afterwards, I have protected the web application from Cookie Tampering attacks with F5 BIG-IP ASM. Finally, cookie tampering attacks are unsuccessful because ASM blocks modified cookies which have been enforced and signed by the WAF security policy. Therefore, it is a good idea to know which cookies the web application uses, in order to enforce those which should not be modified on the client side.
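To show what "enforcing and signing" a cookie means in practice, here is an added illustration of the idea, not F5's own mechanism or code from this post: a WAF-style proxy computes an HMAC over the enforced cookies on the response path and verifies it on the request path, so any client-side change to an enforced cookie (or removal of the signature) is rejected, while cookies left out of the enforced set can still be edited freely. The key, cookie names and values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. A real WAF generates and keeps its own signing key.
WAF_KEY = b"constructed-demo-signing-key"
SIG_COOKIE = "WAF_SIG"  # hypothetical name for the companion signature cookie


def _digest(cookies: dict, enforced: set, key: bytes) -> str:
    # Canonical order so the same enforced cookies always yield the same MAC.
    # A missing enforced cookie contributes an empty value, so deletion is detected too.
    material = "&".join(f"{n}={cookies.get(n, '')}" for n in sorted(enforced))
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()


def protect_response_cookies(cookies: dict, enforced: set, key: bytes = WAF_KEY) -> dict:
    """Response path: pass the application's cookies through and add a
    signature cookie that covers the enforced ones."""
    signed = dict(cookies)
    signed[SIG_COOKIE] = _digest(cookies, enforced, key)
    return signed


def verify_request_cookies(cookies: dict, enforced: set, key: bytes = WAF_KEY) -> bool:
    """Request path: True if every enforced cookie is unmodified and the
    signature is present; False means the WAF should block the request."""
    presented = cookies.get(SIG_COOKIE)
    if presented is None:
        return False  # signature stripped by the client: treat as tampering
    expected = _digest(cookies, enforced, key)
    return hmac.compare_digest(presented, expected)  # constant-time comparison


if __name__ == "__main__":
    # Constructed cookies: session and cart_total must not change client-side,
    # theme is a harmless UI preference the client may edit.
    app_cookies = {"session": "abc123", "cart_total": "199.00", "theme": "dark"}
    enforced = {"session", "cart_total"}
    client_cookies = protect_response_cookies(app_cookies, enforced)

    tampered = dict(client_cookies, cart_total="1.00")
    restyled = dict(client_cookies, theme="light")
    print("untouched :", verify_request_cookies(client_cookies, enforced))  # True
    print("cart edit :", verify_request_cookies(tampered, enforced))        # False
    print("theme edit:", verify_request_cookies(restyled, enforced))        # True
```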
Next, there is another video where the web application is also vulnerable to HTTP Request Header Tampering. First, I have modified the Referer HTTP header to take advantage of the Shellshock vulnerability, which is not blocked. Afterwards, I have enforced the attack signatures “bash Shellshock execution attempt” and “/bin execution attempt”. Finally, HTTP Request Header Tampering attacks are unsuccessful because ASM detects the malicious strings used to exploit the Shellshock vulnerability in the Referer HTTP header. Therefore, it is a good idea to enforce attack signatures in the WAF security policy.
To sum up, we can use a WAF to protect web applications from Cookie Tampering and HTTP Request Header Tampering, attacks which are difficult to block with a traditional network firewall. In this post, we have seen that a manual security policy, with Selective Learning for cookies and Attack Signatures enforced in the WAF security policy, is the best configuration to block sophisticated attacks that try to take advantage of cookies and other HTTP headers to get into web applications.
Regards my friends. Keep reading and keep studying!!