Forum Discussion

Nimbostratus

Mar 11, 2011

Set APM Cookies to HttpOnly

During an internal PEN test of our APM implementation, our Security group was able to inject some Java script and steal the 2 APM cookies MRHSession and Last_MRHSession. We think we could prevent this...

app sec

BIG-IP Access Policy Manager (APM)

security

hooleylist

Cirrostratus

Mar 15, 2011

Hi John,

Was there an actual vulnerability in APM or the web app? Or how was someone able to inject Javascript?

I believe the APM session cookies might need to be read via clientside script for some functionality, so I'm not sure setting the HttpOnly flag on both cookies would solve this issue in an acceptable manner.

Aaron

Forum Discussion

Set APM Cookies to HttpOnly

Recent Discussions

What is the meaning is 52% block in WAF

Rundeck ansible F5 errors

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Set the SameSite Attribute for LTM Persistence Cookies

set HTTPOnly in cookie

Cookie Tampering Protection using F5 Distributed Cloud Platform

Cookie-based DDoS protection

How to add Httponly and Secure attributes to HTTP cookies (for 11.5.x)