Security Parameters: Need to be apply to make secure solutions

Question

Hi,&nbsp;
We have BIG-IP LTM+ASM in HA, 13.1.0v latest version is running.&nbsp;
Standard type Virtual server is configured, TCP and HTTP profile is enabled.
SNAT Pool List is enalbed.
ASM Security Policy is applied to Specific VS.&nbsp;
Any one help me in below vulnerabilities ID, which is found when the solutions scanned by the Security team.&nbsp;
Cookie Does Not Contain The "secure" AttributeWeb Server Predictable Session ID VulnerabilityHTTP Security Header Not DetectedWeb Directories Listable Vulnerability

keesvandenbos · Answer

Hi,&nbsp;
Which cookie does not contain the "secure" attribute? Your BIG-IP persistence cookie? If so you should enable it on the cookie persistence profile. If it is the application cookie you should rewrite that cookie (with an irule) to insert the "secure" attribute.Is this for the webserver or for your BIG-IP persistence cookie? (if it is your BIG-IP persistence cookie, enable encryption on the cookie (I think you should alway's encrypt your BIG-IP persistence cookie))Enable HTTP Strict transport security on your BIG-IP HTTP Profile (or is there another header your security team want's to insert?)Did you enable the directory listing attack signatures in your ASM policy?
Cheers,&nbsp;
Kees&nbsp;

keesvandenbos · Answer

Hi,&nbsp;
Cookie encryption is disabled in the screenshot......&nbsp;
Is it the application cookie that shows the session ID? If so, you have to encrypt it by enabling cookie encryption in the HTTP profile.&nbsp;
Look at the bottom section of your HTTP profile. There you can find HTTP STS (Strict transport security)&nbsp;
When you go to Security &gt; Application Security &gt; Attack Signatures. Go to advanced filtering and type directory in the string search field and click go.&nbsp;
At the bottom of the page you will find the assigned attack signatures for directory listing mitigation.&nbsp;
Cheers,&nbsp;
Kees&nbsp;

Forum Discussion

Security Parameters: Need to be apply to make secure solutions

2 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 Partner Solution Showcase - "ImmuniWeb - Application Security Testing and Remediation"

Using F5 Application Security and DoS Solutions with AWS Global Accelerator Part 1

Re: Comprehensive solution for OWASP Web App A09:2021 Security Logging & Monitoring Failures fro

Adaptive Apps: Automating NGINX Solution Deployments and API Publication - Solution Demo

Using F5 Application Security and DOS Solutions with AWS Global Accelerator - Part 2 Building a Lab