Forum Discussion

tomh_185559
Jun 10, 2015

Cookie RFC compliant? Unusual use case

I'm investigating some interesting security events when implementing ASM rules against a VIP. The ASM logs list an event that the request contains "Cookie not RFC-compliant" due to "Invalid character after cookie value". The example that is given is:


PrivacyStatementAccepted="{\"6382DAC1...0269CA1C\":1433895609216}"


where the invalid character starts at the '6' in ...="{\"6...


I understand that this is an unusual format, but the logic from the developer team is that the second (and third) double quote is escaped by the backslash and should not be considered the end of the cookie value. It seems like the cookie value is actually a name/value pair in this case. After reviewing the RFC and F5 SOL7776, I'm not trying to argue the intent of the RFC, but am wondering if there is a valid workaround in the ASM (other than disabling the alert) while we re-architect this cookie value.


5 Replies

  • Try going to Application Security: Headers: Character set and then locate the character / 0x2f (hex). Change the state to allow, and then see if the violation goes away. You should be able to allow / in the value of any header field--I think cookies as well.


    Erik


  • Oops--Re-reading your question, it's the \ character that should be allowed...


  • Thanks Erik, but I think the issue is that there is no consideration by the F5 (or the RFC?) that a backslash is attempting to escape the second double quote. It's likely that the RFC considers all characters as plain text. So, the second double quote effectively 'ends' the value part of the name/value pair. The F5 expects the name/value separator (semi-colon in this case); I believe the event is triggered by this 'missing' separator.


    I'm guessing that the web server simply passes all of these characters into the web app and it is up to the development team to parse it properly. I know this is not the best practice, but might be looking for a temporary workaround.


    Thanks again.


  • I think you are correct. ASM does not consider a backslash as an escape. You could temporarily learn and alarm on the violation, but not block it...


  • I don't believe there is a way to allow things like this other than disabling the violation. F5 decided what they consider RFC compliant and you can't tweak that.


    You could consider building an iRule that uses another ASM policy, with this violation disabled, only when this type of cookie is used.
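As an added illustration (this is not code from the thread, from F5, or a reproduction of ASM's actual parser), the Python below applies the RFC 6265 section 4.1.1 cookie grammar to a Cookie header the way the replies describe a strict gateway behaving: a backslash is an ordinary (and disallowed) character, not an escape, so a quoted value ends at the very next double quote and anything that follows it before the `;` separator is reported as an invalid character after the cookie value. The sample cookie is constructed to mirror the shape of the one in the question (the hex key is made up, not the one posted), and the percent-encoded variant shows one RFC-compliant way to carry the same JSON while the cookie is re-architected.

```python
"""Added example: RFC 6265 cookie-pair checker (not F5/ASM code)."""
from urllib.parse import quote

# RFC 2616 token characters, which RFC 6265 reuses for cookie-name.
TOKEN_CHARS = frozenset(
    "!#$%&'*+-.^_`|~0123456789"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)


def is_cookie_octet(ch):
    """cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    (printable US-ASCII minus CTLs, SP, DQUOTE, comma, semicolon, backslash)."""
    o = ord(ch)
    return (o == 0x21 or 0x23 <= o <= 0x2B or 0x2D <= o <= 0x3A
            or 0x3C <= o <= 0x5B or 0x5D <= o <= 0x7E)


def check_cookie_pair(pair):
    """Check one name=value pair; return a list of (offset_in_pair, reason)."""
    violations = []
    name, eq, value = pair.partition("=")
    if not eq:
        return [(0, "missing '=' in cookie-pair")]
    for i, ch in enumerate(name):
        if ch not in TOKEN_CHARS:
            violations.append((i, "invalid character in cookie name"))
    base = len(name) + 1  # offset of the first value character within the pair
    if value.startswith('"'):
        # RFC 6265 has no quoted-pair: the value ends at the next DQUOTE,
        # regardless of any backslash in front of it.
        end = value.find('"', 1)
        if end == -1:
            return violations + [(base, "unterminated quoted cookie value")]
        inner, inner_base, trailing_from = value[1:end], base + 1, end + 1
    else:
        inner, inner_base, trailing_from = value, base, len(value)
    for i, ch in enumerate(inner):
        if not is_cookie_octet(ch):
            violations.append((inner_base + i, "invalid character in cookie value"))
    if trailing_from < len(value):
        # Only a ';' (handled by the caller's split) or end of string may follow
        # the closing DQUOTE; this is the "missing separator" case in the thread.
        violations.append((base + trailing_from, "invalid character after cookie value"))
    return violations


def check_cookie_header(cookie_string):
    """Check a whole Cookie header value; return [(name, abs_offset, reason), ...]."""
    results, pos = [], 0
    for raw in cookie_string.split(";"):
        stripped = raw.lstrip(" ")
        start = pos + (len(raw) - len(stripped))
        for off, reason in check_cookie_pair(stripped):
            results.append((stripped.partition("=")[0], start + off, reason))
        pos += len(raw) + 1  # skip the ';' that split() consumed
    return results


# Constructed sample in the shape of the cookie from the question; the key is
# made up and is not the value that appeared in the post.
JSON_VALUE = '{"DEADBEEF00000000":1433895609216}'
RAW_COOKIE = 'PrivacyStatementAccepted="' + JSON_VALUE.replace('"', '\\"') + '"'


def violations_for_raw():
    """Violations a strict RFC 6265 checker reports for the raw cookie."""
    return check_cookie_header(RAW_COOKIE)


def encoded_cookie():
    """One compliant re-encoding: percent-encode the JSON so every byte is a
    cookie-octet ('%', digits and hex letters all are); the app decodes it."""
    return "PrivacyStatementAccepted=" + quote(JSON_VALUE, safe="")


def violations_for_encoded():
    return check_cookie_header(encoded_cookie())


if __name__ == "__main__":
    print(RAW_COOKIE)
    for name, off, reason in violations_for_raw():
        print(f"  {name}: offset {off} ({RAW_COOKIE[off]!r}): {reason}")
    print(encoded_cookie(), "->", violations_for_encoded())
```

Running it reports two problems for the raw cookie: the backslash itself is not a cookie-octet, and the character right after the second double quote (the first character of the hex key, matching the '6' position in the question) is an invalid character after the cookie value, because the checker, like ASM as described in the replies, does not treat the backslash as an escape. The percent-encoded form passes with no violations and still round-trips to the same JSON on the server side.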