Forum Discussion

AlgebraicMirror
Jun 11, 2015

Does anyone know how the ASM Cookie Protection Configuration file is structured?

Hi. Does anyone know how the ASM Cookie Protection Configuration file is structured? This is the file you get when you navigate (in v11.5.3) to Security -> Options -> Application Security -> Advanced Configuration -> Cookie Protection on the GUI, and then click the "Export" button. According to the GUI Help menu, the Export button does this:

"Click the Export button to save the cookie protection configuration file, that contains the algorithm and key, from this system on a remote system or some other location."

The file generated appears to be base64 encoded, but when I decode it, it looks like gibberish. I would expect the key part to be gibberish, but I thought part of the file at least might be intelligible, or delimited in some way so that I could tell the difference between the key part and the algorithm part. Does anyone know which part is the key and which part is the algorithm? My goal in asking is that I've had ASM cookie problems in the past, and when I stumbled across this today I thought it would be really cool to extract the algorithm and key so that I could decrypt the cookie in future troubleshooting sessions and see what is inside it and what caused things to break. Plus I'm just really curious and want to know more about how cookie protection works in general (deeper than just saying "hey, looks like there's a 'ts_' cookie in this Fiddler capture!").

    Tikka_Nagi_1315 (Historic F5 Account)

    Please refer to the documentation here for your specific questions: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/26.html

    Here is some additional information regarding how the cookies are generated.

    There are two types of ASM cookies:

    A. The Main cookie:
       - Validates the domain cookies
       - Detects session expiration
       - Validates the rest of the ASM cookies (frame cookies)

    B. The Frame cookie (which can be a flow frame cookie or an extraction frame cookie).

    ASM Cookie Name: TSxxxxxx -> The x's are the first 6 hex digits of the web application name crc64, except:
    i. If the TS cookie is a path TS cookie, the cookie name will be modified to include the path cookie crc in it.
    ii. If the TS cookie has a domain attribute, the cookie name will be calculated from the host crc.
    iii. If a subdomain is defined in the policy, the TS cookie will have the domain attribute added and the cookie name will be calculated along with the relevant host domain.

    Main ASM Cookie Structure:

    i) Signature - MD5 hash of the rest of the cookie.
    ii) Message Key - a random sequence of bytes used to connect the main cookie with the other ASM cookies on the request.
    iii) Time Stamp - indicates the time when the cookie was created. Used in order to verify the cookies are not too old. By using the message key, the frame cookies' age can be verified as well.
    iv) Cookie Name/Value CRC pairs - for each Set-Cookie command ASM sees in the response, a pair of two 8-byte CRCs is created: one for the name and one for the value. Those pairs are concatenated at the end of the cookie.

    cookie_digest_key internal parameter:

    This parameter is used as a key in the cookie digest calculations. It can contain up to 32 chars. Changing this parameter will change the digest result - this may be used to change the resulting values between different ASM installations.

    Note - if one changes this internal parameter, a request that comes in with TS cookies that were built using the old digest will get a MODIFIED ASM COOKIE violation.
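The reply above describes the main cookie as a signature over a message key, a timestamp and a list of name/value CRC pairs, with cookie_digest_key mixed into the digest, and lists the checks those fields enable (tamper detection, expiry, validation of the domain cookies). The following is an added example, not code from the thread or from F5, that models exactly that layout so the checks can be seen working end to end. Field widths, byte order, the CRC-64 polynomial, the placement of the digest key and the outcome labels are all assumptions of this model, not F5's wire format; the digest key value and the sample cookies are constructed.

```python
# Added, hypothetical model of an integrity-protected cookie laid out the way the
# reply describes the main ASM cookie: signature || message key || timestamp ||
# (name CRC, value CRC)*. Not F5's actual format; all widths and constants are
# assumptions made for this illustration.
import base64
import hashlib
import hmac
import os
import struct
import time

MASK64 = (1 << 64) - 1

# Constructed stand-in for the cookie_digest_key internal parameter (up to 32 chars).
COOKIE_DIGEST_KEY = b"example-digest-key-change-me"
MAX_COOKIE_AGE = 600  # seconds; assumed freshness window for the timestamp check


def crc64(data: bytes, poly: int = 0x42F0E1EBA9EA3693) -> int:
    """Bitwise CRC-64. The ECMA-182 polynomial, zero init and no final xor are assumptions."""
    crc = 0
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & MASK64 if crc & (1 << 63) else (crc << 1) & MASK64
    return crc


def cookie_name(app_name: str) -> str:
    """'TS' followed by the first 6 hex digits of the application name's CRC-64, as the reply states."""
    return "TS" + f"{crc64(app_name.encode()):016x}"[:6]


def _digest(key: bytes, body: bytes) -> bytes:
    # The reply says the signature is an MD5 hash and that cookie_digest_key keys the
    # digest; prefixing the key is this model's assumption about how it is mixed in.
    return hashlib.md5(key + body).digest()


def build_main_cookie(set_cookies, key=COOKIE_DIGEST_KEY, now=None) -> str:
    """Build signature || message_key || timestamp || (name_crc, value_crc)* and base64 it."""
    message_key = os.urandom(8)  # random bytes that tie frame cookies to this main cookie
    timestamp = struct.pack(">Q", int(time.time() if now is None else now))
    pairs = b"".join(
        struct.pack(">QQ", crc64(name.encode()), crc64(value.encode()))
        for name, value in set_cookies
    )
    body = message_key + timestamp + pairs
    return base64.b64encode(_digest(key, body) + body).decode()


def verify_main_cookie(value: str, key=COOKIE_DIGEST_KEY, now=None, max_age=MAX_COOKIE_AGE):
    """Return (status, fields). A digest mismatch (tampering, or a cookie built under an
    older cookie_digest_key) yields MODIFIED ASM COOKIE, a stale timestamp yields EXPIRED,
    otherwise OK together with the parsed fields."""
    raw = base64.b64decode(value)
    signature, body = raw[:16], raw[16:]
    if len(body) < 16 or (len(body) - 16) % 16:
        return "MODIFIED ASM COOKIE", None
    if not hmac.compare_digest(signature, _digest(key, body)):
        return "MODIFIED ASM COOKIE", None
    message_key = body[:8]
    timestamp = struct.unpack(">Q", body[8:16])[0]
    current = int(time.time() if now is None else now)
    if current - timestamp > max_age:
        return "EXPIRED", None
    pairs = [struct.unpack(">QQ", body[i:i + 16]) for i in range(16, len(body), 16)]
    return "OK", {"message_key": message_key, "timestamp": timestamp, "crc_pairs": pairs}


def check_domain_cookies(fields, request_cookies):
    """The 'validates the domain cookies' role: compare the cookies on a request with the
    recorded CRC pairs. Returns (name_crc, problem) for each recorded cookie that is
    missing from the request or whose value CRC no longer matches."""
    by_name_crc = {crc64(n.encode()): crc64(v.encode()) for n, v in request_cookies.items()}
    problems = []
    for name_crc, value_crc in fields["crc_pairs"]:
        if name_crc not in by_name_crc:
            problems.append((name_crc, "missing"))
        elif by_name_crc[name_crc] != value_crc:
            problems.append((name_crc, "modified"))
    return problems


if __name__ == "__main__":
    # Constructed sample: two Set-Cookie values observed in a response.
    cookie = build_main_cookie([("sessionid", "abc123"), ("theme", "dark")])
    print(cookie_name("my_web_app"), verify_main_cookie(cookie)[0])
```

Rotating the digest key in `verify_main_cookie` reproduces the behaviour the note describes: a cookie built under the old key fails the digest comparison and is reported as MODIFIED ASM COOKIE rather than as expired, which is why a key change should be expected to invalidate every outstanding TS cookie at once.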