LTM/ASM Prevent session hijacking using an iRule

Question

Hello all&nbsp;
We have noticed a security issue on our sharepoint website.
If a hacker manages to steal someone's FedAuth cookie (Sharepoint proprietary) and the TS* cookie (ASM), the ASM policy will not pick this up as session hijacking (since the info in the TS* cookie isn't modified) and the attacker will be able to circumvent having to log-in to the sharepoint website. Source IP info is not stored in this TS* cookie.&nbsp;
To have at least some sort of security in place for this particular issue we would like to have an iRule in place that does check the source IP of a request. If it sees that the same FedAuth and TS* cookie is being used in the request but from a different source IP, we want the iRule to redirect back to the login page or block the request all together.&nbsp;
My experience in creating iRules is rather limited so any help in setting up such a cookie would be very much appreciated!&nbsp;

andy_mcgrath · Answer

This is most likely not something you actually need to do. If someone managed to perform some man-in-the-middle attack or hijack a client system then very little you do on your side would be able to identify this to block access.&nbsp;
First you will have SSL/TLS (make this as strong as you can, highest protocol and cipher suite etc.) so the cookies and values will not be visible outside of the secure SSL/TLS connection.&nbsp;
The other issue with this is user's IP addresses do change, so if you lock each session to the source IP at login you are likely to find you will incorrectly kick-out user sessions.&nbsp;
Finally if you really need this to be secure I would look at F5 APM to provide additional security and authentication. For example you could have APM perform client side checking to ensure things like AV is running and up to date or even run a SSL VPN from client to APM to help mitigate the risk of a session being hijacked.&nbsp;

youssef1 · Answer

Hi,&nbsp;
it was a strange behaviour, before trying to fix your behavior using an irule or other we will just be sure that asm policy was correctly configured:&nbsp;
When you apply session hijacking (Preventing) ASM stores the device ID along with other client data (including the message key or session ID) in a cookie that remains with the client for the length of the HTTP session. The system periodically checks that the device ID of the client is the same one that was assigned when the session started.&nbsp;
So In all Case ASM will blocked user request because the system periodically checks that the device ID of the client is the same one that was assigned when the session started...&nbsp;
You confirm that in ASM (Security  ››  Application Security : Sessions and Logins : Session Tracking)&nbsp;
You apply:&nbsp;
Detect Session Hijacking by Device ID Tracking
Note: When you are using device ID to track traffic, make sure that the Accept XFF setting is enabled in the HTTP profile that is assigned to the virtual server.&nbsp;
set the blocking modes for the hijacking violation, click Security &gt; Application Security &gt; Policy Building &gt; Learning and Blocking Settings (select in ASM Cookie Hijacking violation Learn, Alarm, and Block. ).&nbsp;
For more info:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/15.html&nbsp;
Keep me in touch&nbsp;

kai_wilke · Answer

Hi Tom Lauwereins,
back in the days I wrote an iRule to use non-cookie information (e.g. Certificate, Source-IP) to protect sensitive session cookie information.
High Performance HMAC Cookie Signing
https://devcentral.f5.com/codeshare/high-performance-hmac-cookie-signing
Note: Use the CLIENT_ACCEPTED event of the provided iRule to use the client IP address as cookie binding. Change the cookie names in the RULE_INIT event to match your FedAuth cookie and enter a unique and random key for HMAC operations.
Note: Before using the HMAC verification iRule make sure to analyse your FedAuth cookie. If the FedAuth cookie value changes on every single response, then you should NOT use the iRule.
Note: Instead of using HMAC-verification (my solution uses RAM caches to speed up the verification) you could also develop an iRule which uses symetric encryption (this will require slightly more CPU instead of using RAM). The iRule would need to parse the response from your servers and intercept those requests which are setting the FedAuth cookie. You could then encrypt the cookie information in combination with the client IP (either as a pre- or suffix) before sending to the client. Whenenver the client sends the encrypted cookie on subsequent request to your F5, you need to decrypt it, verify the embedded client IP and finally inject the original cookie value back to the request.
Cheers, Kai

Forum Discussion

LTM/ASM Prevent session hijacking using an iRule

3 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Patching Won't Prevent Compromise & Repos Hijacking June 18th – 24th This Week in Security

Guarding Large Language Models: Advanced Approaches to Preventing Model Theft

Operationlizing Online Fraud Detection, Prevention, and Response

Re: Prevention of OWASP API Security API3:2019 Excessive Data Exposure using F5 XC

API Security Strategy - Discover and map APIs, block unwanted connection and prevent data leakage