Forum Discussion

PiotrL's avatar
Icon for Cirrus rankCirrus
Oct 03, 2019

ASM cookie, modifying "domain" field

Is it possible to modify "domain" field in the ASM cookie ?

As it appears ASM is using a hostname from http header, unfortunately the host is replaced to an internal hostname (required by an app) in an irule. So scanners point that this is a vulnerability.

2 Replies

  • Unfortunately this isn't a configurable option yet within ASM but it is a feature that has been requested.

    You would have to modify the cookie via iRule to get the result you want.

    == Sample iRule ==

    when RULE_INIT {
      # Cookie name prefix
      set static::ck_pattern "TS*"
      # Log debug to /var/log/ltm? 1=yes, 0=no
      set static::ck_debug 1
    when HTTP_REQUEST {
      set incoming_domain [HTTP::host]
      if {$static::ck_debug}{log local0. "incoming domain name: [HTTP::host]"}
      if {$static::ck_debug}{log local0. "Cookie names: [HTTP::cookie names]"}
      # Check if the cookie names in the response match our string glob pattern
      if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""}{
        # We have at least one match so loop through the cookie(s) by name
        if {$static::ck_debug}{log local0. "Matching cookie names: [HTTP::cookie names]"}
        foreach cookie_name $cookie_names {
          HTTP::cookie attribute $cookie_name remove domain
          HTTP::cookie attribute $cookie_name insert " Domain" ".$incoming_domain"
      if {$static::ck_debug}{log local0. "Cookie header(s): [HTTP::header values Set-Cookie]"}
    • Sanket-9968's avatar
      Icon for Nimbostratus rankNimbostratus

      Thanks Andrew
      Is the configurable option within ASM is available now? I am using 16.1.4 image and need to modify the domain name set in the ASM cookie.