
Forum Discussion

PiotrL
Oct 03, 2019

ASM cookie, modifying "domain" field

Is it possible to modify the "domain" field in the ASM cookie?

It appears ASM is using the hostname from the HTTP Host header; unfortunately, the host is replaced with an internal hostname (required by the app) in an iRule. So scanners flag this as a vulnerability.

2 Replies

  • Unfortunately this isn't a configurable option yet within ASM, but it is a feature that has been requested.

    You would have to modify the cookie via iRule to get the result you want.

    == Sample iRule ==

    when RULE_INIT {
      # Glob pattern for the cookie names to rewrite (ASM cookie names start with "TS")
      set static::ck_pattern "TS*"

      # Log debug to /var/log/ltm? 1=yes, 0=no
      set static::ck_debug 1
    }

    when HTTP_REQUEST priority 100 {
      # Capture the client-facing host before the iRule that rewrites the Host header
      # to the internal name runs (lower priority runs first; the default is 500).
      # Strip any ":port" so it does not end up in the Domain attribute.
      set incoming_domain [getfield [HTTP::host] ":" 1]
      if {$static::ck_debug}{log local0. "incoming domain name: $incoming_domain"}
    }

    when HTTP_RESPONSE_RELEASE {
      if {$static::ck_debug}{log local0. "Cookie names: [HTTP::cookie names]"}
      # Collect the cookie names in the response that match our string glob pattern
      set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]
      if {[llength $cookie_names] > 0}{
        # We have at least one match, so loop through the matching cookie(s) by name
        if {$static::ck_debug}{log local0. "Matching cookie names: $cookie_names"}
        foreach cookie_name $cookie_names {
          # Drop whatever Domain ASM set and replace it with the client-facing host
          HTTP::cookie attribute $cookie_name remove domain
          HTTP::cookie attribute $cookie_name insert " Domain" ".$incoming_domain"
        }
      }
      if {$static::ck_debug}{log local0. "Cookie header(s): [HTTP::header values Set-Cookie]"}
    }
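As an added example, not code from the original post or from F5, the following Python models what the iRule does to the Set-Cookie headers and adds the client-side check a scanner performs: it rewrites the Domain attribute of cookies matching the TS* glob to the client-facing host (port stripped) and flags any cookie whose Domain does not cover the Host the client actually used. The cookie names, values and hostnames are constructed test data.

```python
"""Rewrite the Domain attribute of ASM (TS*) cookies the way the iRule does,
and audit Set-Cookie headers for a Domain that does not match the client host.
Added example, not F5 code; all header values below are constructed."""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Same glob as the iRule's static::ck_pattern; Tcl lsearch -glob is case-sensitive
ASM_COOKIE_PATTERN = "TS*"

Attr = Tuple[str, Optional[str]]


def split_set_cookie(header: str) -> Tuple[str, str, List[Attr]]:
    """Split one Set-Cookie value into (name, value, [(attr, value-or-None), ...])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: List[Attr] = []
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs.append((key.strip(), val.strip() if sep else None))  # flags like Secure have no value
    return name.strip(), value, attrs


def join_set_cookie(name: str, value: str, attrs: List[Attr]) -> str:
    """Inverse of split_set_cookie."""
    out = [f"{name}={value}"]
    out += [key if val is None else f"{key}={val}" for key, val in attrs]
    return "; ".join(out)


def host_without_port(host: str) -> str:
    """The Host header may carry ':port'; a cookie Domain must not. Handles IPv6 literals."""
    if host.startswith("["):
        return host[1 : host.index("]")]
    return host.split(":", 1)[0]


def rewrite_domain(header: str, incoming_host: str, pattern: str = ASM_COOKIE_PATTERN) -> str:
    """Mirror of the iRule loop: for a cookie whose name matches the glob, drop any
    existing Domain attribute and append Domain=.<client-facing host>. Other cookies
    are returned untouched."""
    name, value, attrs = split_set_cookie(header)
    if not fnmatchcase(name, pattern):
        return header
    attrs = [(k, v) for k, v in attrs if k.lower() != "domain"]
    attrs.append(("Domain", "." + host_without_port(incoming_host)))
    return join_set_cookie(name, value, attrs)


def domain_mismatches(set_cookies: List[str], request_host: str) -> List[Tuple[str, str]]:
    """Return (cookie_name, domain) for every cookie whose Domain attribute does not
    cover the host the client used. This is the finding the scanners raise when the
    Domain names the internal host."""
    host = host_without_port(request_host).lower()
    findings = []
    for header in set_cookies:
        name, _, attrs = split_set_cookie(header)
        for key, val in attrs:
            if key.lower() == "domain" and val:
                domain = val.lower().lstrip(".")
                if not (host == domain or host.endswith("." + domain)):
                    findings.append((name, val))
    return findings


# Constructed sample: what the pool member emits after the Host header was rewritten
# to the internal name, before any iRule fixes the cookie Domain.
CLIENT_HOST = "www.example.com:443"
BACKEND_SET_COOKIES = [
    "TS01a2b3c4=0123456789abcdef; Path=/; Domain=app-internal.corp.local",
    "TSPD_101=08a1b2c3d4; Path=/; Domain=.app-internal.corp.local; Secure; HttpOnly",
    "JSESSIONID=ABC123; Path=/; HttpOnly",
]


def fixed_set_cookies(headers: List[str] = BACKEND_SET_COOKIES, client_host: str = CLIENT_HOST) -> List[str]:
    """Apply the rewrite to every Set-Cookie header in a response."""
    return [rewrite_domain(h, client_host) for h in headers]


if __name__ == "__main__":
    print("before:", domain_mismatches(BACKEND_SET_COOKIES, CLIENT_HOST))
    for h in fixed_set_cookies():
        print("  ", h)
    print("after: ", domain_mismatches(fixed_set_cookies(), CLIENT_HOST))
```

The audit function is the useful half for verifying a deployed iRule: point it at the Set-Cookie headers from a real response (for example from curl -i against the virtual server) together with the Host you requested, and an empty list means the scanner finding should be gone.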
    • Sanket-9968

      Thanks Andrew.
      Is the configurable option within ASM available now? I am using the 16.1.4 image and need to modify the domain name set in the ASM cookie.