Forum Discussion
boneyard
Jun 07, 2012MVP
ASM violation: Modified domain cookie(s)
im getting this violation, from the info provided by the ASM it seems to happen when the cookie is first set, am i correct on that? it feels like this is a quite common thing to happen, is it some you turn default on for * or only for cookies you know shouldnt change?
- BT_90520NimbostratusModified domain cookie is the minimal violation that we should really catch - that is actually tampering the actual web application cookie like your jsession, php_session etc. There are more to track (see below link) but personally, that is mandatory since it is user appl and specifically configured to track the trusted session. The moment session cookie is tampered, quite a few abuse cases can happened like session replay, hijack etc. Even XSS like to reveal session cookie
- BT_90520Nimbostratusyou may be interested in this DC discussion
- thank you for the links, they cleared some things up for me. could you guide me a bit more to what im seeing in the ASM Reporting output, because it seems there the issue lies with some basic cookie behaviour.
- BT_90520Nimbostratusif you take a look at the ASM policy>blocking>settings, those violation is alerted as you enable it under the option " Modified domain cookie(s)", or even subsequent for other cookie violation " ASM Cookie Hijacking", and "Modified ASM cookie". importantly, they are triggered as you configured in the Headers : Cookies : Cookies. There is the two type of cookie which will trigger the violation. Esp on the Enforced cookie
- BT_90520Nimbostratusactually if you look into ASM attack signature db, do a custom search with string like cookie, you can find the various web attack related attempt e.g. one of them is document.cookie (Headers) as XSS attempt. There are more notes to other online resources and more info...There is info titled with
- i understand the risks of clients changing a cookie, but apparently it also is a regularly used way to achieve certain functionality right?
- BT_90520Nimbostratusthe cookie itself when generated by web server will already be signed and recognised as legit ones when passed back to client. So during client session, the cookie presented will have to be the same one and that is verified by ASM. Client will not intentionally tamper with it since it is not even obvious ... The challenge will be more from if attacker try to steal cookie, replay session and copied session cookie but that can be handled by having secure cookie, session timeout and even CSRF preventive measures.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects