Forum Discussion
Akhtar_109015
Nimbostratus
NimbostratusBlocking Session Management attacks on ASM
hello, We recently came to know the F5 ASM is not blocking session management attacks which discloses the admin username and password on reply.
May I know if this has something to do with attack signatures or through dynamic parameters.
Regards,
Akhtar
Michael_KoyfmanCirrocumulus
Can you please explain the exact nature of the attack you are referring to? What exactly are you observing?
Akhtar_109015I have uploaded the HTTP request and response snapshots from a PT tool. In the response from a server we see the password in clear text. Can we tune the ASM policy to track the session and encrypt the passwords in the HTTP responses ? Akhtar
Michael_Koyfma1Cirrus
Can you please explain the exact nature of the attack you are referring to? What exactly are you observing?
- Akhtar_109015I have uploaded the HTTP request and response snapshots from a PT tool. In the response from a server we see the password in clear text. Can we tune the ASM policy to track the session and encrypt the passwords in the HTTP responses ? Akhtar
- Akhtar_109015
Mike_MaherIs this running over HTTP or HTTPS? Is your concern for someone taking control of your browser and stealing the password?
samstepYou can encrypt the sensitive cookie using the HTTP Profile Cookie Encryption feature and you can mask the sensitive password in the response using DataGuard in ASM. Be careful though as DataGuard masking can actually break your application if it is actually expecting the administrator password to be present in clear-text in the response.
Sam
- Erik_Novak
Employee
Hello Akhtar, you might try to add the "pwdadmin2" parameter to your parameters list, and then configure it as a sensitive parameter on the Properties screen for it. You will have to test it then to make sure that masking it doesn't harm the functionality of your app.