Forum Discussion
Blocking Session Management attacks on ASM
Hello, we recently came to know that the F5 ASM is not blocking session management attacks which disclose the admin username and password in the reply.
May I know if this has something to do with attack signatures or through dynamic parameters.
Regards,
Akhtar
- Michael_KoyfmanCirrocumulus
Can you please explain the exact nature of the attack you are referring to? What exactly are you observing?
- Akhtar_109015Nimbostratus
I have uploaded the HTTP request and response snapshots from a PT tool. In the response from the server we see the password in clear text. Can we tune the ASM policy to track the session and encrypt the passwords in the HTTP responses?
Akhtar
- Mike_MaherNimbostratus
Is this running over HTTP or HTTPS? Is your concern someone taking control of your browser and stealing the password?
- samstepCirrocumulus
You can encrypt the sensitive cookie using the HTTP Profile Cookie Encryption feature and you can mask the sensitive password in the response using DataGuard in ASM. Be careful though as DataGuard masking can actually break your application if it is actually expecting the administrator password to be present in clear-text in the response.
Sam
- Erik_NovakEmployee
Hello Akhtar, you might try to add the "pwdadmin2" parameter to your parameters list, and then configure it as a sensitive parameter on the Properties screen for it. You will have to test it then to make sure that masking it doesn't harm the functionality of your app.
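To make concrete what the two answers above describe (masking a sensitive parameter's value in the response, and the caveat that an application which reads that value back will break), here is an added illustration in Python. It is not F5's DataGuard or ASM code; the parameter name "pwdadmin2" comes from the thread, and the sample response body is constructed.

```python
import re
from typing import Optional

# Constructed illustration of response-side masking of one named sensitive
# parameter (the thread's "pwdadmin2"), in the spirit of ASM's sensitive
# parameter / DataGuard masking. Not F5's implementation.

def _mask(secret: str) -> str:
    """Replace every character of the secret with '*', preserving its length."""
    return "*" * len(secret)

def mask_sensitive_parameter(body: str, name: str) -> str:
    """Mask the value of `name` wherever it appears in a response body in
    three common encodings: name=value, JSON "name": "value", and an HTML
    <input name="..." value="..."> element."""
    esc = re.escape(name)
    # name=value inside query strings, links or form-encoded bodies
    body = re.sub(rf"(?<![\w-])({esc}=)([^&\s\"'<>]*)",
                  lambda m: m.group(1) + _mask(m.group(2)), body)
    # "name": "value" inside JSON
    body = re.sub(rf'("{esc}"\s*:\s*")([^"]*)(")',
                  lambda m: m.group(1) + _mask(m.group(2)) + m.group(3), body)
    # value="..." of an <input> whose name attribute is the parameter
    def _mask_input(m):
        return re.sub(r'(value=")([^"]*)(")',
                      lambda v: v.group(1) + _mask(v.group(2)) + v.group(3),
                      m.group(0))
    return re.sub(rf'<input\b[^>]*\bname="{esc}"[^>]*>', _mask_input, body)

def hidden_field_value(html: str, name: str) -> Optional[str]:
    """What the application itself would read back from the page. Used to show
    the thread's caveat: once masked, a value the app resubmits is wrong."""
    m = re.search(rf'<input\b[^>]*\bname="{re.escape(name)}"[^>]*\bvalue="([^"]*)"',
                  html)
    return m.group(1) if m else None

# Constructed sample response: an admin form that echoes the password back.
SAMPLE_RESPONSE = (
    '<form action="/admin/update" method="post">'
    '<input type="hidden" name="pwdadmin2" value="S3cretAdmin!">'
    '<input type="text" name="username" value="admin">'
    '</form>'
)

if __name__ == "__main__":
    masked = mask_sensitive_parameter(SAMPLE_RESPONSE, "pwdadmin2")
    print(masked)
    # The app would now resubmit asterisks instead of the real password.
    print("read back:", hidden_field_value(masked, "pwdadmin2"))
```

If the application genuinely needs the value round-tripped through the page, the read-back check is the quick way to find out before enabling masking on a live policy.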