
Forum Discussion

Akhtar_109015
Jan 20, 2014

Blocking Session Management attacks on ASM

Hello, we recently came to know that F5 ASM is not blocking session management attacks which disclose the admin username and password in the reply.

May I know if this has something to do with attack signatures or with dynamic parameters?

Regards,

Akhtar

8 Replies

  • Hello Akhtar, you might try to add the "pwdadmin2" parameter to your parameters list, and then configure it as a sensitive parameter on the Properties screen for it. You will have to test it then to make sure that masking it doesn't harm the functionality of your app.

     

  • You can encrypt the sensitive cookie using the HTTP Profile Cookie Encryption feature and you can mask the sensitive password in the response using DataGuard in ASM. Be careful though as DataGuard masking can actually break your application if it is actually expecting the administrator password to be present in clear-text in the response.

     

    Sam
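The two replies above both come down to masking a password that the application echoes back in its response. The following script is an added example (not F5 code and not something posted in this thread) that mimics that masking on a captured request/response pair so you can verify the result the way a PT tool would: it pulls the submitted value of the sensitive parameter out of the request, reports whether that value is reflected in the response body, and then masks it either by exact value or by a Data-Guard-style custom regex pattern. The parameter name `pwdadmin2` is taken from the first reply; the request, response and password values are constructed for the example, and the regex pattern is an assumption about how the page renders the field.

```python
import re
from urllib.parse import parse_qs

# Constructed sample traffic, not captured from a real system: a login POST and a
# server reply that echoes the admin password back in a hidden field. The parameter
# name pwdadmin2 is the one named in the thread; the values are made up.
SAMPLE_REQUEST = (
    "POST /admin/login.jsp HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "useradmin=admin&pwdadmin2=S3cretPass%21&submit=Login"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome admin.\n"
    "<input type='hidden' name='pwdadmin2' value='S3cretPass!'>\n"
    "</body></html>"
)

# Parameters whose submitted values must never appear in a response.
SENSITIVE_PARAMS = {"pwdadmin2"}

# Assumed custom pattern (Data Guard style): capture the value attribute of the
# pwdadmin2 hidden field so only the secret, not the markup, gets masked.
PASSWORD_FIELD_PATTERN = r"""name=['"]pwdadmin2['"]\s+value=['"]([^'"]*)['"]"""


def split_http_message(raw):
    """Split a raw HTTP/1.1 message into (headers, body) at the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def sensitive_values(request, sensitive=SENSITIVE_PARAMS):
    """Return {param: [decoded values]} for every sensitive parameter in the request body."""
    _, body = split_http_message(request)
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes, so %21 becomes '!'
    return {name: params[name] for name in sensitive if name in params}


def find_leaks(response, values):
    """Names of sensitive parameters whose submitted value is reflected in the response body."""
    _, body = split_http_message(response)
    return sorted(name for name, vals in values.items() if any(v and v in body for v in vals))


def mask_by_value(response, values, mask_char="*"):
    """Mask every occurrence of a submitted sensitive value, one mask character per character."""
    head, body = split_http_message(response)
    for vals in values.values():
        for v in vals:
            if v:
                body = body.replace(v, mask_char * len(v))
    return head + "\r\n\r\n" + body


def mask_by_pattern(response, pattern=PASSWORD_FIELD_PATTERN, mask_char="*"):
    """Mask only the captured group of a regex, leaving the surrounding markup intact."""
    head, body = split_http_message(response)

    def repl(m):
        secret = m.group(1)
        return m.group(0).replace(secret, mask_char * len(secret))

    return head + "\r\n\r\n" + re.sub(pattern, repl, body)


if __name__ == "__main__":
    vals = sensitive_values(SAMPLE_REQUEST)
    print("leaked before masking:", find_leaks(SAMPLE_RESPONSE, vals))
    masked = mask_by_pattern(SAMPLE_RESPONSE)
    print(split_http_message(masked)[1])
    print("leaked after masking:", find_leaks(masked, vals))
```

Run this against the request and response exported from your PT tool (replacing the constructed samples) before and after enabling masking on the BIG-IP: the `find_leaks` check should go from reporting `pwdadmin2` to reporting nothing. As Sam's reply warns, the regex variant is the safer one to model because it masks only the value attribute; if the application reads that hidden field back on the next request, masking it will break the login flow, and the real fix is for the application to stop returning the password at all.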

     

    • Mike_Maher
      Is this running over HTTP or HTTPS? Is your concern for someone taking control of your browser and stealing the password?
  • Can you please explain the exact nature of the attack you are referring to? What exactly are you observing?

     

    • Akhtar_109015
      I have uploaded the HTTP request and response snapshots from a PT tool. In the response from the server we see the password in clear text. Can we tune the ASM policy to track the session and encrypt the passwords in the HTTP responses?
      Akhtar