Forum Discussion
Girishb401
Nimbostratus
NimbostratusCookie Does Not Contain The "secure" Attribute on ltm vip
Our security team reported that multiple vulnerabilities has been detected on one of VIP: 1.2.3.4 (on BIG-IP LTM v12.1.2 version.)
Please refer the list as below
1.Cookie Does Not Contain The "secure" Attribute
2.Path-Based Vulnerability
3. Session Cookie Does Not Contain the "Secure" Attribute
4.Slow HTTP POST vulnerability
I also Referred this below article but "I don't find any kind of persistence profile enabled and also no custom http profile exist on this mentioned VIP ".
K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile
If cookies persistence not enabled on VIP, then is it something need to look at backend server (poolmember). please confirm me
Kindly help me to fix this issue
Great thanks,
Girish
- Lidev
MVP
Hi,
If you don't use cookie persistence profile, you need to configure the BIG-IP ASM to use secure and HttpOnly cookie flag.
Check in your ASM Policy configuration, Security ›› Application Security : Headers : Cookies List ›› Edit Cookie
Girishb401OK..I am not sure about that we allowed to c provision a BIG-IP ASM (new) on F5 LB.
And I also checked with F5 TAC engineer and he suggested as below
"The security scan will test the traffic all the way through the virtual server, to the pool member. Since the BIG-IP virtual server is not generating the cookie, it must be the pool member server that is generating it. Therefore, the Qualys scan would be indicating that the vulnerable component is the server, NOT the BIG-IP virtual server."
So Finally he is pointing something to check on backend server.
so I am a bit confusion what decision need to take on this
- Lidev
Indeed, if you don't use the ASM module, you have to check this on the backend server, look at the configured Set-Cookie header (Secure; HttpOnly).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
Regards
