Girishb401
Mar 30, 2021

Cookie Does Not Contain The "secure" Attribute on ltm vip

Our security team reported that multiple vulnerabilities have been detected on one of our VIPs: 1.2.3.4 (on BIG-IP LTM v12.1.2).

 

Please refer to the list below:

1. Cookie Does Not Contain The "secure" Attribute
2. Path-Based Vulnerability
3. Session Cookie Does Not Contain the "Secure" Attribute
4. Slow HTTP POST vulnerability

 

 

I also referred to the article below, but I don't find any kind of persistence profile enabled, and no custom HTTP profile exists on this VIP.

 

K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile

 

If cookie persistence is not enabled on the VIP, then is it something that needs to be looked at on the backend server (pool member)? Please confirm.

 

Kindly help me to fix this issue.

 

Great thanks,

Girish

  • Hi,

    If you don't use a cookie persistence profile, you need to configure the BIG-IP ASM to use the Secure and HttpOnly cookie flags.

    Check in your ASM policy configuration: Security ›› Application Security : Headers : Cookies List ›› Edit Cookie

  • OK. I am not sure whether we are allowed to provision a BIG-IP ASM (new) on the F5 LB.

     

    I also checked with an F5 TAC engineer, and he suggested the following:

     

    "The security scan will test the traffic all the way through the virtual server, to the pool member. Since the BIG-IP virtual server is not generating the cookie, it must be the pool member server that is generating it. Therefore, the Qualys scan would be indicating that the vulnerable component is the server, NOT the BIG-IP virtual server."

     

    So finally he is pointing to something to check on the backend server.

     

    So I am a bit confused about what decision needs to be taken on this.
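
One way to settle the question the thread ends on (is the cookie without Secure set by the BIG-IP or by the pool member), as an added example that is not part of the original posts: compare the Set-Cookie headers returned through the VIP with those returned by the pool member directly. The header values below are constructed samples, and `audit` and `parse_set_cookie` are hypothetical helper names; `BIGipServer` is the default name prefix of BIG-IP cookie-persistence cookies.

```python
# Added example. Header values are constructed, not captured from the VIP in the thread.
REQUIRED = {"secure", "httponly"}

def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *attrs = header.split(";")
    name = first.split("=", 1)[0].strip()
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags

def audit(via_vip, from_pool_member):
    """Report each cookie seen through the VIP that lacks Secure/HttpOnly,
    with the component that most likely set it."""
    backend_names = {parse_set_cookie(h)[0] for h in from_pool_member}
    findings = []
    for header in via_vip:
        name, flags = parse_set_cookie(header)
        missing = sorted(REQUIRED - flags)
        if not missing:
            continue
        if name in backend_names:
            origin = "pool member"              # server sets it, BIG-IP passes it through
        elif name.startswith("BIGipServer"):
            origin = "BIG-IP cookie persistence"
        else:
            origin = "unknown (added between client and pool member)"
        findings.append({"cookie": name, "missing": missing, "origin": origin})
    return findings

# Constructed sample: the same request sent to the VIP and straight to a pool member.
VIA_VIP = [
    "JSESSIONID=constructed123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; HttpOnly",
]
FROM_POOL_MEMBER = [
    "JSESSIONID=constructed123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for f in audit(VIA_VIP, FROM_POOL_MEMBER):
        print(f"{f['cookie']}: missing {', '.join(f['missing'])} (set by {f['origin']})")
```

A finding with origin "pool member" matches the TAC engineer's reading: the attribute has to be fixed in the application or web server configuration, or added in transit by the BIG-IP.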