
Cooler_184565
Jan 29, 2015

Doubt to append cookie in header

Hi there,

I was wondering if you guys could help me with some doubts I'm having with the creation of some iRules to protect against some vulnerabilities.

In this particular case I need to add the HttpOnly and Secure flags in a session cookie, so I created this iRule:

    foreach cookie [HTTP::cookie names] {
        set value [HTTP::cookie value $cookie]
        if { "" != $value } {
            set testvalue [string tolower $value]
            set valuelen [string length $value]
            log local0. "Cookie found: $cookie = $value"
            # Append "Secure" unless the value already contains it
            switch -glob $testvalue {
                "*;secure*" -
                "*; secure*" { }
                default { set value "$value; Secure" }
            }
            # Append "HttpOnly" unless the value already contains it
            switch -glob $testvalue {
                "*;httponly*" -
                "*; httponly*" { }
                default { set value "$value; HttpOnly" }
            }
            # Rewrite the cookie only if something was appended; kept inside
            # the non-empty check so $valuelen is always defined here
            if { [string length $value] > $valuelen } {
                log local0. "Replacing cookie $cookie with $value"
                HTTP::cookie value $cookie "${value}"
            }
        }
    }

Is that the best way to avoid this vulnerability? Would you guys have any other suggestions to improve this code? Is there another way to mitigate this vulnerability?

Best Regards

1 Reply

  • I think you could use HTTP::cookie, you can set the httponly and secure flags on each of the cookies manually if you want. And you'd want to do that on the HTTP_RESPONSE event.

    when HTTP_RESPONSE {
        foreach cookie [HTTP::cookie names] {
            HTTP::cookie secure $cookie enable
            HTTP::cookie httponly $cookie enable
        }
    }
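
To confirm that the flags actually reach the client once an iRule like the one above is attached, the `Set-Cookie` headers of a response can be audited. The following is an added example, not part of the original thread: the header strings are constructed sample data and the function names are hypothetical. It parses attributes separately from the cookie value, so a value that merely contains the text "secure" or "httponly" does not count as flagged.

```python
# Added example: audit Set-Cookie response headers for Secure / HttpOnly.
# Header strings below are constructed sample data, not captured traffic.

REQUIRED = ("secure", "httponly")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attribute dict)."""
    parts = header.split(";")
    name, _, value = parts[0].strip().partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # attribute names are case-insensitive
    return name, value, attrs


def missing_flags(header):
    """Return the required flags absent from one Set-Cookie header value."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED if flag not in attrs]


def audit(headers):
    """Map cookie name -> missing flags, listing only non-compliant cookies."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        gaps = missing_flags(header)
        if gaps:
            report[name] = gaps
    return report


SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",   # compliant
    "lang=en; Path=/",                               # both flags missing
    "pref=insecure-httponly-test; Path=/; secure",   # text in value is not a flag
    "track=1; HTTPONLY; Max-Age=60",                 # Secure missing
]

if __name__ == "__main__":
    for cookie, gaps in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(gaps)}")
```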