Forum Discussion

SSHSSH_97332
Nov 21, 2013

F5 ASM Vulnerabilities

We did pen testing on our website, which is behind an F5 WAF, last week and found the vulnerabilities below. How do we prevent them using the F5 WAF?


Session Fixation Vulnerability: the web application doesn't validate the session IDs and also doesn't assign a different session ID when authenticating a user. An attacker could craft a custom session ID and make the victim's browser use it for the application authentication. The attacker could then hijack the user-validated session through knowledge of the session ID used.


Session Hijacking Vulnerability:


The web application is vulnerable to session hijacking attacks. An attacker could capture a valid user's session ID and URL information to gain the same level of access to information and privileges as that user.


Simultaneous Session Logon:


The application allows simultaneous logons for the same user from the same client IP address. A user session on a particular system will not terminate as long as any one of the sessions/browsers is open. A malicious user who has physical access to the system could gain access to an already active session and perform actions as the legitimate user.

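The three findings above all come down to how the application manages its session identifiers. The following is an added illustration, not code from this post and not F5 ASM configuration: an application-side session store that never adopts a session ID it did not issue (defeating fixation), replaces the ID at login (so an ID planted before authentication is worthless afterwards), caps concurrent sessions per user, and expires idle sessions. The per-user cap is an assumption that simplifies the post's "same user, same client IP" finding; the class, method names and the constructed `demo_fixation_attempt` scenario are illustrative.

```python
import secrets
import time


class SessionStore:
    """Server-side session store that resists session fixation and
    limits concurrent logins.  Illustrative code, not an F5 or vendor API."""

    def __init__(self, max_sessions_per_user=1, idle_timeout=900):
        if max_sessions_per_user < 1:
            raise ValueError("max_sessions_per_user must be >= 1")
        self.max_sessions_per_user = max_sessions_per_user  # assumption: per user, not per IP
        self.idle_timeout = idle_timeout                    # seconds of inactivity before expiry
        self._sessions = {}   # sid -> {"user": str | None, "last_seen": float}
        self._by_user = {}    # user -> [sid, ...], oldest first

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG; an attacker cannot guess or choose this value.
        return secrets.token_urlsafe(32)

    def resolve(self, presented_sid, now=None):
        """Map a cookie value to a session.  An unknown or expired ID is never
        adopted: the client gets a freshly issued anonymous session instead.
        This is the validation step the pentest reported as missing."""
        now = time.time() if now is None else now
        sess = self._sessions.get(presented_sid)
        if sess is not None and now - sess["last_seen"] <= self.idle_timeout:
            sess["last_seen"] = now
            return presented_sid
        if sess is not None:          # known but idle too long: drop it
            self.destroy(presented_sid)
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, presented_sid, user, now=None):
        """Authenticate the user: discard the pre-authentication session ID and
        issue a new one bound to the user (rotation on privilege change).
        Older sessions of the same user beyond the cap are evicted."""
        now = time.time() if now is None else now
        self.destroy(presented_sid)   # harmless if the ID was never ours
        active = self._by_user.setdefault(user, [])
        while len(active) >= self.max_sessions_per_user:
            self.destroy(active[0])   # destroy() removes the entry from `active`
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": now}
        active.append(sid)
        return sid

    def destroy(self, sid):
        """Invalidate a session ID on the server (logout, eviction, expiry)."""
        sess = self._sessions.pop(sid, None)
        if sess is not None and sess["user"] is not None:
            active = self._by_user.get(sess["user"], [])
            if sid in active:
                active.remove(sid)

    def user_for(self, sid):
        """Who a session ID currently belongs to, or None if anonymous/unknown."""
        sess = self._sessions.get(sid)
        return None if sess is None else sess["user"]


def demo_fixation_attempt(store, attacker_sid="SID-chosen-by-attacker"):
    """Constructed scenario: the attacker plants attacker_sid in the victim's
    browser, the victim then logs in.  Returns True only if the application
    adopted the attacker's ID at any point, i.e. if fixation would have worked."""
    sid = store.resolve(attacker_sid)          # must not be attacker_sid
    authed = store.login(sid, "victim")        # must differ from sid as well
    return attacker_sid in (sid, authed)


if __name__ == "__main__":
    store = SessionStore(max_sessions_per_user=1)
    print("fixation succeeded:", demo_fixation_attempt(store))
    a = store.login(store.resolve(None), "alice")
    b = store.login(store.resolve(None), "alice")   # second logon evicts the first
    print("first session still valid:", store.user_for(a) == "alice")
    print("second session valid:", store.user_for(b) == "alice")
```

Rotating the ID at login is what makes the fixation finding moot even if the attacker can set a cookie; refusing unknown IDs in `resolve` is what stops a planted ID from ever becoming a live session. Hijacking of a captured ID is not solved by the store itself; that needs TLS, `Secure`/`HttpOnly` cookie flags and keeping the ID out of URLs, which the pentest's "URL information" remark hints at.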

4 Replies

  • Login page enforcement will fix all the above? I want to know how to fix the above.


  • Thanks, the issue is that my application doesn't have a specific login page. The username & password tabs are on the home page itself, www.xyz.com, so how can I apply login page enforcement?