We have recently installed a pair of F56400s (v9.4.3) in front of our website with ASM in blocking mode. Despite the fact that our Website only utilises a handful of cookies (all configured within the ASM) we are seeing and blocking loads of Modified Domain Cookie violations. It would appear that when users are visitng our website their browsers are trying to present cookies that are nothing to do with our domain whatsoever which the F5 is blocking because it, quite rightly, does not recognise the cookie as being from the application. This action, however, is blocking the users from our site Modified Cookie Violation is another standard ASM policy feature which we have not altered so, to my way of thinking, anyone with an F5 will be experiencing the same kind of problem. Does anyone have the same issue? Does anyone know why we are seeing this behaviour i.e. browsers trying to give us cookies we don't want. Any feedback/advice would be gratefully received

Hi David, By design for security reasons, a browser should never include a cookie in a request to one domain which was set for another domain. Is it possible that the cookies are being set on a different subdomain that is part of your root domain? If so, you could add them as allowed modified domain cookies in the ASM policy to tell ASM to ignore them. Can you post some anonymized examples of the requests? If you're not able to reproduce the issue, it might help to add an iRule which logs the cookies in requests and responses. You could modify a version of one of the Codeshare logging examples: http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpHeaders.html This rule would use a lot of CPU time, so be careful about adding it to a production virtual server. Also, there have been a lot of significant issues fixed in the latest version and hotfix (9.4.5 hotfix 2), so it would be a good idea to upgrade when possible. Aaron

Heres a couple of examples. First example: Cookie name = Finjan-Auth GET /savingapps/html/forms/savings_app_help/empdetails.html HTTP/1.0 Accept: */* Accept-Language: en-gb Cookie: Finjan-Auth=57lMEvEiJ4m0fM7nn5lHEVOBbvP6PdULKtwOztu7Ksq+w/0MRxa/uQoLytSjnmc0; SIVISITOR=MjIuNzIyLjExNzk5NTI2NjYxNTguMTIyNjUwMDI0ODIyMQ__; s_cc=true; s_sq=britbscoukprod%3D%2526pid%253Dhome.c_savings.product.notice_accounts.premsav.sav_app.html%2526pidt%253D1%2526oid%253Djavascript%25253Aaccounttype%252528%252527premsav%252527%252529%2526ot%253DA%2526oi%253D72; TS4b6c63=c278badda7d8ed901729b76101906803d9f41bcef991d297491ae896; IV_JCT=%2Fhome; JSESSIONID=0001dD8eCt-Apy_8TnmT9_u0G2c:-DG1FS6; PD_STATEFUL_1ebd5b44-3ba1-11dd-aa70-c0a84102aa77=%2Fsavingapps User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: www.britannia.co.uk Connection: Keep-Alive Second example: Cookie names (3 of them) L6289 _mkto_trk __utma GET /mortgageapp/css/layout/mbox.css HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5; en-gb) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1 Referer: https://www.britannia.co.uk/mortgageapp/mac_safari.html Accept: text/css,*/*;q=0.1 Accept-Language: en-gb Cookie: camp=sageampFFJUF584%60%60Mon%2C%2010%20Mar%202008%2014%3A26%3A03%20GMT%7CsageampPCJWO184%60%60Mon%2C%2010%20Mar%202008%2014%3A26%3A03%20GMT%7C; sageamp=sageampFFJUF584%7CsageampNLVOD421%7CsageampPCJWO184%7CsageampVUQND682%7CsageampLLOEC769%7CsageampUQGLM194%7C; s_pers=%20s_favsn_paypalglobal_1%3D1100029004737%7C1522106457646%3B; __utma=186137275.938163156.1209930838.1209930838.1209930838.1; s_vi=[CS]v1|48AD3FD4000045C0-A000BAF000009E1[CE]; AMOS_PREF=sac%3Dg3%252Ck36; _mkto_trk=id:841-CMW-048&token:_mch-co.uk-1223594949213-99427; L6289=1.1226588030336; SIVISITOR=NS43NjEuODM3MDI2NTY5OTkyMy4xMTk4NDA4MDk1NTQ2; IV_JCT=%2Fhome; s_cc=true; s_sq=britbscoukprod%3D%2526pid%253Dhome.mortgage.index.html%2526pidt%253D1%2526oid%253Djavascript%25253AmtgcalcquotepopUp%252528%252529%25253B%2526ot%253DA; PD_STATEFUL_125df088-1d16-11dd-9e46-c0a84102aa77=%2Fmortgageapp; TS4b6c63=fbbf9a6f4814833639a68c5e3589440e1d0f7873d98da270491aed97 Connection: keep-alive Host: www.britannia.co.uk Do these help?

It would be most helpful to see the response(s) where these cookies are being set. They may not be from your application, but could be from other applications on the britannia.co.uk domain. The __utma cookie is a Google Analytics cookie. The _mkto_trk cookie looks to be from a marketing company, Marketo. I couldn't find any info on the L6289 cookie. I'd guess it's something custom. If you're not worried about the client modifying these cookies, you could either configure them individually as allowed modified domain cookies, or you could disable checking of domain cookies altogether. Unless we know of a specific issue in the application we're configuring a policy for with badly encrypted cookies we normally disable this check anyhow. Aaron

Thanks for the response Aaron Where would I get the response information from that you seek? For information, the cookies are not from our applications - I've checked with our developers who confirm this. Therefore I'm confused as to why they are being presented to our F5s ? We do have the Modified Domian Cookie disabled at the moment - because we are getting hundreds of them (therefore hundreds of potential customers) blocked by the F5 policy. However, what level of risk are we running in not having this feature enabled? An independent consultant who reviewed our F5 policy recommended that it be enabled again as soon as we managed to sort out why we were seeing so many 'foreign' cookies.

What can be a workaround is an iRule that cleans all non-application/BIG-IP cookies from an HTTP request to this VS

Modified Domain Cookie blocking

alfian_3548
Nimbostratus
Jul 24, 2009
hi Aaron, i got same situation for this BCSI-* blocking. Did your script above has been tested and apply in production environment? how was the result? thx
AllynCarter_377
Nimbostratus
Jul 24, 2009
Hi,

I've been using a script very like the one Aaron suggested here in production for some time now. As well as the BCSI cookies, it also strips cookies beginning with TS, as I was having a similar problem with those.

It works fine for me.
hooleylist
Cirrostratus
Jul 24, 2009
alfian, the iRule should work fine. Though if you're on 9.4.2 or higher, you can configure a wildcard of BCSI-* in the allowed modified domain cookie setting.

Allyn, the TS cookies are what ASM uses to track the web app's cookies and other dynamic settings. You should ideally leave the TS cookies as they're used by ASM for validation. If you don't want to track any cookies, you can just disable the modified domain cookie violation in the blocking mask of the policy.

Aaron

hooleylist

Cirrostratus

Dec 13, 2010

That looks like it should work. You could add logging to see what's happening. If it's a production virtual server, try adding the logging just for your client IP.

You could combine the two iRules so you only loop through the cookies once:


when CLIENT_ACCEPTED {

    Check if the client is our test IP
   if {[IP::addr [IP::client_addr] equals 1.2.3.4]}{
      if {$debug}{log local0. "Debug enabled for [IP::client_addr]"}
      set debug 1
   } else {
      set debug 0
   }
}
when HTTP_REQUEST {

   if {$debug}{log local0. "\[HTTP::cookie names\]: [HTTP::cookie names]"}

    Loop through each cookie by name
   foreach acookie [HTTP::cookie names] {

       Check if cookie starts with bcsi or _em_
      if {[string match -nocase "bcsi-*" $acookie] or [string match -nocase "_em_*" $acookie]}{

         if {$debug}{log local0. "Removing cookie $cookie: [HTTP::cookie value $cookie]"}

          Remove cookie
         HTTP::cookie remove $acookie
      }
   }
}

Aaron

alfian_3548
Nimbostratus
Dec 15, 2010
Aron

how about the combine script if i want to remove the logging? Thx
hooleylist
Cirrostratus
Dec 16, 2010
Hi Alfian,

You can either set debug to 0 or comment out/remove the lines which start with "if {$debug}{log local0. "

Aaron
alfian_3548
Nimbostratus
Dec 16, 2010
Aaron,

is this script ok?

when HTTP_REQUEST {

Loop through each cookie by name

foreach acookie [HTTP::cookie names] {

Check if cookie starts with bcsi or _em_

if {[string match -nocase "bcsi-*" $acookie] or [string match -nocase "_em_*" $acookie]}{

Remove cookie

HTTP::cookie remove $acookie

}

}

}
hooleylist
Cirrostratus
Dec 16, 2010
That looks great. Have you had a chance to test it?

Aaron

Forum Discussion

Modified Domain Cookie blocking

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

domain blocking

modified domain cookies

Enriching AFM with public domain Threat Intelligence

iRule to modify a content-security-policy header

Blocking domains

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS