Forum Discussion
Security Parameters: Need to be applied to make secure solutions
Hi,
We have BIG-IP LTM+ASM in HA; the latest version, 13.1.0v, is running.
A Standard type virtual server is configured, and the TCP and HTTP profiles are enabled. The SNAT Pool List is enabled. An ASM Security Policy is applied to the specific VS.
Can anyone help me with the vulnerability IDs below, which were found when the solution was scanned by the security team?
- Cookie Does Not Contain The "secure" Attribute
- Web Server Predictable Session ID Vulnerability
- HTTP Security Header Not Detected
- Web Directories Listable Vulnerability
Hi,
- Which cookie does not contain the "secure" attribute? Your BIG-IP persistence cookie? If so, you should enable it on the cookie persistence profile. If it is the application cookie, you should rewrite that cookie (with an iRule) to insert the "secure" attribute.
- Is this for the webserver or for your BIG-IP persistence cookie? (If it is your BIG-IP persistence cookie, enable encryption on the cookie (I think you should always encrypt your BIG-IP persistence cookie).)
- Enable HTTP Strict Transport Security on your BIG-IP HTTP profile (or is there another header your security team wants to insert?)
- Did you enable the directory listing attack signatures in your ASM policy?
Cheers,
Kees
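The checks in the reply above depend on knowing which cookie the scanner flagged. The following is an added example, not part of the original thread and not F5 code: it audits one response's headers and reports, per finding, whether the fix belongs on the cookie persistence profile, the application cookie, or the HTTP profile. It assumes the default persistence cookie name prefix `BIGipServer` and the default unencrypted value layout; the sample headers are constructed.

```python
import re

# Assumptions: default BIG-IP persistence cookie name prefix, and the default
# unencrypted value layout "<decimal>.<decimal>.0000".
BIGIP_PREFIX = "BIGipServer"
BIGIP_PLAINTEXT = re.compile(r"^\d+\.\d+\.0000$")

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, set of lowercase attribute names)."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in rest if p}
    return name, value, attrs

def audit_response(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns a list of (finding, cookie_name, where_to_fix) tuples."""
    findings = []
    if "strict-transport-security" not in {n.lower() for n, _ in headers}:
        findings.append(("missing-hsts", "", "HTTP profile"))
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, value, attrs = parse_set_cookie(v)
        is_bigip = cookie.startswith(BIGIP_PREFIX)
        owner = ("cookie persistence profile" if is_bigip
                 else "application cookie (iRule rewrite)")
        if "secure" not in attrs:
            findings.append(("cookie-no-secure", cookie, owner))
        # A plaintext-layout value means persistence cookie encryption is off.
        if is_bigip and BIGIP_PLAINTEXT.match(value):
            findings.append(("persistence-cookie-unencrypted", cookie, owner))
    return findings

# Constructed sample response headers (not captured from a real system).
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0A1B2C3D; Path=/; HttpOnly"),
    ("Set-Cookie", "BIGipServerpool_web=1677787402.20480.0000; path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE):
        print(finding)
```

Running the same audit after each configuration change confirms that the corresponding finding has cleared before the security team rescans.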
Hi,
Cookie encryption is disabled in the screenshot...
Go to Security > Application Security > Attack Signatures, then go to advanced filtering, type directory in the string search field and click Go.
Cheers,
Kees