Forum Discussion

John_31769's avatar
John_31769
Icon for Nimbostratus rankNimbostratus
Mar 11, 2011

Set APM Cookies to HttpOnly

During an internal PEN test of our APM implementation, our Security group was able to inject some Java script and steal the 2 APM cookies MRHSession and Last_MRHSession. We think we could prevent this by setting these cookies to HttpOnly but this option is not available in APM. Anybody run across this issue and able to resolve? Wondering if there might be an iRule that could be used here - any feedback greatly appreciated!
app sec
BIG-IP Access Policy Manager (APM)
security

1 Reply

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 15, 2011
    Hi John,

     

     

    Was there an actual vulnerability in APM or the web app? Or how was someone able to inject Javascript?

     

     

    I believe the APM session cookies might need to be read via clientside script for some functionality, so I'm not sure setting the HttpOnly flag on both cookies would solve this issue in an acceptable manner.

     

     

    Aaron