Mitigate TokenChpoken attack on PeopleSoft
Problem this snippet solves:
The TokenChpoken attack, which affects systems that use Single Sign-On (SSO), is possible because the authentication cookie (PS_TOKEN) used by PeopleSoft applications can be forged.
The PS_TOKEN cookie is generated when a user first signs in to a PeopleSoft application. When the user then accesses a different server, the browser sends this cookie for authentication so that the user does not have to enter their credentials again.
The complete description of the attack can be found here:
https://erpscan.com/press-center/blog/peoplesoft-security-part-3-peoplesoft-sso-tokenchpoken-attack/
How to use this snippet:
Insert the iRule below in the Virtual Server that publishes the PeopleSoft application. Change the passphrase before publishing: it is the key that makes the encrypted cookie unforgeable, and a cookie that does not decrypt with it is removed before the request reaches PeopleSoft.
External links
GitHub: https://github.com/e-XpertSolutions/f5
Code:
when RULE_INIT {
    # Name of the PeopleSoft SSO cookie to protect.
    # static:: variables are shared across all connections and keep the virtual server CMP-compatible
    set static::cookieToken "PS_TOKEN"
    # Passphrase used to encrypt the cookie; to be changed prior to any publishing
    set static::passphrase "hEuoYjmFUpB4PcpO3bUdQtLP4ic7jjm"
}
when HTTP_RESPONSE {
    # Encrypt the token set by PeopleSoft (Set-Cookie) before it reaches the browser
    if { [HTTP::cookie exists $static::cookieToken] } {
        HTTP::cookie encrypt $static::cookieToken $static::passphrase
    }
}
when HTTP_REQUEST {
    if { [HTTP::cookie exists $static::cookieToken] } {
        # decrypt returns an empty string when the cookie was not encrypted with our passphrase
        set decrypted [HTTP::cookie decrypt $static::cookieToken $static::passphrase]
        if { $decrypted eq "" } {
            # Cookie wasn't encrypted by this device, delete it so PeopleSoft never sees a forged token
            HTTP::cookie remove $static::cookieToken
        }
    }
}
Tested this on version:
11.5
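As an added illustration (not part of this snippet or of the e-XpertSolutions project), the Python model below reproduces the logic of the two iRule events: the token PeopleSoft issues is wrapped on the way out, a wrapped token coming back is unwrapped, and any PS_TOKEN the edge did not issue is dropped. The cipher is a toy encrypt-then-MAC construction so the example runs with the standard library only; the cookie names, passphrase and `on_response`/`on_request` helpers are assumptions made for the example.

```python
import base64, hashlib, hmac, os

COOKIE = "PS_TOKEN"
PASSPHRASE = "change-me-before-deploying"  # placeholder, not a real key

def _keystream(key, nonce, n):
    # Toy CTR-style keystream derived with SHA-256; illustration only, not production crypto
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def wrap(value, passphrase):
    """Encrypt-then-MAC the cookie value (stands in for HTTP::cookie encrypt)."""
    key = hashlib.sha256(passphrase.encode()).digest()
    nonce, pt = os.urandom(12), value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def unwrap(blob, passphrase):
    """Plaintext, or "" if the blob was not made with this passphrase (like HTTP::cookie decrypt)."""
    key = hashlib.sha256(passphrase.encode()).digest()
    try:
        raw = base64.urlsafe_b64decode(blob)
    except ValueError:
        return ""
    if len(raw) < 12 + 32:
        return ""
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return ""
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def on_response(cookies, passphrase=PASSPHRASE):
    # HTTP_RESPONSE: the token PeopleSoft sets leaves the edge only in wrapped form
    if COOKIE in cookies:
        cookies = {**cookies, COOKIE: wrap(cookies[COOKIE], passphrase)}
    return cookies

def on_request(cookies, passphrase=PASSPHRASE):
    # HTTP_REQUEST: unwrap a token this edge issued; anything else is removed
    if COOKIE not in cookies:
        return cookies
    rest = {k: v for k, v in cookies.items() if k != COOKIE}
    plain = unwrap(cookies[COOKIE], passphrase)
    return {**rest, COOKIE: plain} if plain else rest
```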