
Mitigate TokenChpoken attack on PeopleSoft

Problem this snippet solves:

The TokenChpoken attack, which affects systems that use Single Sign-On (SSO), is possible because an authentication cookie (PS_TOKEN) used by PeopleSoft applications can be forged.

The PS_TOKEN cookie is generated when a user first signs in to a PeopleSoft application. When the user then accesses a different server, the browser sends this cookie for authentication so that the user does not have to enter their credentials again.

The complete description of the attack can be found here:

https://erpscan.com/press-center/blog/peoplesoft-security-part-3-peoplesoft-sso-tokenchpoken-attack/

How to use this snippet:

Insert the code example in the Virtual Server that publishes the PeopleSoft application. The iRule encrypts PS_TOKEN on the way to the browser and only decrypts values it encrypted itself, so the same iRule and passphrase must be applied on every Virtual Server that publishes a PeopleSoft node taking part in the SSO; otherwise the encrypted cookie sent back by the browser will not be understood by the other nodes.

External links

Github : https://github.com/e-XpertSolutions/f5

Code :

when RULE_INIT {
  # static:: variables are visible in every event and keep the iRule CMP-compatible
  set static::cookieToken "PS_TOKEN"
  # to be changed prior to any publishing
  set static::passphrase "hEuoYjmFUpB4PcpO3bUdQtLP4ic7jjm"
}
when HTTP_RESPONSE {
  # Encrypt the token before it reaches the browser so the raw PS_TOKEN is never exposed
  if { [HTTP::cookie exists $static::cookieToken] } {
    HTTP::cookie encrypt $static::cookieToken $static::passphrase
  }
}
when HTTP_REQUEST {
  if { [HTTP::cookie exists $static::cookieToken] } {
    # decrypt rewrites the cookie value in place and returns "" when the value
    # was not encrypted with our passphrase
    set decrypted [HTTP::cookie decrypt $static::cookieToken $static::passphrase]
    if { $decrypted eq "" } {
      # Cookie wasn't encrypted (or was tampered with), delete it so the application never sees it
      HTTP::cookie remove $static::cookieToken
    }
  }
}
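The following is an added example, not code from the page or from e-XpertSolutions, that models the request/response logic of the iRule above in Python so the behaviour can be tested offline: the response path encrypts PS_TOKEN, the request path decrypts it, and a cookie that was not produced by the proxy (plaintext, wrong passphrase, or tampered) is removed before it reaches the application. The cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag) is an assumption chosen because it needs only the standard library; it does not reproduce the BIG-IP `HTTP::cookie encrypt` format. The cookie name, the passphrase and the sample cookies are constructed values.

```python
import base64
import hashlib
import hmac
import os

COOKIE_NAME = "PS_TOKEN"
# Constructed placeholder; a deployment would use its own secret, as the iRule comment says.
PASSPHRASE = b"example-passphrase-change-me"


def _keys(passphrase):
    # Derive separate encryption and MAC keys from the passphrase.
    enc_key = hashlib.sha256(b"enc:" + passphrase).digest()
    mac_key = hashlib.sha256(b"mac:" + passphrase).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode used as a PRF keystream (assumption, stdlib only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_cookie(value, passphrase=PASSPHRASE):
    """Response path: return an opaque, authenticated token for the cookie value."""
    enc_key, mac_key = _keys(passphrase)
    nonce = os.urandom(16)
    pt = value.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode("ascii")


def decrypt_cookie(token, passphrase=PASSPHRASE):
    """Request path: return the plaintext, or None when the value was not encrypted by us.

    None plays the role of the empty string returned by HTTP::cookie decrypt on failure.
    """
    enc_key, mac_key = _keys(passphrase)
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < 16 + 32:  # nonce + tag at minimum
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # plaintext, forged, tampered, or wrong passphrase
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8", errors="replace")


def on_response(cookies):
    """HTTP_RESPONSE: encrypt PS_TOKEN before the browser sees it."""
    cookies = dict(cookies)
    if COOKIE_NAME in cookies:
        cookies[COOKIE_NAME] = encrypt_cookie(cookies[COOKIE_NAME])
    return cookies


def on_request(cookies):
    """HTTP_REQUEST: decrypt PS_TOKEN, or drop it if it is not one of ours."""
    cookies = dict(cookies)
    if COOKIE_NAME in cookies:
        plain = decrypt_cookie(cookies[COOKIE_NAME])
        if plain is None:
            del cookies[COOKIE_NAME]  # mirrors HTTP::cookie remove
        else:
            cookies[COOKIE_NAME] = plain
    return cookies


if __name__ == "__main__":
    # Constructed sample: a token issued by the application, then a plaintext one injected by a client.
    browser_cookies = on_response({"PS_TOKEN": "sample-token-value"})
    print("to application:", on_request(browser_cookies))
    print("forged plaintext dropped:", on_request({"PS_TOKEN": "sample-token-value"}))
```

The round trip through `on_response` then `on_request` yields the original cookie, while a plaintext PS_TOKEN presented directly by a client, a value encrypted under another passphrase, or a modified token all fail the MAC check and are removed, which is exactly the property the iRule relies on.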

Tested this on version:

11.5
Published Jun 03, 2016
Version 1.0