Mitigate TokenChpoken attack on PeopleSoft

Problem this snippet solves:

The TokenChpoken attack, which affects systems that use Single Sign-On (SSO), is possible because an authentication cookie (PS_TOKEN) used by PeopleSoft applications can be forged.

The PS_TOKEN cookie is generated when a user first signs in to a PeopleSoft application. When users log in to a different server, the browser sends this cookie for authentication so that the user doesn’t have to enter his/her credentials again.

The complete description of the attack can be found here :

How to use this snippet:

insert the code example in the Virtual Server that publish the PeopleSoft application.

External links

Github :

Code :

when RULE_INIT {
  set cookieToken "PS_TOKEN"
  # to be changed prior to any publishing
  set passphrase "hEuoYjmFUpB4PcpO3bUdQtLP4ic7jjm"
  if { [HTTP::cookie exists $cookieToken ] } {
    HTTP::cookie encrypt $cookieToken $passphrase
  if { [HTTP::cookie exists $cookieToken ] } {
    set decrypted [HTTP::cookie decrypt $cookieToken $passphrase]
    if { ($decrypted eq "") } {
      # Cookie wasn't encrypted, delete it
      HTTP::cookie remove $cookieToken 

Tested this on version:

Published Jun 03, 2016
Version 1.0

Was this article helpful?

No CommentsBe the first to comment