CloudBleed: Guess What? There was 0-day protection
I'd actually not come across this feature before. I was also thinking about the other aspect of Cloudbleed as I was not quite sure how this would have been able to mitigate session/auth tokens being captured and re-used. Just in terms of say actually passing a username and password - when it comes to overall transaction volume it's probably quite low, but then subsequent authenticated requests would be done with the cookie and so that's the bit I was wondering how to mitigate with F5.
So a quick search for ASM session hijacking turned up a page on the support site which talks about exactly how this is achieved. The Client-ID is a very elegant solution. I am not overly familiar with ASM but it certainly addresses my concern of it just being the same cookie passed every time.
It seems we need more Application Layer Encryption in the world!
PS - Sorry for separate comment, but for some reason it was flagged as spam otherwise.