About Session Hijacking

SanYang
Altocumulus

Hello,

I've been testing session hijacking lately.
Here is my setting:

[Attached screenshots: SanYang_0-1693474494660.png, SanYang_1-1693474516890.png, SanYang_2-1693474690520.png]

I have found that when I change SESSION or TS01340bfb individually, F5 blocks it.
However, when I change both, it doesn't block it and I can run session hijacking successfully.

Why is this happening?

Any help is appreciated.

Better see this, as I do not see a feature cookie, only the main F5 cookie: https://my.f5.com/manage/s/article/K6850

https://my.f5.com/manage/s/article/K95345460

Maybe enable session tracking and see that the SESSION cookie is enforced.

The ASM Feature cookies

The ASM Feature cookies are set for client requests when one or more BIG-IP ASM features are activated or enabled, such as the following policy features:

  • Login/Logout page enforcement
  • CSRF enforcement
  • Session tracking
  • Dynamic parameters
  • CAPTCHA enforcement

Did you test it? Also, you can add session tracking by Device ID, which is generated by the bot defense, and this way, if someone steals the 2 cookies, they can't use them.

Still, when you mentioned that F5 does not block you when changing the 2 cookies: well, the idea is to stop someone from using real cookies that are not their own, so when you randomly changed the two cookies they are no longer a real TS or real session cookie that can be used.

Funny, I came across the same issue recently in a customer scenario. @Nikoolayy1 is correct.
Here are my 5 cents.
1. Steal one cookie > ASM will block.
2. Steal both cookies > ASM won't block this, Session Hijacking is possible.
3. Enable a Bot Defense profile for this VS and configure it to create a Device ID.
4. Configure the following in the learning and blocking settings:

[Attached screenshot: Daniel_Wolf_0-1693926288188.png]

This way hijacking the session by stealing both cookies will fail.

KR
Daniel

Also, APM can be added so that each device can be checked to see if it is corporate: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/15.h...

Setting up ASM session tracking with APM

You can use session tracking to track, enforce, and report on user sessions and IP addresses. To perform tracking, you enable session awareness and indicate how to associate the application user name with the session.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Session Tracking.
    The Session Tracking screen opens.
  2. In the Session Tracking Configuration area, select the Session Awareness check box.
  3. From the Application Username list, select Use APM Usernames and Session ID.
  4.