Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Cookie Does Not Contain The "secure" Attribute on ltm vip

Girishb401
Nimbostratus
Nimbostratus

‎30-Mar-2021 10:09

Our security team reported that multiple vulnerabilities has been detected on one of VIP: 1.2.3.4 (on BIG-IP LTM v12.1.2 version.)

 

Please refer the list as below 

1.Cookie Does Not Contain The "secure" Attribute

2.Path-Based Vulnerability

3. Session Cookie Does Not Contain the "Secure" Attribute

4.Slow HTTP POST vulnerability

 

 

I also Referred this below article but "I don't find any kind of persistence profile enabled and also no custom http profile exist on this mentioned VIP ".

 

K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile

 

If cookies persistence not enabled on VIP, then is it something need to look at backend server (poolmember). please confirm me

 

Kindly help me to fix this issue

 

Great thanks,

Girish

Labels:
0 Kudos
2 REPLIES 2

SanjayP
MVP
MVP

‎02-Apr-2021 08:04

F5 will add it's own cookie in one of the following scenerios

  • cookie persistence
  • ASM
  • APM
  • custom iRule adding a cookie

 

If you have confirmed BIGIP is not adding any of the cookie then it must be set by the application. Ask security team for the cookie names which do not have secure/HTTPonly attributes set. If those are not added by BIGIP it can be fixed by the DEV/server team. Alternatively, BIGIP can also fix it by adding custom iRule to set these attributes in the HTTP RESPONSE event.

Not applicable

‎26-Apr-2021 17:22

Closing as duplicate with https://devcentral.f5.com/s/feed/0D51T00008GZjNySAL

0 Kudos
Copyright © 2023 Khoros, LLC