Forum Discussion

Girishb401's avatar
Girishb401
Icon for Nimbostratus rankNimbostratus
Mar 30, 2021

Cookie Does Not Contain The "secure" Attribute on ltm vip

Our security team reported that multiple vulnerabilities has been detected on one of VIP: 1.2.3.4 (on BIG-IP LTM v12.1.2 version.)

 

Please refer the list as below 

1.Cookie Does Not Contain The "secure" Attribute

2.Path-Based Vulnerability

3. Session Cookie Does Not Contain the "Secure" Attribute

4.Slow HTTP POST vulnerability

 

 

I also Referred this below article but "I don't find any kind of persistence profile enabled and also no custom http profile exist on this mentioned VIP ".

 

K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile

 

If cookies persistence not enabled on VIP, then is it something need to look at backend server (poolmember). please confirm me

 

Kindly help me to fix this issue

 

Great thanks,

Girish

application delivery
ASM Advanced WAF
F5 Distributed Cloud WAAP
irule
LTM
security
TMSH

2 Replies

Sort By
  • SanjayP's avatar
    SanjayP
    Icon for Nacreous rankNacreous
    Apr 02, 2021

    F5 will add it's own cookie in one of the following scenerios

    • cookie persistence
    • ASM
    • APM
    • custom iRule adding a cookie

     

    If you have confirmed BIGIP is not adding any of the cookie then it must be set by the application. Ask security team for the cookie names which do not have secure/HTTPonly attributes set. If those are not added by BIGIP it can be fixed by the DEV/server team. Alternatively, BIGIP can also fix it by adding custom iRule to set these attributes in the HTTP RESPONSE event.