F5 AWAF provides robust cookie tampering protection, ensuring that hackers cannot alter the contents of cookies. This prevents session hijacking and the exposure of sensitive information.

In this section, we will demonstrate how F5 AWAF effectively prevents cookie tampering in web applications, enhancing overall security.

Table of Contents

Protect web applications against Cookie Tampering with F5 AWAF

Before we dive into demonstrating cookie tampering and how to prevent it using F5 AWAF, let’s first review the meaning and usage of cookies in web applications.

What are cookies and cookie attributes?

A cookie in web applications is a small piece of data that a server sends to a user’s web browser. The browser may store the cookie and send it back to the server with subsequent requests. Cookies are used to manage state and track information about the user’s interactions with a web application.

cookies and cookie attributes
cookies and cookie attributes

A server can add several attributes to a cookie, such as ‘Secure‘, ‘HttpOnly‘, and ‘SameSite‘, which provide specific instructions to the client side:

  • The ‘Secure‘ attribute ensures that the cookie is only transmitted over secure HTTPS connections, protecting it from interception.

  • The ‘HttpOnly‘ attribute makes the cookie inaccessible via JavaScript, preventing client-side scripts from accessing it and thereby reducing the risk of XSS (Cross-Site Scripting) attacks.

  • The ‘SameSite‘ attribute restricts the cookie to be sent only with requests originating from the same site, helping to prevent CSRF (Cross-Site Request Forgery) attacks.

Demonstration of cookie tampering

To start the demonstration, we first create a security policy using a comprehensive security template. We set the enforcement mode to transparent initially to ensure that no traffic is blocked at the beginning.

create a security policy based on comprehensive template and transparent mode
create a security policy based on comprehensive template and transparent mode

In the next step, we navigate to the ‘Learning and Blocking Settings‘ section, where most security policy components are configured.

In the ‘Cookie‘ section, we notice that the learning mode is set to ‘Selective‘. This setting ensures that when a false positive related to a cookie occurs, the system will add an explicit policy for the new cookie.

We also enable ‘learn‘, ‘alarm‘, and ‘block‘ for all cookie violations, especially for ‘Modified ASM cookie‘ and ‘modified domain cookie(s)‘ which we demonstrate in this section.

enable learn_alarm and block for cookie violations in learning and blocking setting
enable learn_alarm and block for cookie violations in learning and blocking setting

While web application servers typically utilize their own cookies, known as domain cookies, for managing sessions, storing user preferences, and other purposes, F5 AWAF introduces its own cookies to offer enhanced security and additional features. These cookies, referred to as ASM cookies, provide application-agnostic features that improve the security of the web applications.

Then we log in to the DVWA web application.

login to DVWA web application
login to DVWA web application

Now, we’ll enable the proxy so that all web traffic related to f5demo.com is routed through mitmproxy.

In the previous lessons, we have covered configuring the Windows proxy to ensure that traffic from specific web applications is forwarded through the web proxy.

We run mitmproxy and crawl a page in the DVWA web application to make sure that the traffic is routed through the mitmproxy.

enable proxy for web applications with specific domains
enable proxy for web applications with specific domains

With “i” we enable interception to manipulate traffic and with “~u” we limit interception to traffic destined for f5demo.com.

intercept f5demo web traffic in mitmproxy
intercept f5demo web traffic in mitmproxy

Now if we click on a link in the DVWA web application, it will not open because it is intercepted by mitmproxy.

click a link in DVWA web application
click a link in DVWA web application

The traffic intercepted by mitmproxy is shown in red.

By pressing “e” and selecting “cookies” we edit the content of the cookies in the HTTP request.

By pressing “Enter” you can make changes in each cookie. After editing, select “Esc” to save the cookie change.

After editing with “a” we continue the traffic.

edit cookie named cookie hijacking and then resume manipluated traffic
edit cookie named cookie hijacking and then resume manipluated traffic

If we now check the security event log, you will notice that a “modified cookie” violation with violation rating 3 has already been generated.

event log generated after cookie hijacking
event log generated after cookie hijacking

If you remember, at the beginning we created the security policy. We changed the enforcement mode to transparent, so the violation is not blocked.

If we change the enforcement mode to blocking and perform the same process of cookie tampering, you will be blocked from accessing the web application.

change security policy from transparent to blocking
change security policy from transparent to blocking
coockie hijacking traffic is blocked in blocking mode
coockie hijacking traffic is blocked in blocking mode
cookie hijacking event log
cookie hijacking event log

F5 AWAF cookies learning and their properties

F5 AWAF maintains a list of learned cookies within the security policy under the “HTTP Message Protection” and “Cookies” sections.

Initially, only a wildcard cookie is present, enforcing the same security policy for all cookies. However, this list of cookies can be learned manually or automatically, similar to other HTTP components previously discussed.

For each cookie, administrators have the flexibility to configure various properties, including the enforcement type and staging mode, as we’ve discussed extensively.

Additionally, F5 AWAF offers the option to automatically insert its own ‘HttpOnly‘, ‘Secure‘, and ‘SameSite‘ attributes. We have just given the definition and usage of each of these attributes.

F5 AWAF cookie learning anf cookie properties
F5 AWAF cookie learning anf cookie properties
Back to: F5 BIG-IP AWAF (formerly ASM) (in Progress) > F5 AWAF Security Policy

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment