Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Cookies in F5 ASM/AWAF Security

F5 ASM/AWAF employs cookies as part of its security features to prevent cookie tampering, enforce user sessions, protect login pages, and detect and mitigate threats such as web scraping and bot attacks. These cookies play a critical role in maintaining the integrity of web application security by distinguishing between human and non-human clients (e.g., bots). The system categorizes cookies into allowed cookies and enforced cookies to regulate their behavior within the application.

Cookie Categories:

  1. Allowed Cookies:

    • These cookies can be modified or changed on the client side (user's browser).

    • These are typically used for non-critical application functionality or for storing user preferences that don’t affect the overall security of the application.

    • Configuration path: Application Security > Headers > Cookies List > Allowed Cookies

  2. Enforced Cookies:

    • These cookies must be unique and cannot be modified on the client side. They are essential for security and functionality, such as user sessions, tracking, and bot detection.

    • Configuration path: Application Security > Headers > Cookies List > Enforced Cookies

Types of Cookies Set by BIG-IP ASM/AWAF:

  1. Main Cookie:

    • Name: TSxxxxxxxx

    • This is the core cookie used by the system for general session management and security enforcement. It is important for tracking user sessions.

  2. Feature Cookies:

    • Name: TSxxxxxxxxd

    • The "d" in the suffix represents a specific feature type. These cookies are used for enabling various security features and tracking associated with certain application behaviors.

  3. Frame Cookies:

    • Name: TSxxxxxxxxd

    • Similar to feature cookies but used to track specific frame numbers or elements in multi-frame applications.

  4. Proactive Cookies:

    • Names: TSPD_101, TSPD

    • These cookies are used to implement proactive security measures like session tracking and cross-domain flows:

      • TSPD_101: Related to client-side challenges like session tracking.

      • TSPD: Used for managing cross-domain flows.

Cookie Flags (Attributes):

The attributes or flags associated with cookies enhance their security and behavior. These include:

  1. HttpOnly:

    • Purpose: Prevents JavaScript from accessing the cookie through client-side scripts, thus defending against Cross-Site Scripting (XSS) attacks.

    • How it works: If the HttpOnly flag is set, the cookie is not accessible via JavaScript, making it more secure.

  2. Secure:

    • Purpose: Ensures that cookies are transmitted only over HTTPS (secure connections), preventing them from being sent over unencrypted channels where they could be intercepted.

    • How it works: This flag ensures that the cookie can only be sent over a secure, encrypted connection, preventing exposure in clear text on insecure channels.

  3. SameSite (Since November 2017):

    • Purpose: Controls whether cookies are sent along with cross-site requests, which helps defend against Cross-Site Request Forgery (CSRF) attacks.

    • How it works: The SameSite flag can be set to:

      • Strict: The cookie is only sent in first-party contexts (i.e., same-site).

      • Lax: The cookie is sent with top-level navigations and may be sent with some cross-site requests (e.g., when following a link).

      • None: The cookie is sent with all requests, including cross-site requests, but must be Secure (HTTPS).

Use Cases for Cookie Security:

  • Session Management: Cookies like the TSxxxxxxxx are critical for maintaining secure sessions and preventing unauthorized access to user accounts.

  • Bot Defense: Cookies like TSPD_101 are used for proactive bot defense, allowing the system to distinguish between human users and automated bots by assigning and tracking unique session-related cookies.

  • Preventing Cookie Tampering: The Enforced Cookies setting ensures that critical cookies (such as those used for user sessions and security tokens) cannot be modified by the client side, reducing the risk of cookie tampering.

  • Cross-Site Request Forgery (CSRF) Protection: The SameSite attribute prevents cookies from being sent in cross-site requests, which helps to mitigate CSRF attacks.

  • Privacy and Security: By using the HttpOnly and Secure flags, F5 ASM/AWAF helps ensure that sensitive cookies are not exposed to client-side scripts or transmitted over insecure channels.

Best Practices for Cookie Management:

  1. Use HttpOnly and Secure flags for all sensitive cookies to mitigate XSS and cookie interception risks.

  2. Set the SameSite attribute to "Strict" or "Lax" to defend against CSRF attacks, especially for cookies used for authentication or session tracking.

  3. Enforce cookie integrity by marking cookies that are essential to security (like session or bot detection cookies) as Enforced Cookies to prevent unauthorized modification.

  4. Review Allowed Cookies carefully and limit the modification of cookies that influence critical application behavior to prevent abuse or compromise.

By managing cookies effectively, F5 ASM/AWAF can secure sessions, mitigate bot attacks, and defend against other web application security threats.

PreviousAnti-virus Protection through an ICAP Server in F5 ASM/AWAFNextSession Tracking and Session Awareness in F5 ASM/AWAF

Last updated 3 months ago