Tuesday, December 6, 2011

Cookie decoder: F5 BIG-IP

I still remember with excitement the first time I found my first F5 BIG-IP load balancer persistent cookie, disclosing the network details of the internal hosts: IP address and TCP port. Although it was a few years ago during a pen-test, still today is very common to find them on lots of target environments. The BIG-IP cookie value (used by the F5 devices to balance the client web traffic load) is encoded using a public algorithm (since May 2007) designed by F5 ("SOL6917: Overview of BIG-IP persistence cookie encoding").

As it is clearly described in the "OWASP Session Management Cheat Sheet" I published this Summer (section "2.4. Session ID Content (or Value)"), it is not a very good practice to include any meaningful or sensitive data inside the session ID, or cookie in this case. At some point, someone will figure out how to decode it :-)... so, instead of encoding the data, it is better to use other kind of session ID values. F5 provides a solution to this issue based on encrypting these persistent cookies: "SOL7784: Overview of cookie encryption".

It is possible to decode the cookies manually reversing the F5 algorithm used to encode the data, but when you are dealing with multiple load balancers and/or internal servers, it is better to use a tool to help in decoding all the cookie values gathered. Although this is an old and well known issue, based on the Python script published by dusty on March 29, 2011, we decided to release a extended version of the script, called "BIG-IP_cookie_decoder.py" and available here (in ZIP format), that decodes both, the internal host IP address and TCP port. Usage example (as root - in fact not required ;-):

Enjoy it!