F5 BIG-IP Cookie Remote Information Disclosure
Example Cookie Format
Set-Cookie: BIGipServerEXAMPLE.COM-POOL=44332211.20480.0000; path=/; Httponly; Secure
At first glance no internal IP address is visible, but the cookie value uses a trivial encoding from which the backend address and port can be recovered.
Disclosing internal IP addresses gives attackers knowledge of the internal network and lets them fine-tune future attacks. Such information is also useful as a pretext in social engineering attacks.
Exploiting F5 BIG-IP Cookie Disclosure
Metasploit has a module which can be used to quickly obtain the internal IP:
msf6 > use auxiliary/gather/f5_bigip_cookie_disclosure
msf6 auxiliary(gather/f5_bigip_cookie_disclosure) > set RHOST example.com
msf6 auxiliary(gather/f5_bigip_cookie_disclosure) > run
This should show the following output:
[*] Running module against example.com
[*] Starting request /
[+] F5 BIG-IP load balancing cookie "BIGipServerEXAMPLE.COM-POOL = 44332211.20480.0000" found
[+] Load balancing pool name "EXAMPLE.COM-POOL" found
[+] Backend 10.0.0.12:80 found
[*] Auxiliary module execution completed
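The decoding the module performs, and the check a defender can run against their own responses to confirm that persistence cookies are no longer sent in plaintext, as an added example (not code from the original page or from the Metasploit module). The Set-Cookie headers are constructed, and the assumption that an encrypted value does not match the numeric dotted layout is what distinguishes the two cases.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Plaintext persistence cookie: BIGipServer<pool>=<ip as decimal>.<port as decimal>.0000
PLAINTEXT_RE = re.compile(
    r"BIGipServer(?P<pool>[^=;\s]+)=(?P<ip>\d{1,10})\.(?P<port>\d{1,5})\.0000"
)

# Constructed sample headers: one plaintext, one that does not follow the plaintext layout
SAMPLE_PLAINTEXT = (
    "Set-Cookie: BIGipServerEXAMPLE.COM-POOL=201326602.20480.0000; path=/; HttpOnly; Secure"
)
SAMPLE_ENCRYPTED = (
    "Set-Cookie: BIGipServerEXAMPLE.COM-POOL=!dGhpcyBpcyBub3QgcGxhaW50ZXh0; path=/; HttpOnly; Secure"
)


class Backend(NamedTuple):
    pool: str
    ip: str
    port: int


def decode_ipv4(value: int) -> str:
    # The decimal value holds the four octets in little-endian order:
    # 201326602 == 0x0C00000A -> bytes 0A 00 00 0C -> 10.0.0.12
    return str(ipaddress.IPv4Address(value.to_bytes(4, "little")))


def decode_port(value: int) -> int:
    # The port is byte-swapped the same way: 20480 == 0x5000 -> 0x0050 == 80
    return int.from_bytes(value.to_bytes(2, "little"), "big")


def parse_bigip_cookie(set_cookie: str) -> Optional[Backend]:
    """Return the backend a plaintext cookie reveals, or None if the value does not match."""
    m = PLAINTEXT_RE.search(set_cookie)
    if not m:
        return None
    ip_val, port_val = int(m.group("ip")), int(m.group("port"))
    if ip_val > 0xFFFFFFFF or port_val > 0xFFFF:
        return None  # out of range for an IPv4 address or TCP port, so not this format
    return Backend(m.group("pool"), decode_ipv4(ip_val), decode_port(port_val))


def leaks_internal_address(set_cookie: str) -> bool:
    """True when the header discloses an RFC 1918 (or otherwise private) backend address."""
    backend = parse_bigip_cookie(set_cookie)
    return backend is not None and ipaddress.IPv4Address(backend.ip).is_private
```

Run the check over the Set-Cookie headers of a few responses before and after enabling cookie encryption; a remediated device produces no decodable values.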
Remediating F5 BIG-IP Cookie Remote Information Disclosure
F5 BIG-IP load balancers require these cookies to perform load balancing, so the cookies cannot simply be removed. As a workaround, F5 BIG-IP products allow the cookie values to be encrypted with a secret key. Encryption is enabled from the management console.
The following F5 guidance describes how to implement encrypted cookies: https://support.f5.com/csp/article/K6917