# Reference: Cookie Enforcement

## Cookie Violations

The WAF security policy verifies cookie compliance and cookie boundaries for all incoming requests. You can configure the policy to block, alarm (log), and learn for requests containing cookie violations.
For more information about configuring cookie protection, see Manage Cookies.
See Reference: Violation Protection for information about template default settings.
### Cookie not RFC-compliant

This violation occurs when HTTP cookies contain invalid components or do not meet the formal standard for an HTTP request. Cookies detected with this violation contain at least one of the following:

- Quotation marks (" ") in the cookie name.
- A space in the cookie name.
- An equal sign (=) before or in the cookie name.
  Note: A space between the cookie name and the equal sign (=) is allowed.
- A carriage return (hexadecimal value 0x0d) in the cookie name.
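The four conditions above, as an added example that is not the WAF's own parser: a small checker that splits a `Cookie` header into pairs and reports which condition each offending cookie name violates. The function names and the violation strings are assumptions made for illustration.

```python
"""Added example (not the WAF's own code): flag cookie names that fail the
four 'Cookie not RFC-compliant' conditions listed on this page."""
from typing import List, Tuple

# Violation labels are assumed names chosen for this example.
QUOTE_IN_NAME = "quotation mark in cookie name"
SPACE_IN_NAME = "space in cookie name"
EQUALS_BEFORE_NAME = "equal sign before cookie name"
CR_IN_NAME = "carriage return in cookie name"


def split_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header on ';' and each pair on its first '='.

    Only spaces are stripped around a pair, so a carriage return inside a
    name survives and can be detected. A pair without '=' keeps an empty value.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip(" ")
        if not part:
            continue
        name, _sep, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def cookie_name_violations(raw_name: str) -> List[str]:
    """Return the conditions violated by one cookie name (empty list if clean).

    A space between the name and '=' is allowed, so trailing spaces are
    removed before the space check; a space inside the name still counts.
    """
    name = raw_name.rstrip(" ")
    reasons = []
    if name == "":
        # e.g. '=foo=bar': the first '=' comes before any name
        reasons.append(EQUALS_BEFORE_NAME)
    if '"' in name:
        reasons.append(QUOTE_IN_NAME)
    if " " in name:
        reasons.append(SPACE_IN_NAME)
    if "\r" in name:
        reasons.append(CR_IN_NAME)
    return reasons


def check_cookie_header(header: str) -> List[Tuple[str, List[str]]]:
    """Return (raw_name, reasons) for every cookie in the header that violates a rule."""
    findings = []
    for raw_name, _value in split_cookie_header(header):
        reasons = cookie_name_violations(raw_name)
        if reasons:
            findings.append((raw_name, reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the first is clean, the second hits every rule.
    print(check_cookie_header("sess=abc; theme =dark"))
    print(check_cookie_header('na me=1; "q"=2; =x; bad\rname=3'))
```

The checker is deliberately limited to the name conditions this page lists; it does not validate cookie values, which fall under other RFC 6265 rules.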
#### Violation Details
Type: RFC Violation
Attack Type: HTTP parser attack
Severity: Informational
Risk: Cookies can be used to track client data and application logic. Improperly formatted cookies can cause a web site to crash.
### Modified WAF cookie
A WAF policy that processes traffic may insert a WAF cookie into HTTP responses to client requests. This is done to validate domain (and qualifying subdomain) cookies that are sent from the web server. The WAF cookie is also used to detect session expiration.
If a request contains a modified WAF cookie, it is considered a traffic violation.
#### Violation Details
Type: Cookie Violation
Attack Type: Session hijacking
Severity: Critical
Risk: The illegal cookie prevents access to other user credentials. This violation does not have false positives. If detected, the request is considered an attack.
### Modified domain cookie(s)
The WAF policy verifies that request cookies have not been modified, and that the request includes a WAF cookie during a session.
#### Violation Details
Type: Cookie Violation
Attack Type: Session hijacking
Severity: Error
Risk: The illegal cookie prevents access to other user credentials. This violation does not have false positives.
## Cookie Properties

### Expired timestamp

The WAF policy verifies that the timestamp in the HTTP cookies has not expired. An expired timestamp indicates that the client session has exceeded its normal lifetime, and requests that carry one are blocked.
The session expiration is validated against the current time.
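The three checks described under Modified WAF cookie, Modified domain cookie(s) and Expired timestamp, as one added example that is not the WAF's own cookie format: the WAF cookie carries its issue time and a digest of the application's domain cookies, and is protected by an HMAC. A change to the WAF cookie breaks the HMAC, a change to a domain cookie breaks the digest, and an old issue time fails the lifetime check. The cookie layout, secret, lifetime and function names are assumptions made for illustration.

```python
"""Added example (not the WAF's own implementation): a signed WAF cookie that
detects a modified WAF cookie, modified domain cookies and an expired timestamp.
The layout, secret and session lifetime are assumptions made for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Dict

# Assumed policy-side secret; a real WAF keeps this out of the request path.
POLICY_SECRET = b"constructed-example-secret"
# Assumed session lifetime in seconds for the expired-timestamp check.
SESSION_LIFETIME = 600


def _domain_digest(domain_cookies: Dict[str, str]) -> str:
    """Hash the application's (domain) cookies in a canonical order."""
    canonical = json.dumps(sorted(domain_cookies.items())).encode()
    return hashlib.sha256(canonical).hexdigest()


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the encoded claims, keyed with the policy secret."""
    return hmac.new(POLICY_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_waf_cookie(domain_cookies: Dict[str, str], now: int) -> str:
    """Build the WAF cookie value the policy inserts into a response.

    Assumed layout: base64url(JSON{ts, dd}) "." HMAC, where ts is the issue
    time and dd is the digest of the domain cookies seen at issue time.
    """
    claims = json.dumps({"ts": now, "dd": _domain_digest(domain_cookies)}, sort_keys=True)
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    return f"{body}.{_mac(body)}"


def verify_waf_cookie(waf_cookie: str, domain_cookies: Dict[str, str], now: int) -> str:
    """Classify a request's WAF cookie: 'ok' or the name of the violation.

    The HMAC is checked first, so any edit to the WAF cookie itself (the
    timestamp included) is reported as a modified WAF cookie before the
    claims inside it are trusted for the other two checks.
    """
    body, sep, mac = waf_cookie.rpartition(".")
    # Compare as bytes so untrusted, possibly non-ASCII input cannot raise.
    if not sep or not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return "modified_waf_cookie"
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if now - int(claims["ts"]) > SESSION_LIFETIME:
        return "expired_timestamp"
    if not hmac.compare_digest(str(claims["dd"]).encode(), _domain_digest(domain_cookies).encode()):
        return "modified_domain_cookie"
    return "ok"


if __name__ == "__main__":
    # Constructed session: one domain cookie, issued at t=1000.
    cookie = issue_waf_cookie({"PHPSESSID": "abc123"}, 1000)
    print(verify_waf_cookie(cookie, {"PHPSESSID": "abc123"}, 1100))
    print(verify_waf_cookie(cookie, {"PHPSESSID": "attacker"}, 1100))
    print(verify_waf_cookie(cookie, {"PHPSESSID": "abc123"}, 1700))
```

Because the domain-cookie digest is bound into the signed WAF cookie, the policy can notice a rewritten application cookie without storing per-session state on the WAF; the trade-off is that every cookie change made legitimately by the application must be followed by a re-issued WAF cookie in the response.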
#### Violation Details
Type: Expired timestamp violation
Attack Type: Session hijacking
Severity: Warning
Risk: The illegal cookie prevents access to other user credentials or other site resources whose use is limited by time. This violation protection provides session hijacking mitigation.
### Illegal cookie length
The WAF policy verifies that the request does not include a cookie header that exceeds the policy’s specified length.
#### Violation Details
Type: Length violation
Attack Type: Buffer overflow
Severity: Warning
Risk: Illegal cookie header length can indicate forms of buffer overflow and denial of service attacks.
## Cookie settings template defaults
Cookie Setting | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|
Cookie not RFC-compliant | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Modified WAF cookie | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Modified domain cookie(s) | Alarm | Disabled | Disabled | Disabled |
Expired timestamp | Disabled | Disabled | Disabled | Disabled |
Illegal cookie length | Alarm | Disabled | Disabled | Disabled |
## Wildcard syntax
If you are adding cookies to your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of cookies, file types, URLs, or parameters so that the entity name can match multiple objects.
Wildcard Character | Matches |
---|---|
* | All characters |
? | Any single character |
[abcde] | Exactly one of the characters listed |
[!abcde] | Any character not listed |
[a-e] | Exactly one character in the range |
[!a-e] | Any character not in the range |
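The wildcard table above, as an added example that is not the WAF's own matcher: the standard library's `fnmatch` implements exactly these shell-style characters, so a policy lookup can use it directly. `fnmatchcase` is used rather than `fnmatch` so matching is case-sensitive on every platform; that the policy matches cookie names case-sensitively is an assumption for this example, not something the page states, and the function names are illustrative.

```python
"""Added example (not the WAF's own code): match policy entity names that use
the shell-style wildcards from the table above against object names."""
from fnmatch import fnmatchcase
from typing import Iterable, List

# Characters that make an entity name a wildcard rather than a literal name.
WILDCARD_CHARS = set("*?[")


def is_wildcard_entity(entity: str) -> bool:
    """True if the entity name contains wildcard syntax."""
    return any(c in WILDCARD_CHARS for c in entity)


def entity_matches(entity: str, name: str) -> bool:
    """Does a policy entity (cookie, file type, URL or parameter name,
    possibly with wildcards) cover the given object name?

    fnmatchcase is case-sensitive everywhere; plain fnmatch folds case on
    Windows, which would silently widen a policy entity there.
    """
    return fnmatchcase(name, entity)


def matching_entities(entities: Iterable[str], name: str) -> List[str]:
    """All configured entities whose name matches the object name, in policy order."""
    return [e for e in entities if entity_matches(e, name)]


if __name__ == "__main__":
    # Constructed policy: one literal cookie name and two wildcard entities.
    policy_cookies = ["PHPSESSID", "sess*", "id[!a-e]"]
    for cookie_name in ["PHPSESSID", "sess_token", "idf", "idc", "phpsessid"]:
        print(cookie_name, "->", matching_entities(policy_cookies, cookie_name))
```

One row of the table is worth checking against your own expectations: `[!abcde]` and `[!a-e]` still require exactly one character in that position, so `id[!a-e]` matches `idf` but not `id`.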