This past February, my colleague James Jardine wrote an excellent blog post called “Decoding F5 Cookie” in which he described in detail how F5 load balancers use a persistence cookie (the BigIP cookie) and how to use a standalone script to decode its value, exposing the IP address and port of a back-end resource.
For me it’s a personal point of interest when I find something that identifies underlying infrastructure. The “OWASP Cookies Database Project” is one resource dedicated to fingerprinting technologies based on exposed cookies (the BigIP cookie is listed there too). I’ve had the BigIP cookie show up, and after using the code from James’ blog post in a standalone script, the next logical thought was “wow, this would be a cool extension to write for Burp.”
At first glance creating a Burp extension can look a bit daunting. I chose to write this extension in Jython, and after some experimentation, a few cups of coffee and collaboration with James, I’m going to share with you the code for a BigIP Cookie custom passive scanner and an overview of how it works.
We’ll begin with the install setup. First you need a Jython interpreter defined in Burp. I did this by going to the jython.org site and downloading the Jython 2.7beta1 “Traditional Installer”; following their instructions I built the jython.jar file that I’d use in Burp.
After you launch Burp, go to the Extender tab and the Options sub-tab to specify the path for the Python Environment (your jython.jar file).
Next go to the Extender tab, Extensions sub-tab, and click the Add button. This brings up a new window where you select Python as the Extension type and then enter the path to the extension code.
Click the Next button in the lower right corner and Burp will try to load the extension. If all goes well you won’t see any errors.
At this point the extension is loaded. Click the Close button and you’re ready to go. From here, use your browser of choice configured to use Burp Proxy and find a site that uses the BigIP Cookie. When Burp does a passive scan, it will report the cookie in the Scanner Advisory.
As you can see above, if the IP it decodes is an RFC 1918 address, the finding is reported as medium risk. If it’s any other IP, the finding is reported as low.
Now that we have it installed and working, let’s talk about the code. The file, with comments and blank lines, is 152 lines long. It begins with the obligatory list of imports the extension will need.
Next we define a function based on James’ blog post called “decode(cookie_value)”. This function takes the F5 BigIP cookie value, decodes it and returns a dictionary containing the decoded IP address, the port, and a severity that is based on whether the address is an RFC 1918 private address.
With the decoding logic in place, the next section defines the BurpExtender class and its helper functions. Note there’s one little bonus in here for those of us who get annoyed by having to manually turn off Burp’s proxy intercept: when the extension loads, the line “callbacks.setProxyInterceptionEnabled(False)” turns intercept off.
Following this, we define the behavior of our custom passive scan and create our scan issue when a BigIP Cookie is found.
The last part of the code defines our PassiveScanIssue class. This is where the Scan Advisory information comes from. It’s pretty much a template into which we pass the specific values that came from decoding the cookie value.
The overall design can easily be modified for scanning other cookie values, and I hope you’re already thinking of other useful variations.
The F5 BigIP cookie encoding is described in the 2007 F5 Knowledge Base article http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html. It’s not hard to find examples in the wild; in the course of half an hour I was able to identify it on the websites of a major hosting provider, a major cable TV company and a university on the east coast.
You can download a copy of the Burp-F5Cookie-Extension.py file by clicking here
Thom Dosedel is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.