9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Decodes any unencrypted F5 BIG-IP cookies in the HTTP response. BIG-IP cookies contain information on backend systems such as internal IP addresses and port numbers. See here for more info: <https://support.f5.com/csp/article/K6917>
The URL path to request. The default path is “/”.
See the documentation for the slaxml library.
See the documentation for the http library.
See the documentation for the smbauth library.
nmap -p <port> --script http-bigip-cookie <target>
PORT STATE SERVICE
80/tcp open http
| http-bigip-cookie:
| BIGipServer<pool_name>:
| address:
| host: 10.1.1.100
| type: ipv4
|_ port: 8080
description = [[
Decodes any unencrypted F5 BIG-IP cookies in the HTTP response.
BIG-IP cookies contain information on backend systems such as
internal IP addresses and port numbers.
See here for more info: https://support.f5.com/csp/article/K6917
]]
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
---
-- @usage
-- nmap -p <port> --script http-bigip-cookie <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | http-bigip-cookie:
-- | BIGipServer<pool_name>:
-- | address:
-- | host: 10.1.1.100
-- | type: ipv4
-- |_ port: 8080
--
-- @xmloutput
-- <table key="BIGipServer<pool_name>">
-- <table key="address">
-- <elem key="host">10.1.1.100</elem>
-- <elem key="type">ipv4</elem>
-- </table>
-- <elem key="port">8080</elem>
-- </table>
--
-- @args http-bigip-cookie.path The URL path to request. The default path is "/".
author = "Seth Jackson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "discovery", "safe" }
portrule = shortport.http
action = function(host, port)
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
local response = http.get(host, port, path, { redirect_ok = false })
if not response then
return
end
if not response.cookies then
return
end
local output = stdnse.output_table()
for _, cookie in ipairs(response.cookies) do
if cookie.name:find("BIGipServer") then
local host, port = cookie.value:match("^(%d+)%.(%d+)%.")
if host and tonumber(host) < 0x100000000 and tonumber(port) < 0x10000 then
host = table.concat({("BBBB"):unpack(("<I4"):pack(host))}, ".", 1, 4)
port = (">I2"):unpack(("<I2"):pack(port))
local result = {
address = {
host = host,
type = "ipv4"
},
port = port
}
output[cookie.name] = result
end
end
end
if #output > 0 then
return output
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%