Cookies are the main mechanism through which a web application recognises a returning client: the whole session rides on them. Many web attacks therefore aim at stealing a cookie, or at inspecting its structure to work out how values are generated so that a valid one can be forged. NetScaler added a feature in release 9.3 that lets it encrypt and decrypt application data passing through it; the main use cases are protecting application cookies and securing hidden or read-only form fields. NetScaler encrypts the value in the outgoing response and decrypts it again on the way back, so the client only ever sees ciphertext and cannot read or reverse engineer the cookie, while the application itself needs no change: when the client sends the cookie back, NetScaler decrypts it before forwarding the request to the server. Note that this makes the cookie opaque to the client; it does not on its own stop an attacker who has stolen the encrypted cookie from replaying it, so the cookie still needs TLS and the Secure and HttpOnly attributes.

Let's walk through the process and how it is configured on NetScaler with an example:

  • Setting the encryption method

We can use the following methods for encryption:

  • RC4
  • DES3
  • AES128
  • AES192
  • AES256

Now we set the encryption method with the command below. This example uses RC4; because the setting is system wide, the same method is used for decryption. RC4 and DES3 are deprecated ciphers, so on a current deployment choose one of the AES methods (AES256 unless you have a reason not to).

>set encryptionParams -method RC4

  • Adding a rewrite action "action_ENCRYPT"

>add rewrite action action_ENCRYPT replace "HTTP.RES.SET_COOKIE.COOKIE(\"cke1\").VALUE(0)" "HTTP.RES.SET_COOKIE.COOKIE(\"cke1\").VALUE(0).ENCRYPT" -bypassSafetyCheck YES

This rewrite action replaces the value of the cke1 cookie in the Set-Cookie header with its encrypted form before the response carrying the application cookie is sent to the client.

  • Adding a rewrite policy "policy_ENCRYPT"

>add rewrite policy policy_ENCRYPT "HTTP.RES.SET_COOKIE.COOKIE(\"cke1\").LENGTH.GT(0)" action_ENCRYPT

-This rewrite policy looks at the cke1 cookie in the Set-Cookie header of the response; if the cookie value has a length greater than zero the policy evaluates to TRUE and invokes the associated action, action_ENCRYPT in this case.

  • Traffic flow

As the diagram shows, the application generates the cke1 cookie and returns it to NetScaler in its response. NetScaler encrypts cke1 and sends the response on to the client with the encrypted value, so the client stores, and later sends back, only ciphertext.

With this process, we ensure that the application cookie is encrypted and secured.

Now let's see what happens when a request carrying the encrypted cookie reaches NetScaler. First we add the action and policy that decrypt it.

  • Adding a rewrite action "action_DECRYPT"

>add rewrite action action_DECRYPT replace "HTTP.REQ.COOKIE.VALUE(\"cke1\")" "HTTP.REQ.COOKIE.VALUE(\"cke1\").DECRYPT" -bypassSafetyCheck YES

-This rewrite action replaces the encrypted cke1 cookie value in the request with the decrypted cookie value.

  • Adding a rewrite policy "policy_DECRYPT"

>add rewrite policy policy_DECRYPT "HTTP.REQ.COOKIE.VALUE(\"cke1\").LENGTH.GT(0)" action_DECRYPT

-This rewrite policy checks whether the request carries a cke1 cookie whose value has a length greater than zero; when it does, the policy evaluates to TRUE and invokes action_DECRYPT.

  • Traffic flow

As the diagram above shows, when a request with the encrypted cke1 cookie reaches NetScaler, policy_DECRYPT is evaluated. It checks that the request has a cke1 cookie with length greater than zero; when true, it invokes action_DECRYPT, which replaces the value with the decrypted cookie and forwards the request to the server. This article does not describe what happens when a client presents a cke1 value that NetScaler never encrypted, or one that has been altered in transit; test that case during rollout rather than assuming such a request is rejected.
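The complete configuration for both directions, as an added example that is not part of the original article. It reuses the actions and policies shown above but selects AES256 instead of RC4, and adds the policy bindings, which the article does not show; without a binding a rewrite policy never runs. The virtual server name lb_vs_app, the priorities and the bind command syntax are assumptions to be checked against the CLI reference for your release, and lines beginning with # are annotation, not NetScaler CLI.

```text
# 1. Choose the cipher once; it is system wide and is used for both
#    ENCRYPT and DECRYPT. AES256 rather than the RC4 shown above.
> set encryptionParams -method AES256

# 2. Response side: encrypt cke1 in Set-Cookie before it leaves NetScaler.
> add rewrite action action_ENCRYPT replace "HTTP.RES.SET_COOKIE.COOKIE(\"cke1\").VALUE(0)" "HTTP.RES.SET_COOKIE.COOKIE(\"cke1\").VALUE(0).ENCRYPT" -bypassSafetyCheck YES
> add rewrite policy policy_ENCRYPT "HTTP.RES.SET_COOKIE.COOKIE(\"cke1\").LENGTH.GT(0)" action_ENCRYPT

# 3. Request side: decrypt cke1 before the request is forwarded to the server.
> add rewrite action action_DECRYPT replace "HTTP.REQ.COOKIE.VALUE(\"cke1\")" "HTTP.REQ.COOKIE.VALUE(\"cke1\").DECRYPT" -bypassSafetyCheck YES
> add rewrite policy policy_DECRYPT "HTTP.REQ.COOKIE.VALUE(\"cke1\").LENGTH.GT(0)" action_DECRYPT

# 4. Bind each policy to the virtual server fronting the application
#    (assumed name lb_vs_app): the encrypt policy on the RESPONSE path,
#    the decrypt policy on the REQUEST path. Assumed bind syntax.
> bind lb vserver lb_vs_app -policyName policy_ENCRYPT -priority 100 -gotoPriorityExpression END -type RESPONSE
> bind lb vserver lb_vs_app -policyName policy_DECRYPT -priority 100 -gotoPriorityExpression END -type REQUEST
```

To verify the result, fetch a page through the virtual server with curl -i and confirm that the cke1 value in the Set-Cookie header is no longer the plaintext the application emits when reached directly; then send that same cookie back through the virtual server and confirm the application still recognises the session, which shows the decrypt path is working. Keep in mind that both sides of a high-availability pair must carry the same encryption settings, or a cookie issued by one node will not decrypt on the other.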

This is how you can secure your application cookies throughout the flow of application requests and responses through NetScaler.