Thursday, 13 November 2014

Decoding BIG-IP persistence cookie


Hey Guys, 

Many times we come across 'BIG-IP persistence cookie' during our testings and it looks something like this:


Ever wondered what it is? If Yes, this is for you !

So, what is this cookie?
In simple words, this cookie is generated when a remote host uses an BIG-IP load balancer

What does this cookie contain?

When the load-balancer is used, it encodes the IP address of the actual WEB-SERVER (which is being used) and stores it as the cookie value.

Now how to decode it?

Simple! you can use 'Whitehat Big IP Cookie Decoder'  to Decode the cookie value.

Behind the Scenes:

For example, if this is the cookie value: 1847044288.47873.0000 

It is generally in this format IP . PORT . 0000

Consider the 1st bit i.e. 1847044288 (decimal value)

1. Convert this DECIMAL value to HEX value using http://www.mathsisfun.com/binary-decimal-hexadecimal-converter.html




We have 0x6E17A8C0.

2. Now, split the value into four bytes and reverse the order.

Split:         0x6E 0x17 0xA8 0xC0

    Reverse:    0xC0 0xA8  0x17 0x6E 

3. Now convert each HEX value to its equivalent DECIMAL value,


​​



After conversion we have ​192.168.23.110.

Same goes for the Port value also, 47873 converts to 443.

In the end we have 1847044288.47873.0000 =  ​192.168.23.110 . 443 . 0000 

Hope this helps, Thanks !