F5 BigIP Decode with Fiddler

Posted by on September 18, 2015

There are many tools out there that allow you to decode the F5 BigIP cookie used on some sites. I haven’t seen anything that just plugs into Fiddler if you use that for debugging purposes. One of the reasons you may want to decode the F5 cookie is just that, debugging. If you need to know what server, behind the load balancer, your request is going to to troubleshoot a bug, this is the cookie you need. I won’t go into a long discussion of the F5 Cookie, but you can read more about it I have a description here.

Most of the examples I have seen are using python to do the conversion. I looked for a javascript example, as that is what Fiddler supports in its Custom Rules but couldn’t really find anything. I got to messing around with it and put together a very rough set of functions to be able to decode the cookie value back to its IP address and Port. It sticks the result into a custom column in the Fiddler interface (scroll all the way to the right, the last column). If it identifies the cookie it will attempt to decode it and populate the column. This can be done for both response and request cookies.

To decode response cookies, you need to update the custom Fiddler rules by adding code to the static function OnBeforeResponse(oSession: Session) method. The following code can be inserted at the end of the function:

	var re = /\d+\.\d+\.0{4}/;    // Simple regex to identify the BigIP pattern.
        
        if (oSession.oResponse.headers)
        {
            for (var x:int = 0; x < oSession.oResponse.headers.Count(); x++)
            {
                if(oSession.oResponse.headers[x].Name.Contains("Set-Cookie")){
                    var cookie : Fiddler.HTTPHeaderItem = oSession.oResponse.headers[x];
                    var myArray = re.exec(cookie.Value);
                    if (myArray != null && myArray.length > 0)
                    {
                    
                        for (var i = 0; i < myArray.length; i++)
                        {
                            var index = myArray[i].indexOf(".");
                        
                            var val = myArray[i].substring(0,index);
                        
                            var hIP = parseInt(val).toString(16);
                            if (hIP.length < 8)
                            {
                                var pads = "0";
                                hIP = pads + hIP;
                            }
                            var hIP1 = parseInt(hIP.toString().substring(6,8),16);
                            var hIP2 = parseInt(hIP.toString().substring(4,6),16);
                            var hIP3 = parseInt(hIP.toString().substring(2,4),16);
                            var hIP4 = parseInt(hIP.toString().substring(0,2),16);
                            
                            var val2 = myArray[i].substring(index+1);
                            var index2 = val2.indexOf(".");
                            val2 = val2.substring(0,index2);
                            var hPort = parseInt(val2).toString(16);
                            if (hPort.length < 4)
                            {
                                var padh = "0";
                                hPort = padh + hPort;
                            }
                            var hPortS = hPort.toString().substring(2,4) + hPort.toString().substring(0,2);
                            var hPort1 = parseInt(hPortS,16);
        
                            oSession["ui-customcolumn"] += hIP1 + "." + hIP2 + "." + hIP3 + "." + hIP4 + ":" + hPort1 + "  ";
                       
                        }
                    }
                }
            }
        }

In order to decode the cookie from a request, you need to add the following code to the static function OnBeforeRequest(oSession: Session) method.

        var re = /\d+\.\d+\.0{4}/;      // Simple regex to identify the BigIP pattern.
        oSession["ui-customcolumn"] = "";
        
           
           
        if (oSession.oRequest.headers.Exists("Cookie"))
        {
            var cookie = oSession.oRequest["Cookie"];
            var myArray = re.exec(cookie);
            if (myArray != null && myArray.length > 0)
            {
            
                for (var i = 0; i < myArray.length; i++)
                {
                    var index = myArray[i].indexOf(".");
                
                    var val = myArray[i].substring(0,index);
                
                    var hIP = parseInt(val).toString(16);
                    if (hIP.length < 8)
                    {
                        var pads = "0";
                        hIP = pads + hIP;
                    }
                    var hIP1 = parseInt(hIP.toString().substring(6,8),16);
                    var hIP2 = parseInt(hIP.toString().substring(4,6),16);
                    var hIP3 = parseInt(hIP.toString().substring(2,4),16);
                    var hIP4 = parseInt(hIP.toString().substring(0,2),16);
                    
                    var val2 = myArray[i].substring(index+1);
                    var index2 = val2.indexOf(".");
                    val2 = val2.substring(0,index2);
                    var hPort = parseInt(val2).toString(16);
                    if (hPort.length < 4)
                    {
                        var padh = "0";
                        hPort = padh + hPort;
                    }
                    var hPortS = hPort.toString().substring(2,4) + hPort.toString().substring(0,2);
                    var hPort1 = parseInt(hPortS,16);

                    oSession["ui-customcolumn"] += hIP1 + "." + hIP2 + "." + hIP3 + "." + hIP4 + ":" + hPort1 + "  ";
               
                }
            }
        }

Again, this is a rough compilation of code to perform the tasks. I am well aware there are other ways to do this, but this did seem to work. USE AT YOUR OWN RISK. It is your responsibility to make sure any code you add or use is suitable for your needs. I am not liable for any issues from this code. From my testing, this worked to decode the cookie and didn't present any issues. This is not production code, but an example of how this task could be done.

Just add the code to the custom rules file and visit a site with a F5 cookie and it should decode the value.

Comments

Comments are closed.