F5 Customer Demo

Using BIG-IP Application Security Manager (ASM) for Web Vulnerabilities
Document version 12.0.0.01
Written for: TMOS Architecture v12.0.0
Virtual images:
BIGIP_A_v12.0.0
LAMP_4
Windows_7_External

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.
Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 2/5/2016


Learn More, Sell More, Sell Faster
2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 1 Preparing the BIG-IP Demo Environment


Required virtual images: BIGIP_A_v12.0.0, LAMP_4, Windows_7_External
Estimated completion time: 70 minutes

Task 1 Configure the Web Application


Provision ASM on the BIG-IP system, and then create a new web application for the DVWA web site.

In VMware, start up the BIGIP_A_v12.0.0, LAMP_4, and Windows_7_External images.


On the Windows_7_External desktop, use putty to access and log into 10.1.1.245.
At the CLI type:
tmsh
load sys ucs clean_install_BIGIP_A_v12.0.0.ucs no-license
y

NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated
license.

If you do not have the BIGIP_A_v12.0.0 image or the clean_install_BIGIP_A_v12.0.0.ucs
archive file, complete the F5 vLab Setup.

On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Application Security (ASM) to Nominal
Create a monitor using the following information, and then click Finished.
Name dvwa_monitor
Type HTTP
Send String GET /login.php\r\n
Receive String RandomStorm

Create a pool using the following information, and then click Finished.
Name dvwa_pool
Health Monitor dvwa_monitor
Members Address: 10.1.20.17, Service Port: 80

Create a new virtual server using the following information, and then click Finished.
Name dvwa_virtual
Destination Address 10.1.10.35:443
HTTP Profile http
SSL Profile (Client) f5demo_client_ssl
Source Address Translation Auto Map
Default Pool dvwa_pool

WWFE vLab Guides Demo: Using ASM for Web Vulnerabilities; v12.0.0.01 Page | 3

Task 2 Verify Web Site Vulnerabilities


Use a web browser to access the dvwa_virtual and attempt various well-known attacks against the web site to
determine its current security state.

Use Internet Explorer to access https://dvwa.vlab.f5demo.com.

NOTE: If you are unable to access this host name, complete Exercise 2, Task 8 in the vLab Setup
Guide.

Create a bookmark for the DVWA login page called DVWA.


Log into DVWA using the following credentials:
Username: admin
Password: password

Command Execution
On the navigation menu, click Command Execution.
Type 10.1.20.50 into the field and then click submit.
The purpose of this feature is to simply ping a hostname or IP address. This is not a malicious threat to
the web application.
Type 10.1.20.50; cat /etc/passwd into the field and then click submit.
You have exposed the contents of the passwd file on this web server. With the IP address and a
semi-colon preceding the cat command, you are able to retrieve confidential files on the web server.
The goal of command execution attacks is to be able to run arbitrary commands on the target host
operating system.

SQL Injection
On the navigation menu, click SQL Injection.
Type 1 into the field, and then click Submit.
The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is
the expected behavior of this feature.
In the User ID field copy and paste the following, and then click Submit:
%' or 1='1
You are presented with all of the users in the database.
In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, database () #
The final record displays the database name (dvwa).
In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, table_name from information_schema.tables #
Every record after Bob Smith displays a table named from this database server.

In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a,
last_name, 0x0a, user, 0x0a, password) from users #
Every record after Bob Smith displays the user ID, first name, last name, user name, and password
(in a hash format) of a different user in the users table. A successful SQL injection exploit can read
sensitive data from the application database, modify database data, or even delete data or the entire
database.

Cross-Site Scripting
On the navigation menu, click XSS reflected.
In the field type your first name and click Submit:
This feature simply returns text that we type into the web page response.
Copy and paste the following in the field, and then click Submit.
Credit card number: 4111-1111-1111-1111.
Credit card numbers are being sent in cleartext in the HTTP response. This is known as data leakage.
Copy and paste the following in the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. The user is presented with an alert dialog box.
This information is now stored in the application database and will be presented to all users that
access this comments page. Using cross-site scripting, a hacker could add anything that JavaScript can
do into the field, which then gets inserted into the database.
Copy and paste the following in the field, and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>
This script redirects the users to a completely different web site. Cross-site scripting is a powerful
exploit because a hacker can insert JavaScript code into the database. When legitimate users access a
web page that references the database record, their device is then susceptible to the malicious
content.

Forceful Browsing
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.

Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then run this application file.
These are examples of files that are not accessible through links, but are in fact present within the
web server directory. A forceful browsing attack aims to access resources that are not referenced by
the web application, but are still accessible.
Close the browser.


Task 3 Create a Security Policy using the Automatic Policy Builder


Create a security policy for dvwa_virtual using the automatic policy builder.

In the Configuration Utility, open the Security > Application Security > Security Policies > Active Policies
page, and then click Create.
Leave the Existing Virtual Server option selected and click Next.
On the Configure Local Traffic Settings page:
o In the protocol list, select HTTPS.
o In the HTTPS Virtual Server list box, leave dvwa_virtual selected and click Next.

Leave the Create a policy automatically (recommended) option selected and click Next.
On the Configure Security Policy Properties page:
o For Security Policy Name enter dvwa_security_policy.
o From the Security Policy Language list, select Unicode (utf-8), and then click Next.
On the Configure Attack Signatures page:
o From the Available Systems list, move the following to the Assigned Systems list.
Operating Systems > Unix/Linux
Web Servers > Apache and Apache Tomcat
Languages, Frameworks and Applications > PHP
Database Servers > MySQL
o Leave Signature Staging enabled and click Next.
On the Configure Automatic Policy Building page:
o From the Policy Type list, select Comprehensive.
o Slide the Policy Builder learning speed control to Fast.
o From the Trusted IP Addresses list box, leave Address List selected.
o In the IP Address box, enter 10.1.10.0.
o In the Netmask box, enter 255.255.255.0, and then click Add.

Click Next, and then click Finish.


Open the Virtual Servers List page and click dvwa_virtual.

Open the Security > Policies page.

Application Security Policy is Enabled using dvwa_security_policy.


From the Log Profile list select Enabled.
Select Log all requests and click <<, and then click Update.

We will log all requests while we're developing the security policy. When the policy is ready to
move to production, we would return the configuration to log only illegal requests.

Task 4 Create Trusted Learning Suggestions for Automatic Policy Building


Generate trusted learning suggestions using normal web user traffic for the automatic policy builder to use for
building the security policy.

Use a new Incognito window and click the DVWA bookmark.

Edit the URI to https://dvwa.vlab.f5demo.com and press Enter.


Click the Refresh button.

Log into the application, and then click the Refresh button.
On the navigation menu, click Instructions.
Click the Copying link, and then click the PHPIDS License link.
On the navigation menu, click DVWA Security.
Change the security level to medium, and then click Submit.
Change the security level to high, and then click Submit.
Change the security level back to low, and then click Submit.
On the navigation menu, click PHP Info, and then click the Back button.
On the navigation menu, click About.
On the navigation menu, click Command Execution.

Type 10.1.20.50 into the field and then click submit.
On the navigation menu, click SQL Injection.
Type 2 into the field, and then click Submit.
On the navigation menu, click XSS reflected.
Type your first name into the field, and then click Submit.
Copy and paste the following in the field, and then click Submit.
Credit card number: 4111-1111-1111-1111.

On the navigation menu, click SQL Injection (Blind).


Click Logout, and then close the DVWA page.
In the Configuration Utility, open the Security > Application Security > File Types > Allowed File Types
page.
Several file types have been added to the allowed list. When using the automatic policy building,
trusted suggestions are automatically added to the security policy.
Open the Security > Application Security > URLs > Allowed URLs page.
Every URL you visited has been added to the allowed list.
Open the Security > Application Security > Parameters > Parameters List page.
Several parameters have been added to the allowed list. For Parameter Value Type, most are set to
Ignore Value, and for Staging they are all still set to Yes. Some parameters are waiting for additional
traffic samples, some have learning suggestions available.

Task 5 Install iMacros for Firefox


Install iMacros for Firefox.

Open Mozilla Firefox, then click the Open menu button, and then click Add-ons.

In the search field type iMacros.


Install the most recent version of iMacros for Firefox.
Copy the asm_requests.iim and asm_hacker.iim files to the iMacros\Macros folder.
In Firefox click the iMacros button.


Task 6 Tighten the Security Policy


Modify the traffic learning and suggestions page by shortening the amount of time it takes to enforce learned
suggestions from trusted IP addresses, and then generate traffic using iMacros for Firefox.

In the Configuration Utility, open the Security > Application Security> Policy Building >
Learning and Blocking Settings page.
On the right-side of the page, view the Advanced settings.

Expand Tighten Policy (stabilize).


For Trusted Traffic, update all of the thresholds to the following, and then click Save.

Click Apply Policy and then OK.


In Firefox, from the iMacros pane select asm_requests.iim.
On the Play tab in the Max field type 5, and then click Play (Loop).
While the macro is running, in the Configuration Utility view the Allowed File Types page, the
Allowed URLs page, and the Parameters List page to view the changes that are taking place.
As the macro continues to run, file types, URLs, and parameters are removed from staging. In addition
the wildcard character for each entity type is removed.
After the macro has completed close Firefox.
In the Configuration Utility, click Apply Policy and then OK.
Use Firefox to open a new Private window.

Select the asm_requests.iim iMacro, in the Max field type 5, and then click Play (Loop).

NOTE: If you receive the blocking response page, close Firefox and then try the two steps
above once more.

Continue to monitor the Parameters List page.


IF the id, ip, and/or name parameters are still listed as Ignore Value and/or are still in staging:
o Apply the updated policy.
o Use a new private window in Firefox and play the macro 5 more times.

Once the id, ip, and name parameters are all listed as User-input value types and are not in staging,
move on to task 7.

Task 7 Tune the Security Policy


Further tune the security policy by adding additional signatures, enabling Data Guard, and adding a custom
response page.

In the Configuration Utility open the Security > Application Security> Policy Building >
Learning and Blocking Settings page.
From the Learning Mode list select Manual.

This stops the automatic policy builder.


Expand Attack Signatures, and then click Change.
Select the Command Execution Signatures, Cross Site Scripting Signatures, and SQL Injection Signatures
checkboxes, and then click Change.
Clear the Enable Signature Staging checkbox.

Expand Data Guard, then clear the Block checkbox, and then click Save.
This ensures that credit card numbers and social security numbers will be masked, but the pages that
display these masked values will not be blocked by BIG-IP ASM.
Open the Security > Application Security > Data Guard page.
Select the Data Guard, Credit Card Numbers, and Mask Data checkboxes, and then click Save.

Open the Security > Application Security > Policy > Response Pages page.
From the Response Type list box, select Custom Response.
Edit the Response Body by copying and pasting the following, and then click Save.
<html><head><title>Illegal Request</title></head>
<body>For security purposes, Lorax Investments has blocked this <font
color=red>illegal request</font>.<br><br>
You can contact our technical support department and supply them with the
following support ID: <b><%TS.request.ID()%></b></body></html>

Click Apply Policy and then OK.


Task 8 Test the Updated Policy


Open the DVWA web site and make attempts that violate the policy, and then view the entries in the ASM
log file.

Use a new incognito window and click the DVWA bookmark, and then log into the application.
On the navigation menu, click Command Execution.
Type 10.1.20.50 into the field and then click submit.
Type 10.1.20.50; cat /etc/passwd into the field and then click submit.
The valid request is allowed, while the command execution attempt was blocked by BIG-IP ASM.
Click on the Back button, and then click SQL Injection.
Type 4 into the field, and then click Submit.
In the User ID field type the following and then click Submit:
%' or 1='1
The valid request is allowed, while the SQL Injection attempt is blocked by BIG-IP ASM.
Click on the Back button, and then click XSS reflected.
Type the following into the field and then click Submit:
Credit card: 4111-1111-1111-1111.
The credit card number is now masked by BIG-IP ASM.
Type your last name into the field, and then click Submit.
Type the following into the field and then click Submit:
<script></script>

Click the Back button, and then type the following into the field and click Submit:
<iframe></iframe>
The valid request is allowed, while the cross-site scripting attempts are blocked by BIG-IP ASM.
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Both of these forceful browsing attempts are blocked by BIG-IP ASM.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Select the blocked vulnerabilities/exec/ entry.
This request was blocked for several reasons, including being recognized as a command execution
attack.
Close the window, and then select the blocked vulnerabilities/sqli/ entry.
This request was blocked because it was recognized as a SQL injection attack.
Close the window, and then select the illegal (not blocked) vulnerabilities/xss_r/ entry, and then click
Data Guard: Information leakage detected.
This request wasn't blocked; however, ASM recognized the credit card number in the response and
masked the content, preventing data leakage.

Close the window, and then select the earliest blocked vulnerabilities/xss_r/ entry, and then click
Attack signature detected.
This request was blocked because it triggered the XSS script tag signature.
Close the window, and then select the latest blocked vulnerabilities/xss_r/ entry, and then click
Attack signature detected.
This request was blocked because it triggered the iframe tag signature.
Close the window, and then select the blocked /private.txt entry.
This request was blocked for several reasons, including being an illegal file type and an illegal URL.
The attack type is buffer overflow and forceful browsing.

Task 9 Update the Security Policy


Identify URLs and parameters that are being blocked but should be available for users. View the security event
logs to determine why the blocking is taking place. Then update the security policy to enable users to access the
blocked URL and parameters.

In the DVWA web page click the DVWA bookmark, and then log into the application.
On the navigation menu, click Brute Force.
Click on the Back button, and then on the navigation menu, click Upload.
Both pages are blocked because the URLs weren't added to the Allowed URLs list. However, we need
users to be able to access the Brute Force page.
Close the blocked page.
In the Configuration Utility, on the Event Logs > Application > Requests page click Go.
Select the blocked vulnerabilities/brute/ entry.
This request was blocked because it's an illegal URL. We need users to access this page; therefore
we'll add it to the Allowed URLs list.
For the Illegal URL violation, click the Learn button, and then close the View Full Request window.

This navigates to the Traffic Learning page. Notice the Action for this suggestion is to Add URL.
Click Accept Suggestion, and then click Accept Suggestion.
Open the Allowed URLs page, and then move to the second page of URLs.
The /vulnerabilities/brute/ URL was added to the security policy.
Click Apply Policy and then OK.
Use a new incognito window and click the DVWA bookmark, and then log into the application.
On the navigation menu, click Brute Force.
Users now have access to the Brute Force page.
In the Username field type admin, and in the Password field type password, and then click Login.
Although we haven't done anything malicious, the request was blocked.

Click on the Back button, and then on the navigation menu, click CSRF.
The user is blocked from accessing the CSRF page. This is the expected behavior of the security policy,
as we do not want users accessing this page.
Close the blocked page.
In the Configuration Utility, open the Event Logs > Application > Requests page.
Select the blocked /vulnerabilities/brute/ entry, and then click Illegal parameter.
This request was blocked because there are three parameters on the page that are not included in
the security policy.
For the Illegal parameter violation, click the Learn button, and then close the View Full Request window.
There are three Illegal parameter suggestions. All three need to be included in the security policy.
Select the checkboxes for all three suggestions.
Notice the Action for all three suggestions is to Add Parameter.
Click Accept Suggestions, and then click Accept Suggestions.
Click Apply Policy and then OK.
Use a new incognito window and click the DVWA bookmark, and then log into the application.
On the navigation menu, click Brute Force.
Users now have access to the Brute Force page.
In the Username field type admin, and in the Password field type password, and then click Login.
The request, along with the three parameters, is now allowed.
Close the DVWA page.
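The checks that the event log entries in Tasks 8 and 9 report (illegal URL, illegal file type, illegal parameter, attack signature, Data Guard masking), modelled in Python as an added example. This is not F5 code: the allow lists, the signature patterns, the Luhn-validated card masking and the sample requests are assumptions constructed to mirror the DVWA requests in this guide, not ASM's real engine.

```python
"""Simplified model of the BIG-IP ASM decisions exercised in Tasks 7 to 9.
Added example, not F5 code: the allow lists, signature patterns and sample
requests are constructed for illustration and are far simpler than ASM's."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Allowed URLs with their allowed parameters, plus allowed file types, as the
# automatic policy builder learned them in Tasks 4 and 6 (constructed subset).
POLICY = {
    "urls": {
        "/": set(), "/index.php": set(),
        "/login.php": {"username", "password", "Login"},
        "/vulnerabilities/exec/": {"ip"},
        "/vulnerabilities/sqli/": {"id", "Submit"},
        "/vulnerabilities/xss_r/": {"name"},
    },
    "file_types": {"php", "no_ext", "css", "js", "png"},
}

# Stand-ins for the Command Execution, SQL Injection and Cross Site Scripting
# signature sets enabled in Task 7 (the patterns are assumed, not ASM's own).
SIGNATURES = [
    ("Command Execution", re.compile(r"[;|&`]\s*(cat|ls|id|whoami|uname)\b", re.I)),
    ("SQL Injection", re.compile(r"'\s*or\s+\S+\s*=\s*\S+|\bunion\s+select\b", re.I)),
    ("XSS script tag", re.compile(r"<\s*script\b", re.I)),
    ("XSS iframe tag", re.compile(r"<\s*iframe\b", re.I)),
]
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13 to 16 digits, '-' or ' ' separated


def file_type(path: str) -> str:
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else "no_ext"


def inspect_request(target: str, form: Optional[Dict[str, str]] = None) -> Tuple[str, List[str]]:
    """Return ("allowed" | "blocked", violations) for one request, using the
    violation names the Requests event log in Task 8 shows."""
    parts = urlsplit(target)
    path, violations = parts.path, []
    allowed_params = POLICY["urls"].get(path)
    if allowed_params is None:
        violations.append("Illegal URL")
    if file_type(path) not in POLICY["file_types"]:
        violations.append("Illegal file type")
    # Query string (GET, as sqli and xss_r use) plus the POST form (as exec uses).
    params = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params.update(form or {})
    if allowed_params is not None:  # parameters are only checked against a known URL
        violations += [f"Illegal parameter: {n}" for n in params if n not in allowed_params]
    for label, pattern in SIGNATURES:
        if any(pattern.search(v) for v in params.values()):
            violations.append(f"Attack signature detected: {label}")
    return ("blocked" if violations else "allowed"), violations


def accept_suggestion(url: str, parameter: Optional[str] = None) -> None:
    """Task 9's Accept Suggestion: add a URL to the policy, or a parameter to a URL."""
    POLICY["urls"].setdefault(url, set())
    if parameter:
        POLICY["urls"][url].add(parameter)


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def inspect_response(body: str) -> Tuple[str, bool]:
    """Data Guard with Block cleared (Task 7): mask card numbers, never block.
    Returns (body as sent to the client, whether leakage was detected)."""
    leaked = False

    def mask(m):
        nonlocal leaked
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):  # merely card-shaped, e.g. an order number
            return raw
        leaked = True
        hidden = len(digits) - 4  # keep the last four digits visible
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append("*" if seen <= hidden else ch)
            else:
                out.append(ch)
        return "".join(out)

    return CARD_RE.sub(mask, body), leaked


if __name__ == "__main__":
    print(inspect_request("/vulnerabilities/exec/", {"ip": "10.1.20.50; cat /etc/passwd"}))
    print(inspect_response("Credit card: 4111-1111-1111-1111."))
```

Calling accept_suggestion() replays the Task 9 sequence: the Brute Force URL is first blocked as an illegal URL, then for its three illegal parameters, and only then allowed.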

Task 10 Create Several Visits to the Application from a Hacker


Use Mozilla Firefox to record and then play back several attempts to hack the DVWA web application.

Use a new private window in Firefox and access and log into http://dvwa.vlab.f5demo.com.
In the iMacros pane select asm_hacker.iim.
On the Play tab in the Max field type 25, and then click Play (Loop).
This macro submits several malicious requests to the DVWA web application, including command
execution, forceful browsing, SQL injection, and cross-site scripting.
After the iMacro has finished running, close Firefox.


Task 11 View the Security Reports


View the built-in BIG-IP ASM security reports.

In the Configuration Utility, open the Security > Reporting > Application > Charts page.

NOTE: It will take several minutes for all of the transaction data to load.

In the Details section, click /Common/dvwa_security_policy, then click <Unassigned>, and then
click /Common/dvwa_virtual.
This displays the number of legal, blocked, and alarmed requests for this virtual server.
In the Details section, clear the Overall checkbox.

Change the Chart type to Stacked, and the Time Period to Last Hour.
In the Details section, click Blocked.
These are the attack types that were blocked by ASM while you ran the macro.
From the Time Period list select Custom.
Use the Custom Time Period options to select the past 15 minutes only, and then click Update.
Click Collapse Advanced Filters.
Navigate back to Security Policy.

From the Advanced Filter list box, select Top attacks in last hour.
From the Advanced Filter list box, select Top blocked URLs.
This displays the URLs that ASM protected and how many times malicious attacks were blocked.
From the Advanced Filter list box, select Top violations in last hour.

Task 12 Edit the Virtual Server and Create an Archive File


Open the Virtual Servers List page, click dvwa_virtual, and then open the Security > Policies page.
In the Application Security Policy list box, select Disabled, and then click Update.
Create an archive file named demo_asm_web_vulnerabilities_v12.0.0.

Part 2 Delivering the BIG-IP Demo to a Customer


Required virtual images: BIGIP_A_v12.0.0, LAMP_4, Windows_7_External
Required archive file: demo_asm_web_vulnerabilities_v12.0.0.ucs
Estimated completion time: 45 minutes

Task 1 Prepare for the Demo


Restore the archive file you created in Part 1.

In VMware, start up the BIGIP_A_v12.0.0, LAMP_4, and Windows_7_External images.


On the Windows_7_External desktop, use putty to access and log into 10.1.1.245.
At the CLI type:
tmsh
load sys ucs demo_asm_web_vulnerabilities_v12.0.0.ucs no-license
y

NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated
license.

On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

Task 2 Verify Web Site Vulnerabilities


Use a web browser to access the dvwa_virtual and attempt various well-known attacks against the web site to
determine its current security state.

Use a new incognito window and click the DVWA bookmark, and then log into the application.

Command Execution
On the navigation menu, click Command Execution.
Type 10.1.20.50 into the field and then click submit.
Users type a hostname or IP address in this field and submit it. The hostname or IP address is sent to
the web server. The web server then pings the hostname or IP address and displays the results.
Type 10.1.20.50; cat /etc/passwd into the field and then click submit.
With the IP address and a semi-colon preceding the cat command, you have exposed the contents of
the passwd file on this web server. This is not the intended use of this field, and it is a target for
hackers to exploit. The goal of command execution attacks is to be able to run arbitrary commands on
the target host operating system.

SQL Injection
On the navigation menu, click SQL Injection.
Type 2 into the field, and then click Submit.
The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is
the expected behavior of this feature.

In the User ID field copy and paste the following, and then click Submit:
%' or 1='1
You are presented with all of the users in the database.
In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a,
last_name, 0x0a, user, 0x0a, password) from users #
Every record after Bob Smith displays the user ID, first name, last name, user name, and password
(in a hash format) of a different user in the users table. A successful SQL injection exploit can read
sensitive data from the application database, modify database data, or even delete data or the entire
database.

Cross-Site Scripting
On the navigation menu, click XSS reflected.
In the field type the customer's first name and click Submit.
This feature simply returns text that we type into the web page response.
Copy and paste the following in the field, and then click Submit.
Credit card number: 4111-1111-1111-1111.
Credit card numbers are being sent in cleartext in the HTTP response. This is known as data leakage.
Copy and paste the following in the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. The user is presented with an alert dialog box.
This information is now stored in the application database and will be presented to all users that
access this comments page. Using cross-site scripting, a hacker could add anything that JavaScript can
do into the field, which then gets inserted into the database.
Copy and paste the following in the field, and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>
This script redirects the users to a completely different web site. Cross-site scripting is a powerful
exploit because a hacker can insert JavaScript code into the database. When legitimate users access a
web page that references the database record, their device is then susceptible to the malicious
content.

Forceful Browsing
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then cancel the download.
These are examples of files that are not accessible through links, but are in fact present within the
web server directory. A forceful browsing attack aims to access resources that are not referenced by
the web application, but are still accessible.
Click Logout, and then close the browser.


Task 3 Add a Security Policy to the Virtual Server


We have already created a security policy based on normal, expected user traffic for the DVWA web site. We
will now attach that security policy to the virtual server.

In the Configuration Utility, open the Virtual Servers List page and click dvwa_virtual.
This virtual server was created prior to this demonstration. We used this virtual server to access the
DVWA web application.
Open the Security > Policies page.
From the Application Security Policy list box, select Enabled, and then click Update.
By default, BIG-IP ASM will use dvwa_security_policy, as it's the only configured security policy on this
BIG-IP system. I created this security policy earlier from normal, expected user traffic.
Open the Security > Application Security > Security Policies > Active Policies page.
The dvwa_security_policy is in the Blocking enforcement mode.
Click dvwa_security_policy, then open the Tree View page, then expand /vulnerabilities/brute.
The Tree View page displays all of the allowed URLs and parameters for this web application.
Open the Security > Application Security > Policy > Response Pages page.
This page enables us to create a custom blocking response page for malicious users.
In the Response Body, replace the text Lorax Investments with the customer's name, and then click Save.
Click Apply Security Policy and then OK.
When updating a security policy with BIG-IP ASM, you must always click Apply Policy to see the
changes in the application.

Task 4 Re-Attempt to Hack the DVWA Web Site


We will re-access the DVWA web site and try all of the same malicious attacks that we illustrated a few
moments ago.

Use a new incognito window and click the DVWA bookmark, and then log into the application.
On the navigation menu, click Command Execution.
Type 10.1.20.50 into the field and then click submit.
Type 10.1.20.50; cat /etc/passwd into the field and then click submit.
The valid request is allowed, while the command execution attempt was blocked by BIG-IP ASM.
Click on the Back button, and then click SQL Injection.
Type 4 into the field, and then click Submit.
In the User ID field type the following and then click Submit:
%' or 1='1
The valid request is allowed, while the SQL Injection attempt is blocked by BIG-IP ASM.
Click on the Back button, and then click XSS reflected.

Copy and paste the following into the field and then click Submit:
Credit card: 4111-1111-1111-1111.
The credit card number is now masked by BIG-IP ASM. This prevents data leakage of sensitive user
data.
Type the customer's last name into the field, and then click Submit.
Type the following into the field and then click Submit:
<script></script>

Click the Back button, and then type the following into the field and click Submit:
<iframe></iframe>
The valid request is allowed, while the cross-site scripting attempts are blocked by BIG-IP ASM.
Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Both of these forceful browsing attempts are blocked by BIG-IP ASM.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Select the blocked vulnerabilities/exec/ entry.
This request was blocked for several reasons, including being recognized as a command execution
attack.
Close the window, and then select the blocked vulnerabilities/sqli/ entry.
This request was blocked because it was recognized as a SQL injection attack.
Close the window, and then select the illegal (not blocked) vulnerabilities/xss_r/ entry, and then click
Data Guard: Information leakage detected.
This request wasn't blocked; however, ASM recognized the credit card number in the response and
masked the content, preventing data leakage.
Close the window, and then select the earliest blocked vulnerabilities/xss_r/ entry, and then click
Attack signature detected.
This request was blocked because it triggered the XSS script tag signature.
Close the window, and then select the latest blocked vulnerabilities/xss_r/ entry, and then click
Attack signature detected.
This request was blocked because it triggered the iframe tag signature.
Close the window, and then select the blocked /private.txt entry.
This request was blocked for several reasons, including being an illegal file type and an illegal URL.
The attack type is buffer overflow and forceful browsing.
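The Data Guard behaviour seen above (the card number masked in the response rather than the request being blocked), as an added example that is not F5 code: a Luhn-checked masker run over a constructed response body that echoes the demo's 4111-1111-1111-1111 value. The sample body, regex and function names are all assumptions.

```python
import re

# Constructed response body (not captured from the lab): the XSS reflected page
# echoing the credit card value from the demo, plus a digit run that is not a card.
SAMPLE_RESPONSE = (
    "<pre>Hello Credit card: 4111-1111-1111-1111.</pre>\n"
    "<p>Order ref 1234-5678-9012-3456 (fails Luhn, must stay visible)</p>"
)

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(body: str, keep_last: int = 4) -> tuple:
    """Mask every Luhn-valid card number in body, keeping only the last digits.

    Returns (masked_body, count_of_masked_values)."""
    count = 0

    def mask(match):
        nonlocal count
        raw = match.group(0)
        if not luhn_ok(re.sub(r"[ -]", "", raw)):
            return raw                      # ordinary digit run: leave it alone
        count += 1
        to_mask = len(raw) - len(re.sub(r"\d", "", raw)) - keep_last
        out = []
        for ch in raw:                      # keep separators, star the leading digits
            if ch.isdigit() and to_mask > 0:
                out.append("*")
                to_mask -= 1
            else:
                out.append(ch)
        return "".join(out)

    return PAN_RE.sub(mask, body), count
```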


Task 5 Update the Security Policy


Identify URLs and parameters that are being blocked but should be available for users. View the security event
logs to determine why the blocking is taking place. Then update the security policy to enable users to access the
blocked URL and parameters.

In the DVWA web page click the DVWA bookmark, and then log into the application.
On the navigation menu click CSRF.
The user is blocked from this page; however, we need users to be able to access it.
Click the Back button, and then click SQL Injection (Blind).
Type 5 into the field, and then click Submit.
The user has access to this page but was blocked from submitting data using the field. We need users
to be able to submit information using this form field.
Close the blocked page.
In the Configuration Utility, on the Event Logs > Application > Requests page click Go.
Select the blocked vulnerabilities/csrf/ entry.
This request was blocked because it's an illegal URL. We need users to access this page; therefore
we'll add it to the Allowed URLs page.
For the Illegal URL violation, click the Learn button, and then close the View Full Request window.
This navigates to the Traffic Learning page. Notice the Action for this suggestion is to Add URL.
Click Accept Suggestion, and then click Accept Suggestion.
Open the Allowed URLs page, and then move to the second page of URLs.
The /vulnerabilities/csrf/ URL was added to the security policy.
Open the Event Logs > Application > Requests page.
Select the blocked vulnerabilities/sqli_blind/ entry, and then click Illegal parameter.
This request was blocked because there are two parameters on the page that are not included in the
security policy.
For the Illegal parameter violation, click the Learn button, and then close the View Full Request window.
There are two Illegal parameter suggestions. Both need to be included in the security policy.
Select the checkboxes for both suggestions.
Notice the Action for both suggestions is to Add Parameter.
Click Accept Suggestions, and then click Accept Suggestions.
Click Apply Policy and then OK.
Use a new incognito window and click the DVWA bookmark, and then log into the application.
On the navigation menu, click CSRF.
Users now have access to the CSRF page.
Click SQL Injection (Blind).
Type 5 into the field, and then click Submit.
Users can now interact with the web application using this form field.

Close the DVWA page.
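How the checks seen in Task 4 and the learning steps in Task 5 fit together, as an added example rather than anything exported from ASM: a toy positive model (allowed URLs with their parameters, allowed file types) plus simplified signatures, evaluated against the demo's own requests, and an accept_suggestion helper that mirrors the Add URL / Add Parameter actions. The policy contents, signature patterns and function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for dvwa_security_policy: allowed file types, and the
# allowed URLs, each mapped to the parameter names permitted on it.
ALLOWED_FILE_TYPES = {"", "php", "html", "css", "js", "png"}
POLICY = {"allowed_urls": {
    "/vulnerabilities/exec/": {"ip", "submit"},
    "/vulnerabilities/sqli/": {"id", "Submit"},
    "/vulnerabilities/xss_r/": {"name"},
    "/vulnerabilities/sqli_blind/": set(),   # URL allowed, parameters not yet
}}

# Constructed, deliberately simplified signatures for the attacks in this demo.
SIGNATURES = [
    ("command execution", re.compile(r"[;|&`]\s*(cat|ls|id|uname)\b", re.I)),
    ("SQL injection", re.compile(r"'\s*or\s+\d+\s*=\s*'?\d+", re.I)),
    ("XSS script tag", re.compile(r"<\s*script\b", re.I)),
    ("XSS iframe tag", re.compile(r"<\s*iframe\b", re.I)),
]

def check_request(policy, url):
    """Return the violations for one request URL; an empty list means allowed."""
    parts = urlsplit(url)
    violations = []
    # Illegal file type: extension of the last path segment ("" for a directory)
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_FILE_TYPES:
        violations.append("Illegal file type")
    allowed_params = policy["allowed_urls"].get(parts.path)
    if allowed_params is None:
        violations.append("Illegal URL")
    for pname, values in parse_qs(parts.query, keep_blank_values=True).items():
        if allowed_params is not None and pname not in allowed_params:
            violations.append(f"Illegal parameter: {pname}")
        for value in values:        # parse_qs has already URL-decoded the value
            for label, rx in SIGNATURES:
                if rx.search(value):
                    violations.append(f"Attack signature detected: {label}")
    return violations

def accept_suggestion(policy, path, param=None):
    """Apply a Traffic Learning suggestion: Add URL, or Add Parameter to a URL."""
    policy["allowed_urls"].setdefault(path, set())
    if param is not None:
        policy["allowed_urls"][path].add(param)
```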

Task 6 Create Several Visits to the Application from a Hacker


Use Mozilla Firefox to record and then play back several attempts to hack the DVWA web application.

Use a new private window in Firefox and access and log into http://dvwa.vlab.f5demo.com.
If it's not already displayed, enable the iMacros pane.
In the iMacros bar select asm_hacker.iim, and in the Max box, type 25, and then click Play (Loop).
This macro is making several illegal requests to the web application. You can see that they are all
receiving a blocking response page.
After the iMacro has finished running, close Firefox.

Task 7 View the PCI Compliance Report


Use the PCI Compliance report to determine where the web application is missing security measures required
for compliance.

Open the Security > Reporting > Application > PCI Compliance page.
The PCI Compliance report identifies security measures required to comply with PCI-DSS 3.0.
It indicates which measures are met, which are not met, and which are not relevant.
Click Assign a unique ID to each person with computer access.
In order to meet PCI compliance, we need to have unique user IDs for all BIG-IP system
administrators.
Click Do not use vendor-supplied defaults for system passwords and other security parameters.
In order to meet PCI compliance, we cannot use the default passwords for the built-in admin and root
usernames.
To fix this compliance issue, in the Default Users section, click on the root username.
- Update the root password to dvwa.
- Update the admin password to dvwa, then click Update, and then click OK.
Log back into the BIG-IP system using the new password.
Open the System > Users > User List page, and then click Create.
Create a new user account using the following information, and then click Finished.
User Name: your first name
Password: your last name (all lowercase)
Role: Administrator
Partition: All (click Add)
Terminal Access: Advanced shell

Open the Security > Reporting > Application > PCI Compliance page.
We have now met all of the security measures required for PCI compliance.
Click Printable Version, and then open the PDF.

Scroll down to the Known vulnerabilities protection section.
Customers can keep this PDF in their records to verify that they've met their PCI compliance
requirements.

Task 8 View the Security Logs and Security Reports


View the built-in BIG-IP ASM security reports.

In the Configuration Utility, open the Security > Reporting > Application > Charts page.
In the Details section, click /Common/dvwa_security_policy, then click <Unassigned>, and then
click /Common/dvwa_virtual.
This displays the number of legal, blocked, and alarmed requests for this virtual server.
In the Details section, clear the Overall checkbox.
Change the Chart type to Stacked, and the Time Period to Last Hour.
In the Details section, click Blocked.
These are the attack types that were blocked by ASM while you ran the macro.
From the Time Period list select Custom.
Use the Custom Time Period options to select the past 15 minutes only, and then click Update.
Click Collapse Advanced Filters.
Navigate back to Security Policy.
From the Advanced Filter list box, select Top attacks in last hour.
From the Advanced Filter list box, select Top blocked URLs.
This displays the URLs that ASM protected and how many times malicious attacks were blocked.
From the Advanced Filter list box, select Top violations in last hour.

That concludes this demonstration on using BIG-IP ASM to block common web vulnerabilities.
