DOCSLIB.ORG

F5 Networks ASM Advanced Mitigation Techniques

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
F5 Networks ASM Advanced Mitigation Techniques F5 Networks ASM Advanced Mitigation Techniques Lab Guide Participant Hands-on Lab Guide Last Updated: 04.2017 ©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You may not share these training materials and documentation with any third party without the express written permission of F5. pg. 2 Table of Contents Lab Environment and Setup ................................................................................................................................... 3 Lab 1 – Bot Signatures and Proactive Bot Defense ................................................................................................ 4 Exercise 1 – Bot Signatures..................................................................................................................................... 4 Step 1 – Configure DoS Profile ............................................................................................................................................ 4 Step 2 – Launch and Observe Simple Bot Attacks ............................................................................................................... 5 Exercise 2 – Custom Bot Signatures ....................................................................................................................... 6 Step 1 – Unknown “Bot” Attack .......................................................................................................................................... 6 Step 2 – Custom Bot Signature ........................................................................................................................................... 6 Step 3 – Run the Unknown “Bot” Attack Again .................................................................................................................. 7 Exercise 3 – Proactive Bot Defense ........................................................................................................................ 8 Step 1 – Enable Proactive Bot Defense ............................................................................................................................... 8 Step 2 – Launch and Observe Attack .................................................................................................................................. 9 Exercise 4 – Blocking and Validating Suspicious Browsers ................................................................................... 10 Step 1 – Edit DoS Profile ................................................................................................................................................... 10 Step 2 – Launch and observe attack. ................................................................................................................................ 11 Exercise 5 – Blocking Credential Stuffing with Proactive Bot Defense ................................................................ 13 Step 1 – Review Sentry MBA Config .................................................................................................................................. 13 Step 2 – Launch a Cred Stuffing attack ............................................................................................................................. 16 Step 3 – Block SentryMBA with Proactive Bot Defense .................................................................................................... 19 Lab 2 – Evasion Techniques .................................................................................................................................. 21 Exercise 1: Setup and Determining Vulnerability ................................................................................................. 21 Step 1 - Burp Suite Proxy ................................................................................................................................................... 21 Step 2 - Create Policy ......................................................................................................................................................... 21 Step 3 - Determining Cross Site Script (XSS) Vulnerability ................................................................................................. 22 Exercise 2: Testing ASM with Evasion Techniques ............................................................................................... 25 Step 1 – Testing the XSS through ASM .............................................................................................................................. 25 Step 2 – Obfuscation – URL Encoding ................................................................................................................................ 26 Step 3 – Obfuscation – String Manipulation ...................................................................................................................... 30 Lab 3 - Cross Site Request Forgery Protection ..................................................................................................... 34 Exercise 1 – Review CSRF Attack Page ................................................................................................................. 34 Step 1 – Login ................................................................................................................................................................... 34 Step 2 – Configure CSRF Protection .................................................................................................................................. 36 pg. 1 Step 3 – Inspect CSRF Protection ...................................................................................................................................... 37 Lab 4 - Protecting JSON applications with ASM ................................................................................................... 40 Exercise 1 – Review JSON App .............................................................................................................................. 40 Step 1 – Review JSON POST in Burp Suite ......................................................................................................................... 40 Exercise 2 – Manipulate JSON Request data ........................................................................................................ 42 Step 1 – Change credentials ............................................................................................................................................. 42 Step 2 – SQL Injection ....................................................................................................................................................... 44 Exercise 3 – Blocking malicious JSON with ASM................................................................................................... 45 Step 1 – Create and Apply an ASM policy ......................................................................................................................... 45 Step 2 – Re-try SQL Injection ............................................................................................................................................. 46 Exercise 4 – ASM Content Profiles ....................................................................................................................... 48 Step 1 – Review JSON Content Profile ............................................................................................................................... 48 Step 2 – Enforce signatures and re-try SQLi Attack .......................................................................................................... 49 Exercise 5 – JSON Format Validation .................................................................................................................... 51 Step 1 – Attempt a XSS Attack .......................................................................................................................................... 51 Lab 5 - Websocket Protection .............................................................................................................................. 52 Exercise 1 – Review TaxiApp and F5 Config ......................................................................................................... 52 Step 1 – Associate WebSocket Profile ............................................................................................................................... 52 Step 2 – Review TaxiApp ................................................................................................................................................... 53 Step 3 – Attack TaxiApp .................................................................................................................................................... 54 Exercise 2 – WebSocket Protection ...................................................................................................................... 55 Step 1 – Create ASM WebSocket Policy ............................................................................................................................ 55 Lab 6 – ASM
Load more

Recommended publications
  • Differential Fuzzing the Webassembly
    Master’s Programme in Security and Cloud Computing Differential Fuzzing the WebAssembly Master’s Thesis Gilang Mentari Hamidy MASTER’S THESIS Aalto University - EURECOM MASTER’STHESIS 2020 Differential Fuzzing the WebAssembly Fuzzing Différentiel le WebAssembly Gilang Mentari Hamidy This thesis is a public document and does not contain any confidential information. Cette thèse est un document public et ne contient aucun information confidentielle. Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Technology. Antibes, 27 July 2020 Supervisor: Prof. Davide Balzarotti, EURECOM Co-Supervisor: Prof. Jan-Erik Ekberg, Aalto University Copyright © 2020 Gilang Mentari Hamidy Aalto University - School of Science EURECOM Master’s Programme in Security and Cloud Computing Abstract Author Gilang Mentari Hamidy Title Differential Fuzzing the WebAssembly School School of Science Degree programme Master of Science Major Security and Cloud Computing (SECCLO) Code SCI3084 Supervisor Prof. Davide Balzarotti, EURECOM Prof. Jan-Erik Ekberg, Aalto University Level Master’s thesis Date 27 July 2020 Pages 133 Language English Abstract WebAssembly, colloquially known as Wasm, is a specification for an intermediate representation that is suitable for the web environment, particularly in the client-side. It provides a machine abstraction and hardware-agnostic instruction sets, where a high-level programming language can target the compilation to the Wasm instead of specific hardware architecture. The JavaScript engine implements the Wasm specification and recompiles the Wasm instruction to the target machine instruction where the program is executed. Technically, Wasm is similar to a popular virtual machine bytecode, such as Java Virtual Machine (JVM) or Microsoft Intermediate Language (MSIL).
    [Show full text]
  • Machine Learning in the Browser
    Machine Learning in the Browser The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters Citable link http://nrs.harvard.edu/urn-3:HUL.InstRepos:38811507 Terms of Use This article was downloaded from Harvard University’s DASH repository, and is made available under the terms and conditions applicable to Other Posted Material, as set forth at http:// nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of- use#LAA Machine Learning in the Browser a thesis presented by Tomas Reimers to The Department of Computer Science in partial fulfillment of the requirements for the degree of Bachelor of Arts in the subject of Computer Science Harvard University Cambridge, Massachusetts March 2017 Contents 1 Introduction 3 1.1 Background . .3 1.2 Motivation . .4 1.2.1 Privacy . .4 1.2.2 Unavailable Server . .4 1.2.3 Simple, Self-Contained Demos . .5 1.3 Challenges . .5 1.3.1 Performance . .5 1.3.2 Poor Generality . .7 1.3.3 Manual Implementation in JavaScript . .7 2 The TensorFlow Architecture 7 2.1 TensorFlow's API . .7 2.2 TensorFlow's Implementation . .9 2.3 Portability . .9 3 Compiling TensorFlow into JavaScript 10 3.1 Motivation to Compile . 10 3.2 Background on Emscripten . 10 3.2.1 Build Process . 12 3.2.2 Dependencies . 12 3.2.3 Bitness Assumptions . 13 3.2.4 Concurrency Model . 13 3.3 Experiences . 14 4 Results 15 4.1 Benchmarks . 15 4.2 Library Size . 16 4.3 WebAssembly . 17 5 Developer Experience 17 5.1 Universal Graph Runner .
    [Show full text]
  • Mitigating Javascript's Overhead with Webassembly
    Samuli Ylenius Mitigating JavaScript’s overhead with WebAssembly Faculty of Information Technology and Communication Sciences M. Sc. thesis March 2020 ABSTRACT Samuli Ylenius: Mitigating JavaScript’s overhead with WebAssembly M. Sc. thesis Tampere University Master’s Degree Programme in Software Development March 2020 The web and web development have evolved considerably during its short history. As a result, complex applications aren’t limited to desktop applications anymore, but many of them have found themselves in the web. While JavaScript can meet the requirements of most web applications, its performance has been deemed to be inconsistent in applications that require top performance. There have been multiple attempts to bring native speed to the web, and the most recent promising one has been the open standard, WebAssembly. In this thesis, the target was to examine WebAssembly, its design, features, background, relationship with JavaScript, and evaluate the current status of Web- Assembly, and its future. Furthermore, to evaluate the overhead differences between JavaScript and WebAssembly, a Game of Life sample application was implemented in three splits, fully in JavaScript, mix of JavaScript and WebAssembly, and fully in WebAssembly. This allowed to not only compare the performance differences between JavaScript and WebAssembly but also evaluate the performance differences between different implementation splits. Based on the results, WebAssembly came ahead of JavaScript especially in terms of pure execution times, although, similar benefits were gained from asm.js, a predecessor to WebAssembly. However, WebAssembly outperformed asm.js in size and load times. In addition, there was minimal additional benefit from doing a WebAssembly-only implementation, as just porting bottleneck functions from JavaScript to WebAssembly had similar performance benefits.
    [Show full text]
  • Giant List of Web Browsers
    Giant List of Web Browsers The majority of the world uses a default or big tech browsers but there are many alternatives out there which may be a better choice. Take a look through our list & see if there is something you like the look of. All links open in new windows. Caveat emptor old friend & happy surfing. 1. 32bit https://www.electrasoft.com/32bw.htm 2. 360 Security https://browser.360.cn/se/en.html 3. Avant http://www.avantbrowser.com 4. Avast/SafeZone https://www.avast.com/en-us/secure-browser 5. Basilisk https://www.basilisk-browser.org 6. Bento https://bentobrowser.com 7. Bitty http://www.bitty.com 8. Blisk https://blisk.io 9. Brave https://brave.com 10. BriskBard https://www.briskbard.com 11. Chrome https://www.google.com/chrome 12. Chromium https://www.chromium.org/Home 13. Citrio http://citrio.com 14. Cliqz https://cliqz.com 15. C?c C?c https://coccoc.com 16. Comodo IceDragon https://www.comodo.com/home/browsers-toolbars/icedragon-browser.php 17. Comodo Dragon https://www.comodo.com/home/browsers-toolbars/browser.php 18. Coowon http://coowon.com 19. Crusta https://sourceforge.net/projects/crustabrowser 20. Dillo https://www.dillo.org 21. Dolphin http://dolphin.com 22. Dooble https://textbrowser.github.io/dooble 23. Edge https://www.microsoft.com/en-us/windows/microsoft-edge 24. ELinks http://elinks.or.cz 25. Epic https://www.epicbrowser.com 26. Epiphany https://projects-old.gnome.org/epiphany 27. Falkon https://www.falkon.org 28. Firefox https://www.mozilla.org/en-US/firefox/new 29.
    [Show full text]
  • USER GUIDE Wwpass Security for Email (Thunderbird) for Wwpass Security Pack 2.6
    USER GUIDE WWPass Security for Email (Thunderbird) For WWPass Security Pack 2.6 May 2014 TABLE OF CONTENTS Chapter 1 — Welcome .................................................................................................................................. 3 Introducing WWPass Security for Email (Thunderbird) ............................................................................ 4 Presenting Your PassKey to Your Computer ........................................................................................ 5 Related Documentation ............................................................................................................................. 6 Need Assistance? ..................................................................................................................................... 7 Report a Problem from Dashboard ....................................................................................................... 7 Chapter 2 — Requirements .......................................................................................................................... 8 Requirements for WWPass Security for Email (Thunderbird) .................................................................. 8 Supported Platforms and Browsers .......................................................................................................... 9 Chapter 3 — Setup ..................................................................................................................................... 10 Smart Start for Setup .............................................................................................................................
    [Show full text]
  • Mozilla Development Roadmap
    mozilla development roadmap Brendan Eich, David Hyatt table of contents • introduction • milestone schedule • about ownership... • a new • current release • what all this does not roadmap status mean • discussion • how you can help • application architecture • summary • project • to-do list rationale management introduction Welcome to the Mozilla development roadmap. This is the third major roadmap revision, with a notable recent change to the status of the integrated Mozilla application suite, since the original roadmap that set Mozilla on a new course for standards compliance, modularity, and portability in 1998. The previous roadmap documented milestones and rules of development through Mozilla 1.3, and contains links to older roadmaps. Most of this document reflects the new application architecture proposal made last year. The effort resulting from that proposal has finally borne fruit, or to mix metaphors, hatched new application creatures: Firefox and Thunderbird. The new, significant roadmap update hoped for early in 2004 has been postponed. See Brendan's roadmap blog for thoughts that may feed into it. An interim roadmap update focused on the "aviary 1.0" 1 From www.mozilla.org/roadmap.html 4 August 2004 releases of Firefox 1.0 and Thunderbird 1.0, and the 1.8 milestone that will follow, is coming soon. We have come a long way. We have achieved a Mozilla 1.0 milestone that satisfies the criteria put forth in the Mozilla 1.0 manifesto, giving the community and the wider world a high-quality release, and a stable branch for conservative development and derivative product releases. See the Mozilla Hall of Fame for a list of Mozilla-based projects and products that benefited from 1.0.
    [Show full text]
  • Mechanizing Webassembly Proposals
    University of Wisconsin Milwaukee UWM Digital Commons Theses and Dissertations August 2020 Mechanizing Webassembly Proposals Jacob Richard Mischka University of Wisconsin-Milwaukee Follow this and additional works at: https://dc.uwm.edu/etd Part of the Computer Sciences Commons Recommended Citation Mischka, Jacob Richard, "Mechanizing Webassembly Proposals" (2020). Theses and Dissertations. 2565. https://dc.uwm.edu/etd/2565 This Thesis is brought to you for free and open access by UWM Digital Commons. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of UWM Digital Commons. For more information, please contact [email protected]. MECHANIZING WEBASSEMBLY PROPOSALS by Jacob Mischka A Dissertation Submitted in Partial Fulfillment of the Requirements for the degree of Master of Science in Computer Science at The University of Wisconsin-Milwaukee August 2020 ABSTRACT MECHANIZING WEBASSEMBLY PROPOSALS by Jacob Mischka The University of Wisconsin-Milwaukee, 2020 Under the Supervision of Professor John Boyland WebAssembly is a modern low-level programming language designed to provide high performance and security. To enable these goals, the language specifies a relatively small number of low-level types, instructions, and lan- guage constructs. The language is proven to be sound with respect to its types and execution, and a separate mechanized formalization of the specifi- cation and type soundness proofs confirms this. As an emerging technology, the language is continuously being developed, with modifications being pro- posed and discussed in the open and on a frequent basis. ii In order to ensure the soundness properties exhibited by the original core language are maintained as WebAssembly evolves, these proposals should too be mechanized and verified to be sound.
    [Show full text]
  • Firefox OS Features Guide
    Firefox OS ReFeviatureweres’s Guide [email protected] [email protected] Contents About Mozilla 1 About Firefox OS 2 Getting Started with Firefox OS 3 Web Apps and Adaptive App Search 17 Privacy and Security 20 The Web is the Platform 21 About Mozilla organization, Mozilla has been a pioneer and advocate for the Web for more than 15 years and is focused on creating open standards that enable innovation and advance the Web as a platform for all. We are committed to delivering choice and control in products that people love and can take across multiple platforms and devices. For more information, visit blog.mozilla.org/press 1 About Firefox OS performance, personalization and price you want in a smartphone packaged in a beautiful, clean, intuitive, and easy-to-use experience. Firefox OS introduces a brand new concept for smartphones. Adaptive app search literally transforms the phone to meet your needs at any moment, without the need to download anything. Search for your favorite music artist and get app results to buy songs, listen instantly, buy concert tickets and more. Adaptive app search makes it possible for you to access one-time use or downloadable apps and gives you a completely customized experience with the exact content you want, when you want it. Firefox OS also includes all the things people expect from a smartphone — calls, messaging, email, camera — and those that they want, such as built-in social integration with Facebook and Twitter, location-based the Firefox Web browser, the Firefox Marketplace and much more. Our vision is to create a more powerful, open Web, so as more browsers adopt the open Web technologies that power Firefox, Firefox OS and Firefox for Android, you will be able to take the apps you purchase with you across other platforms and devices.
    [Show full text]
  • 3. Wählen Sie Im Mozilla-Browser Den Menüpunkt "Edit" ("Bearbeiten"), Darunter "Preferences..." ("Einstellungen...")
    3. Wählen Sie im Mozilla-Browser den Menüpunkt "Edit" ("Bearbeiten"), darunter "Preferences..." ("Einstellungen..."). Dort öffnen Sie im der Kategorie "Appearance" ("Erscheinungsbild") das Einstellungen-Panel "Languages/Content" ("Sprachen/Inhalt"). 4. Dort wählen Sie die Sprache "Deutsch" aus der oberen Liste, möglichst auch "Inhalte: Österreich" aus der unteren Liste (um z.B. bei "Hilfe" > "Release Notes" auf deren deutsche Version auf mozilla.kairo.at geschickt zu werden). 5. Klicken Sie OK, beenden Sie Mozilla und starten Sie das Programm neu (dazu muss unter Windows auch der eventuell aktivierte Schnellstart beendet werden!). Tun Sie dies, so wird die Oberfläche in deutscher Sprache angezeigt. 6. Wenn Sie schon bisher eine deutsche Version verwendet haben, kann es vorkommen, dass nur Teile übersetzt erscheinen. In diesem Fall stellen Sie mit Hilfe der Punkte 3-5 nochmals auf Englisch zurück und dann wieder auf Deutsch. Dann sollte das Problem behoben sein. Seamonkey.doc Page 41 of 41 Installationsanleitung: Language Packs im XPI-Format ab Mozilla 1.7 Warnung: Seit Mozilla 1.7 können XPI-Pakete nur mehr von erlaubten Webseiten installiert werden, daher schlägt die Installation von unserer Seite bei einer frischen Installation fehl. Bitte lesen Sie unten stehende Vorbereitungsschritte. Stellen Sie sicher, dass die Einstellung 'Software-Installation' unter den Erweiterten Einstellungen aktiviert ist, sonst lässt sich jedenfalls kein XPI- Paket installieren! Vorbereitung: Sie müssen entweder Installationen von Mozilla deutsch erlauben oder das Paket lokal herunterladen: * Installationen von Mozilla deutsch erlauben: Geben Sie "about:config" in die Adressleiste ein. Suchen Sie in der erscheinenden Liste nach der Eigenschaft "xpinstall.whitelist.add" (fast ganz unten in der alphabetischen Liste).
    [Show full text]
  • OSINT Handbook September 2020
    OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 Aleksandra Bielska Noa Rebecca Kurz, Yves Baumgartner, Vytenis Benetis 2 Foreword I am delighted to share with you the 2020 edition of the OSINT Tools and Resources Handbook. Once again, the Handbook has been revised and updated to reflect the evolution of this discipline, and the many strategic, operational and technical challenges OSINT practitioners have to grapple with. Given the speed of change on the web, some might question the wisdom of pulling together such a resource. What’s wrong with the Top 10 tools, or the Top 100? There are only so many resources one can bookmark after all. Such arguments are not without merit. My fear, however, is that they are also shortsighted. I offer four reasons why. To begin, a shortlist betrays the widening spectrum of OSINT practice. Whereas OSINT was once the preserve of analysts working in national security, it now embraces a growing class of professionals in fields as diverse as journalism, cybersecurity, investment research, crisis management and human rights. A limited toolkit can never satisfy all of these constituencies. Second, a good OSINT practitioner is someone who is comfortable working with different tools, sources and collection strategies. The temptation toward narrow specialisation in OSINT is one that has to be resisted. Why? Because no research task is ever as tidy as the customer’s requirements are likely to suggest. Third, is the inevitable realisation that good tool awareness is equivalent to good source awareness. Indeed, the right tool can determine whether you harvest the right information.
    [Show full text]
  • CVE-2021-23987 Published On: 03/31/2021 12:00:00 AM UTC
    CVE-2021-23987 Published on: 03/31/2021 12:00:00 AM UTC Last Modified on: 08/06/2021 06:18:00 PM UTC CVE-2021-23987 Source: Mitre Source: Nist Print: PDF Certain versions of Firefox from Mozilla contain the following vulnerability: Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. CVE-2021-23987 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity. Affected Vendor/Software: Mozilla - Firefox ESR version < 78.9 Affected Vendor/Software: Mozilla - Firefox version < 87 Affected Vendor/Software: Mozilla - Thunderbird version < 78.9 CVSS3 Score: 8.8 - HIGH Attack Attack Privileges User Vector Complexity Required Interaction NETWORK LOW NONE REQUIRED Scope Confidentiality Integrity Availability Impact Impact Impact UNCHANGED HIGH HIGH HIGH CVSS2 Score: 6.8 - MEDIUM Access Access Authentication Vector Complexity NETWORK MEDIUM NONE Confidentiality Integrity Availability Impact Impact Impact PARTIAL PARTIAL PARTIAL CVE References Description Tags Link Mozilla Firefox: Multiple vulnerabilities (GLSA 202104- security.gentoo.org GENTOO GLSA-202104-10 10) — Gentoo security text/html Security Vulnerabilities fixed in Thunderbird 78.9 — www.mozilla.org MISC www.mozilla.org/security/advisories/mfsa2021-12/
    [Show full text]
  • HW 6B
    HW 6b - EECS 481 Josiah Bruner <[email protected]> Project Selected Project The project I have chosen to work on for HW 6 is Mozilla Thunderbird (website: https://www.mozilla.org/en-US/thunderbird/​ GitHub mirror: https://github.com/mozilla/releases-comm-central​) Thunderbird is a cross-platform, client-side, email client which uses Mozilla’s Gecko web rendering engine to control most of the UI and HTML email rendering. It is a large open-source project, serving over 25 million users [1]. Project Context Mozilla Thunderbird can be thought of as a sub-project of the much larger Mozilla project (which contains other products such as Firefox). Originally it was created as part of Mozilla’s internet strategy and was maintained both by volunteers and Mozilla Corporation employees. Eventually though, Mozilla Corporation transitioned Thunderbird to “support only”. Presently Mozilla only provides infrastructure for Thunderbird, but all development, maintenance, and QA is done by volunteers. This is described in more detail in the next section (“Project Governance”). Thunderbird has two primary competing markets. The first are other local email clients, such as Microsoft Outlook, Polymail, and other open source clients (e.g. Evolution Mail). Another competing market are web email clients, such as Gmail. Increasingly users are moving to do all their email activities on a website rather than a local application, but Thunderbird exists to provide a reliable solution for those you don’t want this. It is especially useful if you have many email accounts, as they can all be “merged” together. Project Governance As briefly mentioned above, Thunderbird used to be a full “product” of Mozilla, and so it therefore has a lot of formal processes and governance surrounding it.
    [Show full text]