F5 Networks ASM Advanced Mitigation Techniques Lab Guide
Participant Hands-on Lab Guide
Last Updated: 04.2017

©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You may not share these training materials and documentation with any third party without the express written permission of F5.

Table of Contents

Lab Environment and Setup .... 3

Lab 1 – Bot Signatures and Proactive Bot Defense .... 4
  Exercise 1 – Bot Signatures .... 4
    Step 1 – Configure DoS Profile .... 4
    Step 2 – Launch and Observe Simple Bot Attacks .... 5
  Exercise 2 – Custom Bot Signatures .... 6
    Step 1 – Unknown "Bot" Attack .... 6
    Step 2 – Custom Bot Signature .... 6
    Step 3 – Run the Unknown "Bot" Attack Again .... 7
  Exercise 3 – Proactive Bot Defense .... 8
    Step 1 – Enable Proactive Bot Defense .... 8
    Step 2 – Launch and Observe Attack .... 9
  Exercise 4 – Blocking and Validating Suspicious Browsers .... 10
    Step 1 – Edit DoS Profile .... 10
    Step 2 – Launch and Observe Attack .... 11
  Exercise 5 – Blocking Credential Stuffing with Proactive Bot Defense .... 13
    Step 1 – Review Sentry MBA Config .... 13
    Step 2 – Launch a Credential Stuffing Attack .... 16
    Step 3 – Block Sentry MBA with Proactive Bot Defense .... 19

Lab 2 – Evasion Techniques .... 21
  Exercise 1 – Setup and Determining Vulnerability .... 21
    Step 1 – Burp Suite Proxy .... 21
    Step 2 – Create Policy .... 21
    Step 3 – Determining Cross-Site Scripting (XSS) Vulnerability .... 22
  Exercise 2 – Testing ASM with Evasion Techniques .... 25
    Step 1 – Testing the XSS through ASM .... 25
    Step 2 – Obfuscation – URL Encoding .... 26
    Step 3 – Obfuscation – String Manipulation .... 30

Lab 3 – Cross-Site Request Forgery Protection .... 34
  Exercise 1 – Review CSRF Attack Page .... 34
    Step 1 – Login .... 34
    Step 2 – Configure CSRF Protection .... 36
    Step 3 – Inspect CSRF Protection .... 37

Lab 4 – Protecting JSON Applications with ASM .... 40
  Exercise 1 – Review JSON App .... 40
    Step 1 – Review JSON POST in Burp Suite .... 40
  Exercise 2 – Manipulate JSON Request Data .... 42
    Step 1 – Change Credentials .... 42
    Step 2 – SQL Injection .... 44
  Exercise 3 – Blocking Malicious JSON with ASM .... 45
    Step 1 – Create and Apply an ASM Policy .... 45
    Step 2 – Re-try SQL Injection .... 46
  Exercise 4 – ASM Content Profiles .... 48
    Step 1 – Review JSON Content Profile .... 48
    Step 2 – Enforce Signatures and Re-try SQLi Attack .... 49
  Exercise 5 – JSON Format Validation .... 51
    Step 1 – Attempt an XSS Attack .... 51

Lab 5 – WebSocket Protection .... 52
  Exercise 1 – Review TaxiApp and F5 Config .... 52
    Step 1 – Associate WebSocket Profile .... 52
    Step 2 – Review TaxiApp .... 53
    Step 3 – Attack TaxiApp .... 54
  Exercise 2 – WebSocket Protection .... 55
    Step 1 – Create ASM WebSocket Policy .... 55

Lab 6 – ASM
Document details: PDF, 68 pages, English.