
F5 Customer Demo

Using BIG-IP Application Security Manager (ASM) for Web Vulnerabilities

Document version 12.0.C
Written for: TMOS® Architecture v12.0.0
Virtual images: BIGIP_A_v12.0, LAMP_4, Windows_7_External

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 4/25/2016


Learn More, Sell More, Sell Faster
©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.


Part 1 – Preparing the BIG-IP Demo Environment


• Required virtual images: BIGIP_A_v12.0, LAMP_4, Windows_7_External
• Estimated completion time: 70 minutes

Task 1 – Configure the Web Application


Provision ASM on the BIG-IP system, and then create a new web application for the DVWA web site.

• In VMware, start up the BIGIP_A_v12.0, LAMP_4, and Windows_7_External images.
• On the Windows_7_External desktop, use PuTTY to access and log into 10.1.1.245.
• At the CLI type:
tmsh
load sys ucs clean_install_BIGIP_A_v12.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

If you do not have the BIGIP_A_v12.0 image or the clean_install_BIGIP_A_v12.0.ucs archive file, complete the F5 vLab Setup.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
• Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Application Security (ASM) to Nominal
• Create a pool using the following information, and then click Finished.
Name: dvwa_pool
Health Monitor: dvwa_monitor
Members (Address / Service Port): 10.1.20.17 / 80
• Create a new virtual server using the following information, and then click Finished.
Name: dvwa_virtual
Destination Address: 10.1.10.35:443
HTTP Profile: http
SSL Profile (Client): f5demo_client_ssl
Source Address Translation: Auto Map
Default Pool: dvwa_pool

WWFE vLab Guides – Demo: Using ASM for Web Vulnerabilities; v12.0.C Page | 3

Task 2 – Verify Web Site Vulnerabilities


Use a web browser to access the dvwa_virtual and attempt various well-known attacks against the web site to determine its current security state.

• On the Windows_7_External desktop, use Internet Explorer to access https://dvwa.vlab.f5demo.com.
• Create a bookmark for the DVWA login page called DVWA.
• Log into DVWA using the following credentials:
Username: admin
Password: password

Command Execution
• On the navigation menu, click Command Execution.
• Type hackazon.f5demo.com into the field and then click submit.
The purpose of this feature is simply to ping a hostname or IP address. This is the intended use of the page, not a malicious request.
• Type hackazon.f5demo.com; cat /etc/passwd into the field and then click submit.
You have exposed the contents of the passwd file on this web server. The semicolon ends the ping command that the application builds from your input, so the cat command that follows it runs as a second command and can retrieve confidential files on the web server. The goal of command execution attacks is to be able to run arbitrary commands on the target host operating system.
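The Python script below is an added example, not part of this guide or of DVWA. It reproduces the vulnerable pattern behind the Command Execution page (user input concatenated into a command line that a shell parses) next to a hardened version that allow-lists the target as an IP address or hostname and passes it as a single argv element with no shell. So that it runs offline, the real ping command is replaced by a constructed stand-in (echo PING) and the injected payload is "; echo INJECTED" instead of cat /etc/passwd; both substitutions are the example's own assumptions, and the injection works identically against the real command.

```python
import ipaddress
import re
import subprocess

# Constructed stand-in for DVWA's "ping -c 3 <target>" so the script runs offline;
# the injection behaves the same way against the real command.
BASE_COMMAND = "echo PING"

# RFC-style hostname: dot-separated labels of letters, digits and dashes.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def vulnerable_ping(target: str, base_command: str = BASE_COMMAND) -> str:
    """The page's pattern: the input is glued onto a command line that a shell parses,
    so ; | && $( ) and backticks in the input start new commands."""
    completed = subprocess.run(base_command + " " + target, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def validate_target(target: str) -> str:
    """Allow-list the only two things a ping target can legitimately be."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def build_ping_argv(target: str) -> list:
    """Hardened form: the validated input becomes one argv element and no shell is
    involved, so shell metacharacters carry no meaning even if validation is loosened."""
    return ["ping", "-c", "3", validate_target(target)]


def hardened_ping(target: str) -> str:
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True).stdout


if __name__ == "__main__":
    benign, hostile = "hackazon.f5demo.com", "hackazon.f5demo.com; echo INJECTED"
    print("vulnerable, benign :", vulnerable_ping(benign).strip())
    print("vulnerable, hostile:", vulnerable_ping(hostile).strip().replace("\n", " | "))
    for t in (benign, hostile):
        try:
            print("hardened argv      :", build_ping_argv(t))
        except ValueError as err:
            print("hardened           :", err)
```

The second line of output shows the injected command's output appearing after the ping output, which is exactly what the passwd listing on the DVWA page is; the hardened path never reaches a shell and rejects the same input outright.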

SQL Injection
• On the navigation menu, click SQL Injection.
• Type 1 into the field, and then click Submit.
The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is the expected behavior of this feature.
• In the User ID field copy and paste the following, and then click Submit:
%' or 1='1
You are presented with all of the users in the database. The quote in your input closes the string the application built around it, and the or 1='1' condition that follows is true for every row.
• In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, database() #
The final record displays the database name (dvwa). The # comments out the closing quote that the application appends after your input.
• In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, table_name from information_schema.tables #
Every record after "Bob Smith" displays the name of a table from this database server.
• In the User ID field copy and paste the following, and then click Submit:
%' or 1=1 union select null, concat(0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #
Every record after "Bob Smith" displays the user ID, first name, last name, user name, and password (in a hash format) of a different user in the users table. A successful SQL injection exploit can read sensitive data from the application database, modify database data, or even delete data or the entire database.

Cross-Site Scripting
• On the navigation menu, click XSS reflected.
• In the field type your first name and click Submit.
This feature simply echoes the text you type back in the web page response.
• Copy and paste the following in the field, and then click Submit.
Credit card number: 4111-1111-1111-1111.
The credit card number is returned in cleartext in the HTTP response. This is known as data leakage.
• Copy and paste the following in the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The text in the field is JavaScript code, and the browser runs it: the user is presented with an alert dialog box. Because this page reflects its input, the script runs for whoever submits the request, which is why a hacker delivers a reflected payload inside a crafted link. In the stored variant of the attack the same payload is written to the application database and presented to every user who views the page that displays the record. Either way, a hacker can put anything that JavaScript can do into the field.
• Copy and paste the following in the field, and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>
This script redirects the user to a completely different web site. Cross-site scripting is a powerful exploit because the hacker's script runs in the victim's browser as if it were part of the application. When legitimate users follow a link or load a page that carries the malicious content, their device is then susceptible to it.

Forceful Browsing
• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then run this application file.
These are examples of files that are not reachable through any link, but are in fact present within the web server directory. A forceful browsing attack aims to access resources that are not referenced by the web application, but are still accessible.
• Close the browser.

Task 3 – Create a Security Policy using the Automatic Policy Builder


Create a security policy for dvwa_virtual using the automatic policy builder.

• In the Configuration Utility, open the Security > Application Security > Security Policies > Active Policies page, and then click Create.
• Leave the Existing Virtual Server option selected and click Next.
• On the Configure Local Traffic Settings page:
o In the protocol list, select HTTPS.
o In the HTTPS Virtual Server list box, leave dvwa_virtual selected and click Next.

• Leave the Create a policy automatically (recommended) option selected and click Next.
• On the Configure Security Policy Properties page:
o For Security Policy Name enter dvwa_security_policy.
o From the Security Policy Language list, select Unicode (utf-8), and then click Next.
• On the Configure Attack Signatures page accept all defaults and click Next.
• On the Configure Automatic Policy Building page:
o From the Policy Type list, select Comprehensive.
o Slide the Policy Builder learning speed control to Fast.
o From the Trusted IP Addresses list box, leave Address List selected.
o In the IP Address box, enter 10.1.10.0.
o In the Netmask box, enter 255.255.255.0, and then click Add.
The policy builder accepts suggestions from the trusted range with far fewer samples than from untrusted traffic, which is what lets the browsing in Task 4 shape the policy quickly. Only the client subnet you control belongs in this list, because anything in it can teach the policy.
• Click Next, and then click Finish.
• Open the Virtual Servers List page and click dvwa_virtual.
• Open the Security > Policies page.
The Application Security Policy setting shows Enabled, using dvwa_security_policy.
• From the Log Profile list select Enabled.
• Select Log all requests and click <<, and then click Update.

We log all requests while the security policy is in development. When the policy is ready to move to production, return this setting to log only illegal requests.


Task 4 – Create Trusted Learning Suggestions for Automatic Policy Building


Generate trusted learning suggestions using normal web user traffic for the automatic policy builder to use for building the security policy.

• On the Windows_7_External desktop, use an InPrivate Browsing window and click the DVWA bookmark.
• Edit the URI to https://dvwa.vlab.f5demo.com and press Enter.
• Click the Refresh button.
• Log into the application, and then click the Refresh button.
• On the navigation menu, click Instructions.
• Click the Copying link, and then click the PHPIDS License link.
• On the navigation menu, click DVWA Security.
• Change the security level to medium, and then click Submit.
• Change the security level to high, and then click Submit.
• Change the security level back to low, and then click Submit.
• On the navigation menu, click PHP Info, and then click the Back button.
• On the navigation menu, click About.
• On the navigation menu, click Command Execution.
• Type hackazon.f5demo.com into the field and then click submit.
• On the navigation menu, click SQL Injection.
• Type 2 into the field, and then click Submit.
• On the navigation menu, click XSS reflected.
• Type your first name into the field, and then click Submit.
• Copy and paste the following in the field, and then click Submit.
Credit card number: 4111-1111-1111-1111.
• On the navigation menu, click SQL Injection (Blind).
• Click Logout, and then close the DVWA page.

• In the Configuration Utility, open the Security > Application Security > File Types > Allowed File Types page.
Several file types have been added to the allowed list. When using automatic policy building, trusted suggestions are added to the security policy automatically.
• Open the Security > Application Security > URLs > Allowed URLs page.
Every URL you visited has been added to the allowed list.
• Open the Security > Application Security > Parameters > Parameters List page.
Several parameters have been added to the allowed list. For Parameter Value Type, most are set to Ignore Value, and for Staging they are all still set to Yes. Some parameters are waiting for additional traffic samples, and some have learning suggestions available.

Task 5 – Tighten the Security Policy


Shorten the time the policy builder takes to enforce learned suggestions from trusted IP addresses, and then generate traffic using iMacros for Firefox.

• Open the Security > Application Security > Policy Building > Learning and Blocking Settings page.
• On the right side of the page, view the Advanced settings.
• Expand Tighten Policy (stabilize).
• For Trusted Traffic, update all of the thresholds to the following, and then click Save.
• Click Apply Policy and then OK.
• On the Windows_7_External desktop, open Firefox and click the iMacros button.
• Open the Rec tab, then click Record, and then click Stop. (NOTE: you are simply ensuring that you have a new macro named #Current.iim.)
• Right-click #Current.iim and select Edit Macro, and then delete all of the current lines in the macro.

• Copy and paste the following into the iMacros Editor, and then click Save & Close:
VERSION BUILD=8961227 RECORDER=FX
TAB T=1
URL GOTO=https://dvwa.vlab.f5demo.com/
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:login.php ATTR=NAME:username CONTENT=admin
SET !ENCRYPTION NO
TAG POS=1 TYPE=INPUT:PASSWORD FORM=ACTION:login.php ATTR=NAME:password CONTENT=password
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:login.php ATTR=NAME:Login
URL GOTO=https://dvwa.vlab.f5demo.com/instructions.php
URL GOTO=https://dvwa.vlab.f5demo.com/instructions.php?doc=copying
URL GOTO=https://dvwa.vlab.f5demo.com/instructions.php?doc=PHPIDS-license
URL GOTO=https://dvwa.vlab.f5demo.com/security.php
TAG POS=1 TYPE=SELECT FORM=ACTION:# ATTR=NAME:security CONTENT=%medium
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:# ATTR=NAME:seclev_submit
TAG POS=1 TYPE=SELECT FORM=ACTION:# ATTR=NAME:security CONTENT=%high
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:# ATTR=NAME:seclev_submit
TAG POS=1 TYPE=SELECT FORM=ACTION:# ATTR=NAME:security CONTENT=%low
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:# ATTR=NAME:seclev_submit
URL GOTO=https://dvwa.vlab.f5demo.com/phpinfo.php
BACK
URL GOTO=https://dvwa.vlab.f5demo.com/about.php
URL GOTO=https://dvwa.vlab.f5demo.com/vulnerabilities/exec/
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:ping ATTR=NAME:ip CONTENT=hackazon.f5demo.com
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:ping ATTR=NAME:submit
URL GOTO=https://dvwa.vlab.f5demo.com/vulnerabilities/sqli/
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:# ATTR=NAME:id CONTENT=3
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:# ATTR=NAME:Submit
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:# ATTR=NAME:id CONTENT=4
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:# ATTR=NAME:Submit
URL GOTO=https://dvwa.vlab.f5demo.com/vulnerabilities/sqli_blind/
URL GOTO=https://dvwa.vlab.f5demo.com/vulnerabilities/xss_r/
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:XSS ATTR=NAME:name CONTENT=This<SP>is<SP>the<SP>first<SP>name
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:XSS ATTR=*
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:XSS ATTR=NAME:name CONTENT=This<SP>is<SP>the<SP>last<SP>name
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:XSS ATTR=*
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:XSS ATTR=NAME:name CONTENT=Credit<SP>card<SP>number:<SP>4111-1111-1111-1111.
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:XSS ATTR=*
URL GOTO=https://dvwa.vlab.f5demo.com/hackable/users/gordonb.jpg
URL GOTO=https://dvwa.vlab.f5demo.com/hackable/users/pablo.jpg
URL GOTO=https://dvwa.vlab.f5demo.com/logout.php

• Right-click #Current.iim and select Rename Macro, and name the macro ASM_requests.
• Open the Play tab, and in the Max field type 5, and then click Play (Loop).
• While the macro is running, in the Configuration Utility view the Allowed File Types page, the Allowed URLs page, and the Parameters List page to view the changes that are taking place.
As the macro continues to run, file types, URLs, and parameters are removed from staging. In addition, the wildcard entry for each entity type is removed, so from then on only the explicitly learned file types, URLs, and parameters are allowed.
• After the macro has completed, close Firefox.
• In the Configuration Utility, click Apply Policy and then OK.
• Use Firefox to open a new Private window.
• Select the ASM_requests.iim iMacro, in the Max field type 5, and then click Play (Loop).

→NOTE: If you receive the blocking response page, close Firefox and then try the two steps above once more.

• Continue to monitor the Parameters List page.
• If the id, ip, and/or name parameters are still listed as Ignore Value and/or are still in staging:
o Apply the updated policy.
o Use a new private window in Firefox and play the macro 5 more times.
• Once the id, ip, and name parameters are all listed as User-input value types and are not in staging, move on to Task 6.


Task 6 – Tune the Security Policy


Further tune the security policy by adding additional signatures, enabling Data Guard, and adding a custom response page.

• In the Configuration Utility open the Security > Application Security > Policy Building > Learning and Blocking Settings page.
• From the Learning Mode list select Manual.
This stops the automatic policy builder.
• Expand Attack Signatures, and then click Change.
• Select the Command Execution Signatures, Cross Site Scripting Signatures, and SQL Injection Signatures checkboxes, and then click Change.
• Clear the Enable Signature Staging checkbox.
Signatures in staging only log their matches; with staging cleared, the newly added signature sets block as soon as the policy is applied.
• Expand Data Guard, then clear the Block checkbox, and then click Save.
This ensures that the sensitive data Data Guard detects (credit card numbers, in this demo) is masked, but the pages that display the masked values are not blocked by BIG-IP ASM.
• Open the Security > Application Security > Data Guard page.
• Select the Data Guard, Credit Card Numbers, and Mask Data checkboxes, and then click Save.
• Open the Security > Application Security > Policy > Response Pages page.
• From the Response Type list box, select Custom Response.
• Edit the Response Body by copying and pasting the following, and then click Save.
<html><head><title>Illegal Request</title></head>
<body>For security purposes, Lorax Investments has blocked this <font color=red>illegal request</font>.<br><br>
You can contact our technical support department and supply them with the following support ID: <b><%TS.request.ID()%></b></body></html>
The <%TS.request.ID()%> token is replaced with the support ID of the blocked request, the same ID shown in the event log, so a user who reports it lets you find the exact request that was blocked.
• Click Apply Policy and then OK.
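What Data Guard does to a response can be reasoned about in code. The Python function below is an added example, not F5's implementation: it finds candidate card numbers in a response body, keeps only the candidates that pass the Luhn check (so an order number of the same length is left alone), and replaces all but the last four digits with asterisks, which is the behaviour the demo shows on the XSS reflected page in Task 7. The response bodies it runs on are constructed.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run. The Luhn check decides whether a candidate is a card.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card_numbers(body: str, keep_last: int = 4) -> tuple:
    """Mask Luhn-valid card numbers in a response body, keeping the separators and the
    last `keep_last` digits. Returns (masked_body, number_of_cards_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        text = match.group(0)
        digits = re.sub(r"[ -]", "", text)
        if not luhn_ok(digits):
            return text  # card-shaped but not a card, e.g. an order id: leave it alone
        count += 1
        out, seen = [], 0
        for ch in text:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > len(digits) - keep_last else "*")
            else:
                out.append(ch)
        return "".join(out)

    return _PAN_CANDIDATE.sub(repl, body), count


if __name__ == "__main__":
    # Constructed response body: the Task 7 card number plus a look-alike order id.
    page = "<pre>Hello Credit card: 4111-1111-1111-1111. Order 1234-5678-9012-3456</pre>"
    masked, n = mask_card_numbers(page)
    print(n, "card number(s) masked")
    print(masked)
```

The Luhn step is the difference between masking and false positives: 4111-1111-1111-1111 checks out and is masked to ****-****-****-1111, while 1234-5678-9012-3456 fails the checksum and passes through untouched.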


Task 7 – Test the Updated Policy


Open the DVWA web site and make attempts that violate the policy, and then view the entries in the ASM request log.

• On the Windows_7_External desktop, use an InPrivate Browsing window and click the DVWA bookmark, and then log into the application.
• On the navigation menu, click Command Execution.
• Type lamp.f5demo.com into the field and then click submit.
• Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.
The valid request is allowed, while the command execution attempt is blocked by BIG-IP ASM.
• Click the Back button, and then click SQL Injection.
• Type 4 into the field, and then click Submit.
• In the User ID field type the following and then click Submit:
%' or 1='1
The valid request is allowed, while the SQL injection attempt is blocked by BIG-IP ASM.
• Click the Back button, and then click XSS reflected.
• Type the following into the field and then click Submit:
Credit card: 4111-1111-1111-1111.
The credit card number is now masked by BIG-IP ASM.
• Type your last name into the field, and then click Submit.
• Type the following into the field and then click Submit:
<script></script>
• Click the Back button, and then type the following into the field and click Submit:
<iframe></iframe>
The valid request is allowed, while the cross-site scripting attempts are blocked by BIG-IP ASM.
• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Both of these forceful browsing attempts are blocked by BIG-IP ASM.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Select the blocked vulnerabilities/exec/ entry.
This request was blocked for several reasons, including being recognized as a command execution attack.
• Close the window, and then select the blocked vulnerabilities/sqli/ entry.
This request was blocked because it was recognized as a SQL injection attack.
• Close the window, and then select the illegal (not blocked) vulnerabilities/xss_r/ entry, and then click Data Guard: Information leakage detected.
This request wasn't blocked; however, ASM recognized the credit card number in the response and masked the content, preventing data leakage.

• Close the window, and then select the earliest blocked vulnerabilities/xss_r/ entry, and then click Attack signature detected.
This request was blocked because it triggered the XSS script tag signature.
• Close the window, and then select the latest blocked vulnerabilities/xss_r/ entry, and then click Attack signature detected.
This request was blocked because it triggered the iframe tag signature.
• Close the window, and then select the blocked /private.txt entry.
This request was blocked for several reasons, including being an illegal file type and an illegal URL. ASM reports the attack types as Buffer Overflow and Forceful Browsing.
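The blocked, allowed, and masked outcomes that Task 7 reads from the event log can also be checked from the client side by inspecting the response ASM returns. The Python script below is an added example; it is not part of this guide, of the iMacros macros, or of F5's tooling. It classifies a response body using two markers this guide itself introduces, the Illegal Request title and the support ID that <%TS.request.ID()%> expands to in the Task 6 custom response page, plus the run of asterisks Data Guard leaves behind, and it can replay the Task 7 requests against the virtual server when given the lab URL and a logged-in DVWA session cookie on the command line. The sample bodies are constructed; the cookie handling and the unverified TLS context (for the lab's own certificate) are assumptions of the example.

```python
import re
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Markers from this guide's custom response page (Task 6): the page title and the
# support ID that <%TS.request.ID()%> expands to. DVWA's own pages contain neither.
BLOCK_TITLE = "<title>Illegal Request</title>"
SUPPORT_ID = re.compile(r"support ID:\s*<b>(\d+)</b>")
# Data Guard replaces masked digits with asterisks; a run of four or more is the tell.
MASK_RUN = re.compile(r"\*{4,}")


def classify_response(body: str) -> dict:
    """Decide what ASM did with a request from the body it sent back."""
    sid = SUPPORT_ID.search(body)
    if BLOCK_TITLE in body and sid:
        return {"verdict": "blocked", "support_id": sid.group(1)}
    if MASK_RUN.search(body):
        return {"verdict": "allowed, masked", "support_id": None}
    return {"verdict": "allowed", "support_id": None}


def probe(base_url: str, path: str, params=None, method="GET", cookie=None) -> dict:
    """Send one request through dvwa_virtual and classify the reply (needs the lab)."""
    url = base_url.rstrip("/") + path
    data = None
    if params and method == "GET":
        url += "?" + urllib.parse.urlencode(params)
    elif params:
        data = urllib.parse.urlencode(params).encode()
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    ctx = ssl._create_unverified_context()  # lab certificate only; never in production
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a block page may come with a non-200 status
        body = err.read().decode("utf-8", "replace")
    return classify_response(body)


# The Task 7 requests: DVWA's ping form is a POST, the rest are GETs.
TASK7_CASES = [
    ("/vulnerabilities/exec/", {"ip": "lamp.f5demo.com", "submit": "submit"}, "POST"),
    ("/vulnerabilities/exec/", {"ip": "lamp.f5demo.com; cat /etc/passwd", "submit": "submit"}, "POST"),
    ("/vulnerabilities/sqli/", {"id": "4", "Submit": "Submit"}, "GET"),
    ("/vulnerabilities/sqli/", {"id": "%' or 1='1", "Submit": "Submit"}, "GET"),
    ("/vulnerabilities/xss_r/", {"name": "Credit card: 4111-1111-1111-1111."}, "GET"),
    ("/vulnerabilities/xss_r/", {"name": "<script></script>"}, "GET"),
    ("/vulnerabilities/xss_r/", {"name": "<iframe></iframe>"}, "GET"),
    ("/private.txt", None, "GET"),
    ("/calc.exe", None, "GET"),
]

# Constructed sample bodies standing in for real replies from the lab.
SAMPLE_BLOCKED = (
    "<html><head><title>Illegal Request</title></head><body>For security purposes, "
    "Lorax Investments has blocked this <font color=red>illegal request</font>.<br><br>"
    "You can contact our technical support department and supply them with the "
    "following support ID: <b>14616895987834970329</b></body></html>"
)
SAMPLE_MASKED = "<pre>Hello Credit card: ****-****-****-1111.</pre>"
SAMPLE_ALLOWED = "<pre>Hello Bob</pre>"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py https://dvwa.vlab.f5demo.com 'PHPSESSID=...; security=low'")
    base, cookie = sys.argv[1], sys.argv[2]
    for path, params, method in TASK7_CASES:
        result = probe(base, path, params, method, cookie)
        print(f"{result['verdict']:<16} {path} {params or ''} support_id={result['support_id']}")
```

Run against the lab, the output should read allowed for the benign ping, the user ID 4 lookup and the last name, "allowed, masked" for the credit card request, and blocked with a support ID for the rest; each support ID printed is the one to look up on the Requests page.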

Task 8 – Update the Security Policy


Identify URLs and parameters that are being blocked but should be available to users. View the security event logs to determine why the blocking is taking place. Then update the security policy to enable users to access the blocked URL and parameters.

• In the DVWA web page click the DVWA bookmark, and then log into the application.
• On the navigation menu, click Upload.
• Click the Back button, and then on the navigation menu, click Brute Force.
Both pages are blocked because their URLs were never visited while the policy builder was learning, so they weren't added to the Allowed URLs list. However, we need users to be able to access the Brute Force page.
• In the Configuration Utility, on the Event Logs > Application > Requests page click Go.
• Select the blocked vulnerabilities/brute/ entry.
This request was blocked because it's an illegal URL. We need users to access this page; therefore we'll add it to the Allowed URLs page.
• For the Illegal URL violation, click the Learn button, and then close the View Full Request window.
This navigates to the Traffic Learning page. Notice the Action for this suggestion is Add URL.
• Click Accept Suggestion, and then click Accept suggestion.
• Open the Allowed URLs page, and then move to the second page of URLs.
The /vulnerabilities/brute/ URL was added to the security policy.
• Click Apply Policy and then OK.
• Reload the blocked page.
Users now have access to the Brute Force page.
• In the Username field type admin, and in the Password field type password, and then click Login.
Although we haven't done anything malicious, the request was blocked.

• Click the Back button, and then on the navigation menu, click CSRF.
The user is blocked from accessing the CSRF page. This is the expected behavior of the security policy, as we do not want users accessing this page.
• In the Configuration Utility, open the Event Logs > Application > Requests page.
• Select the blocked /vulnerabilities/brute/ entry, and then click Illegal parameter.
This request was blocked because there are three parameters on the page that are not included in the security policy.
• For the Illegal parameter violation, click the Learn button, and then close the View Full Request window.
There are three Illegal parameter suggestions. All three need to be included in the security policy.
• Select the checkboxes for all three suggestions.
Notice the Action for all three suggestions is Add Parameter.
• Click Accept Suggestions, and then click Accept suggestions.
• Click Apply Policy and then OK.
• In the blocked page click the Back button, then on the Brute Force page, in the Username field type admin, and in the Password field type password, and then click Login.
The request, along with the three parameters, is now allowed.
• Close the DVWA page.

Task 9 – Create Several Visits to the Application from a Hacker


Use Mozilla Firefox to record and then play back several attempts to hack the DVWA web application.

• On the Windows_7_External desktop, open a new private window in Firefox.
• In the iMacros page, open the Rec tab, then click Record, and then click Stop.
• Right-click #Current.iim and select Edit Macro.
• Copy and paste the following into the iMacros Editor, and then click Save & Close:
VERSION BUILD=8961227 RECORDER=FX
TAB T=1
URL GOTO=https://dvwa.vlab.f5demo.com/
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:login.php ATTR=NAME:username CONTENT=admin
SET !ENCRYPTION NO
TAG POS=1 TYPE=INPUT:PASSWORD FORM=ACTION:login.php ATTR=NAME:password CONTENT=password
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:login.php ATTR=NAME:Login
URL GOTO=https://dvwa.vlab.f5demo.com/index.php
TAG POS=1 TYPE=A ATTR=TXT:Command<SP>Execution
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:ping ATTR=NAME:ip CONTENT=10.1.20.50;<SP>cat<SP>/etc/passwd
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:ping ATTR=NAME:submit
URL GOTO=https://dvwa.vlab.f5demo.com
TAG POS=1 TYPE=A ATTR=TXT:SQL<SP>Injection
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:# ATTR=NAME:id CONTENT=%'<SP>or<SP>1='1
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:# ATTR=NAME:Submit
URL GOTO=https://dvwa.vlab.f5demo.com
TAG POS=1 TYPE=A ATTR=TXT:XSS<SP>reflected
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:XSS ATTR=NAME:name CONTENT=Credit<SP>card:<SP>4111-1111-1111-1111.
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:XSS ATTR=*
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:XSS ATTR=NAME:name CONTENT=<script></script>
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:XSS ATTR=*
URL GOTO=https://dvwa.vlab.f5demo.com
TAG POS=1 TYPE=A ATTR=TXT:XSS<SP>reflected
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:XSS ATTR=NAME:name CONTENT=<iframe></iframe>
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:XSS ATTR=*
URL GOTO=https://dvwa.vlab.f5demo.com
TAG POS=1 TYPE=A ATTR=TXT:Upload
URL GOTO=https://dvwa.vlab.f5demo.com
TAG POS=1 TYPE=A ATTR=TXT:Insecure<SP>CAPTCHA
URL GOTO=https://dvwa.vlab.f5demo.com
URL GOTO=https://dvwa.vlab.f5demo.com/private.txt
URL GOTO=https://dvwa.vlab.f5demo.com/calc.exe
URL GOTO=https://dvwa.vlab.f5demo.com
TAG POS=1 TYPE=A ATTR=TXT:Logout

• Right-click #Current.iim and select Rename Macro, and name the macro ASM_hacker.
• Open the Play tab, and in the Max field type 80, and then click Play (Loop).
This macro submits several malicious requests to the DVWA web application, including command execution, forceful browsing, SQL injection, and cross-site scripting.
• Continue through the rest of the exercise while the macro is running.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Note the number of blocked or illegal entries.
• Click Go.
ASM continues to block requests during the application attack.
• On your host workstation use a web browser to access and log into https://dvwa.vlab.f5demo.com, and browse through some of the legal pages.
While under attack, ASM continues to process valid requests.

Task 10 – View the Security Reports


View the built-in BIG-IP ASM security reports.

• In the Configuration Utility, open the Security > Reporting > Application > Charts page.

→NOTE: It will take several minutes for all of the transaction data to load.

• In the Details section, click /Common/dvwa_security_policy, then click <Unassigned>, and then click /Common/dvwa_virtual.
This displays the number of legal, blocked, and alarmed requests for this virtual server.
• In the Details section, clear the Overall checkbox.
• Change the Chart type to Stacked, and the Time Period to Last Hour.
• In the Details section, click Blocked.
These are the attack types that were blocked by ASM while you ran the macro.
• From the Time Period list select Custom.
• Use the Custom Time Period options to select the past 15 minutes only, and then click Update.
• Navigate back to Security Policy, and then click Collapse Advanced Filters.
• From the Advanced Filter list box, select Top attacks in last hour.
• From the Advanced Filter list box, select Top blocked URLs.
This displays the URLs that ASM protected and how many times malicious attacks were blocked.
• From the Advanced Filter list box, select Top violations in last hour.

Task 11 – Edit the Virtual Server and Create an Archive File


• Open the Virtual Servers List page, click dvwa_virtual, and then open the Security > Policies page.
• In the Application Security Policy list box, select Disabled, and then click Update.
The policy is saved in the archive but left disabled on the virtual server, so the customer demo in Part 2 starts with the web site exposed and the policy ready to switch on.
• Create an archive file named demo_asm_web_vulnerabilities_v12.0.


Part 2 – Delivering the BIG-IP Demo to a Customer


• Required virtual images: BIGIP_A_v12.0, LAMP_4, Windows_7_External
• Required archive file: demo_asm_web_vulnerabilities_v12.0.ucs
• Estimated completion time: 45 minutes

Task 1 – Prepare for the Demo


Restore the archive file you created in Part 1.

• In VMware, start up the BIGIP_A_v12.0, LAMP_4, and Windows_7_External images.
• On the Windows_7_External desktop, use PuTTY to access and log into 10.1.1.245.
• At the CLI type:
tmsh
load sys ucs demo_asm_web_vulnerabilities_v12.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

Task 2 – Verify Web Site Vulnerabilities


Use a web browser to access the dvwa_virtual and attempt various well-known attacks against the web site to determine its current security state.

• On the Windows_7_External desktop, use an InPrivate Browsing window and click the DVWA bookmark, and then log into the application.

Command Execution
• On the navigation menu, click Command Execution.
• Type hackazon.f5demo.com into the field and then click submit.
Users type a hostname or IP address in this field and submit it. The hostname or IP address is sent to the web server, which pings it and displays the results.
• Type hackazon.f5demo.com; cat /etc/passwd into the field and then click submit.
The semicolon after the hostname ends the ping command, so the cat command that follows it runs as a second command, and you have exposed the contents of the passwd file on this web server. This is not the intended use of this field, and it is a target for hackers to exploit. The goal of command execution attacks is to be able to run arbitrary commands on the target host operating system.

SQL Injection
• On the navigation menu, click SQL Injection.
• Type 2 into the field, and then click Submit.
The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is the expected behavior of this feature.
• In the User ID field, copy and paste the following, and then click Submit:
%' or 1='1
You are presented with all of the users in the database.
• In the User ID field, copy and paste the following, and then click Submit:
%' or 1=1 union select null, concat ( 0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #
Every record after “Bob Smith” displays the user ID, first name, last name, user name, and password
(in a hash format) of a different user in the users table. A successful SQL injection exploit can read
sensitive data from the application database, modify database data, or even delete data or the entire
database.
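
As an added example (not DVWA's code and not from this guide), the following Python reproduces the lookup behind the User ID field against a constructed in-memory table, once with the value spliced into the SQL text and once bound as a parameter. The first payload from the demo returns every row from the vulnerable form and nothing from the parameterised one. A LIKE lookup is assumed so that the payload behaves in SQLite as it does on DVWA's MySQL backend; the rows and hashes are constructed placeholders.

```python
import sqlite3

# Constructed sample rows modelled on the users table named in the demo
# (user_id, first_name, last_name, user, password); the hashes are placeholders.
SAMPLE_USERS = [
    (1, "Bob", "Smith", "bsmith", "<hash-placeholder-1>"),
    (2, "Alice", "Jones", "ajones", "<hash-placeholder-2>"),
    (3, "Carol", "White", "cwhite", "<hash-placeholder-3>"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The field value is spliced into the SQL text, so a quote in it becomes SQL syntax.
    LIKE (assumption) keeps the demo payload portable between MySQL and SQLite."""
    sql = ("SELECT first_name, last_name FROM users "
           f"WHERE user_id LIKE '{user_id}'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised form: the value is bound as data and can never alter the query."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id LIKE ?"
    return conn.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "%' or 1='1"                      # first injection string from the demo
    print(lookup_vulnerable(db, "2"), lookup_safe(db, "2"))   # one row each
    print(lookup_vulnerable(db, payload))       # every row in the table
    print(lookup_safe(db, payload))             # no rows: the payload is just a pattern
```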

Cross-Site Scripting
• On the navigation menu, click XSS reflected.
• In the field, type the customer’s first name and click Submit.
This feature simply returns the text that we type in the web page response.
• Copy and paste the following into the field, and then click Submit.
Credit card number: 4111-1111-1111-1111.
Credit card numbers are being sent in cleartext in the HTTP response. This is known as data leakage.
• Copy and paste the following into the field, and then click Submit.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. The user is presented with an alert dialog box.
This information is now stored in the application database and will be presented to all users that
access this comments page. Using cross-site scripting, a hacker could add anything that JavaScript can
do into the field, which then gets inserted into the database.
• Copy and paste the following into the field, and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>
This script redirects users to a completely different web site. Cross-site scripting is a powerful
exploit because a hacker can insert JavaScript code into the database. When legitimate users access a
web page that references the database record, their device is then susceptible to the malicious
content.

Forceful Browsing
• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, cancel the download, and then
close the browser.
These are examples of files that are not accessible through links but are in fact present within the
web server directory. A forceful browsing attack aims to access resources that are not referenced by
the web application but are still accessible.


Task 3 – Add a Security Policy to the Virtual Server

We have already created a security policy based on normal, expected user traffic for the DVWA web site. We
will now attach that security policy to the virtual server.

• In the Configuration Utility, open the Virtual Servers List page and click dvwa_virtual.
This virtual server was created prior to this demonstration. We used this virtual server to access the
DVWA web application.
• Open the Security > Policies page.
• From the Application Security Policy list box, select Enabled, and then click Update.
By default, BIG-IP ASM will use dvwa_security_policy as it’s the only configured security policy on this
BIG-IP system. I created this security policy earlier from normal, expected user traffic.
• Open the Security > Application Security > Security Policies > Active Policies page.
The dvwa_security_policy is in the Blocking enforcement mode.
• Click dvwa_security_policy, then open the Tree View page, then expand /vulnerabilities/brute.
The Tree View page displays all of the allowed URLs and parameters for this web application.
• Open the Security > Application Security > Policy > Response Pages page.
This page enables us to create a custom blocking response page for malicious users.
• In the Response Body, replace the text Lorax Investments with the customer’s name, and then click Save.
• Click Apply Security Policy and then OK.
When updating a security policy with BIG-IP ASM, you must always click Apply Policy to see the
changes in the application.

Task 4 – Re-Attempt to Hack the DVWA Web Site

We will re-access the DVWA web site and try all of the same malicious attacks that we illustrated a few
moments ago.

• On the Windows_7_External desktop, use an InPrivate Browsing window and click the DVWA bookmark,
and then log into the application.
• On the navigation menu, click Command Execution.
• Type hackazon.f5demo.com into the field and then click Submit.
• Type hackazon.f5demo.com; cat /etc/passwd into the field and then click Submit.
The valid request is allowed, while the command execution attempt is blocked by BIG-IP ASM.
Notice the custom blocking page.
• Click the Back button, and then click SQL Injection.
• Type 4 into the field, and then click Submit.
• In the User ID field, type the following and then click Submit:
%' or 1='1
The valid request is allowed, while the SQL Injection attempt is blocked by BIG-IP ASM.
• Click the Back button, and then click XSS reflected.

• Copy and paste the following into the field and then click Submit:
Credit card: 4111-1111-1111-1111.
The credit card number is now masked by BIG-IP ASM. This prevents leakage of sensitive user data.
• Type the customer’s last name into the field, and then click Submit.
• Type the following into the field and then click Submit:
<script></script>
• Click the Back button, and then type the following into the field and click Submit:
<iframe></iframe>
The valid request is allowed, while the cross-site scripting attempts are blocked by BIG-IP ASM.
• Change the URL to https://dvwa.vlab.f5demo.com/private.txt.
• Change the URL to https://dvwa.vlab.f5demo.com/calc.exe.
Both of these forceful browsing attempts are blocked by BIG-IP ASM.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Select the blocked vulnerabilities/exec/ entry.
This request was blocked for several reasons, including being recognized as a command execution
attack.
• Close the window, and then select the blocked vulnerabilities/sqli/ entry.
This request was blocked because it was recognized as a SQL injection attack.
• Close the window, and then select the illegal (not blocked) vulnerabilities/xss_r/ entry, and then click
Data Guard: Information leakage detected.
This request wasn’t blocked; however, ASM recognized the credit card number in the response and
masked the content, preventing data leakage.
• Close the window, and then select the earliest blocked vulnerabilities/xss_r/ entry, and then click
Attack signature detected.
This request was blocked because it triggered the XSS script tag signature.
• Close the window, and then select the latest blocked vulnerabilities/xss_r/ entry, and then click
Attack signature detected.
This request was blocked because it triggered the iframe tag signature.
• Close the window, and then select the blocked /private.txt entry.
This request was blocked for several reasons, including being an illegal file type and an illegal URL.
The attack types are buffer overflow and forceful browsing.
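
Data Guard let the xss_r response through but masked the card number in it. As an added illustration of that kind of response filtering (my own example, not ASM's implementation), the Python below scans a response body for digit runs shaped like card numbers, confirms each with a Luhn check so that other long numbers are left alone (my choice, not something this guide states about Data Guard), and masks all but the last four digits. The response bodies are constructed.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjoining other digits. Constructed pattern for this example.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _mask_match(match: re.Match) -> str:
    text = match.group(0)
    digits = re.sub(r"\D", "", text)
    if not luhn_ok(digits):
        return text                 # an order number or similar: leave it untouched
    keep_from = len(digits) - 4     # keep only the last four digits visible
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)          # separators are kept so the layout survives
    return "".join(out)

def mask_response_body(body: str) -> str:
    """Return the body with every Luhn-valid card number masked."""
    return _PAN_CANDIDATE.sub(_mask_match, body)

if __name__ == "__main__":
    # Constructed response fragments: the demo's test number and a non-card number.
    for body in ("Credit card: 4111-1111-1111-1111.",
                 "Order 1234-5678-9012-3456 shipped from 10.1.1.245"):
        print(mask_response_body(body))
```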

Task 5 – Update the Security Policy

Identify URLs and parameters that are being blocked but should be available to users. View the security event
logs to determine why the blocking is taking place. Then update the security policy to enable users to access the
blocked URL and parameters.

• In the DVWA web page, click the DVWA bookmark, and then log into the application.
• On the navigation menu, click CSRF.
The user is blocked from this page; however, we need users to be able to access this page.

• Click the Back button, and then click SQL Injection (Blind).
• Type 5 into the field, and then click Submit.
The user has access to this page but was blocked from submitting data using the field. We need users
to be able to submit information using this form field.
• Leave the blocked page open.
• In the Configuration Utility, on the Event Logs > Application > Requests page, click Go.
• Select the blocked vulnerabilities/csrf/ entry.
This request was blocked because it’s an illegal URL. We need users to access this page; therefore
we’ll add it to the Allowed URLs page.
• For the Illegal URL violation, click the Learn button, and then close the View Full Request window.
This navigates to the Traffic Learning page. Notice that the Action for this suggestion is Add URL.
• Click Accept Suggestion, and then click Accept suggestion.
• Open the Allowed URLs page, and then move to the second page of URLs.
The /vulnerabilities/csrf/ URL was added to the security policy.
• Open the Event Logs > Application > Requests page.
• Select the blocked vulnerabilities/sqli_blind/ entry, and then click Illegal parameter.
This request was blocked because there are two parameters on the page that are not included in the
security policy.
• For the Illegal parameter violation, click the Learn button, and then close the View Full Request window.
There are two Illegal parameter suggestions. Both need to be included in the security policy.
• Select the checkboxes for both suggestions.
Notice that the Action for both suggestions is Add Parameter.
• Click Accept Suggestions, and then click Accept suggestions.
• Click Apply Policy and then OK.
• In the DVWA page, click the Back button, then type 5 into the field, and then click Submit.
Users can now interact with the web application using this form field.
• On the navigation menu, click CSRF.
Users now have access to the CSRF page.
• Close the DVWA page.
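
The violations reviewed in Task 4 (illegal file type and illegal URL for /private.txt) and the learning flow in Task 5 (Add URL for the CSRF page, Add Parameter for the two blind-SQLi fields) both follow from one positive-security idea: anything not explicitly allowed is a violation. As an added example (my own code, not ASM's), the Python below evaluates requests against a constructed policy modelled on dvwa_security_policy, turns the violations into learning suggestions, and applies the accepted ones; the URL, parameter and file-type entries are assumptions, not values taken from the real policy.

```python
import copy
from urllib.parse import urlsplit

# Constructed policy modelled on the demo's dvwa_security_policy. Every entry is an
# assumption for illustration; DVWA's real parameter names are not in the guide.
POLICY = {
    "allowed_urls": {                               # URL path -> allowed parameter names
        "/vulnerabilities/exec/": {"ip", "Submit"},
        "/vulnerabilities/sqli/": {"id", "Submit"},
        "/vulnerabilities/sqli_blind/": set(),      # URL known, its parameters not yet
    },
    "allowed_file_types": {"", "php", "css", "js", "png"},   # "" = no extension
}

def _file_type(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def evaluate_request(policy: dict, url: str, params: dict) -> list:
    """Positive-security check: return the violations, in the order ASM's log lists them here."""
    path = urlsplit(url).path
    violations = []
    if _file_type(path) not in policy["allowed_file_types"]:
        violations.append("Illegal file type")
    allowed = policy["allowed_urls"].get(path)
    if allowed is None:
        violations.append("Illegal URL")
        return violations           # parameters are not judged for an unknown URL
    violations += [f"Illegal parameter: {p}" for p in params if p not in allowed]
    return violations

def suggestions_for(policy: dict, url: str, params: dict) -> list:
    """Traffic Learning style suggestions as (action, target) pairs."""
    path = urlsplit(url).path
    out = []
    for v in evaluate_request(policy, url, params):
        if v == "Illegal URL":
            out.append(("Add URL", path))
        elif v == "Illegal file type":
            out.append(("Add File Type", _file_type(path)))
        else:
            out.append(("Add Parameter", (path, v.split(": ", 1)[1])))
    return out

def accept_suggestions(policy: dict, suggestions: list) -> dict:
    """Return an updated copy of the policy, the equivalent of Accept plus Apply Policy."""
    new = copy.deepcopy(policy)
    for action, target in suggestions:
        if action == "Add URL":
            new["allowed_urls"].setdefault(target, set())
        elif action == "Add File Type":
            new["allowed_file_types"].add(target)
        else:
            path, name = target
            new["allowed_urls"].setdefault(path, set()).add(name)
    return new
```

Accepting only the Add URL and Add Parameter suggestions leaves /private.txt blocked, which is the outcome the demo wants.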

Task 6 – Create Several Visits to the Application from a Hacker

Use Mozilla Firefox to record and then play back several attempts to hack the DVWA web application.

• On the Windows_7_External desktop, open a new private window in Firefox.
• If it’s not already displayed, enable the iMacros pane.
• In the iMacros bar, select asm_hacker.iim, type 80 in the Max box, and then click Play (Loop).
This macro makes several illegal requests to the web application. You can see that they are all
receiving a blocking response page.

• Continue through the rest of the exercise while the macro is running.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Note the number of blocked or illegal entries.
• Click Go.
ASM continues to block requests during the application attack.
• On your host workstation, use a web browser to access and log into https://dvwa.vlab.f5demo.com, and
browse through some of the legal pages.
While under attack, ASM continues to process valid requests.

Task 7 – View the PCI Compliance Report

Use the PCI Compliance report to determine where the web application is missing the security measures required
for compliance.

• Open the Security > Reporting > Application > PCI Compliance page.
The PCI Compliance report identifies security measures required to comply with PCI-DSS 3.0.
It indicates which measures are met, which are not met, and which are not relevant.
• Click Assign a unique ID to each person with computer access.
In order to meet PCI compliance, we need to have unique user IDs for all BIG-IP system
administrators.
• Click Do not use vendor-supplied defaults for system passwords and other security parameters.
In order to meet PCI compliance, we cannot use the default passwords for the built-in admin and root
usernames.
• To fix this compliance issue, in the Default Users section, click the root username.
o Update the root password to dvwa.
o Update the admin password to dvwa, then click Update, and then click OK.
• Log back into the BIG-IP system using the new password.
• Open the System > Users > User List page, and then click Create.
• Create a new user account using the following information, and then click Finished.
User Name: your first name
Password: your last name (all lowercase)
Role: Administrator
Partition: All (click Add)
Terminal Access: Advanced shell

• Open the Security > Reporting > Application > PCI Compliance page.
We have now met all of the security measures required for PCI compliance.
• Click Printable Version, and then open the PDF.
• Scroll down to the Known vulnerabilities protection section.
Customers can keep this PDF in their records to verify that they’ve met their PCI compliance
requirements.


Task 8 – View the Security Logs and Security Reports

View the built-in BIG-IP ASM security reports.

• In the Configuration Utility, open the Security > Reporting > Application > Charts page.
• In the Details section, click /Common/dvwa_security_policy, then click <Unassigned>, and then
click /Common/dvwa_virtual.
This displays the number of legal, blocked, and alarmed requests for this virtual server.
• In the Details section, clear the Overall checkbox.
• Change the Chart type to Stacked, and the Time Period to Last Hour.
• In the Details section, click Blocked.
These are the attack types that were blocked by ASM while you ran the macro.
• From the Time Period list, select Custom.
• Use the Custom Time Period options to select only the past 15 minutes, and then click Update.
• Click Collapse Advanced Filters.
• Navigate back to Security Policy.
• From the Advanced Filter list box, select Top attacks in last hour.
• From the Advanced Filter list box, select Top blocked URLs.
This displays the URLs that ASM protected and how many times malicious attacks were blocked.
• From the Advanced Filter list box, select Top violations in last hour.

That concludes this demonstration on using BIG-IP ASM to block common web vulnerabilities.
