How To: Define sensitive parameters on BIG-IP Next Central Manager¶
Define parameters in a security policy, to increase the security of the web application and prevent web parameter tampering.
The following provides examples of how to set sensitive parameters within your WAF policy to protect against client-side or server-side tampering attacks, malicious file uploads, or SSRF attacks.
For more information about parameters in a WAF policy, see Overview: Parameters. For general configuration of parameters, see Manage Parameters.
Sample applications for secure parameters¶
Prerequisites¶
To define parameters you must have the following:
A WAF policy configured.
A WAF policy configured to log events.
A WAF-protected application deployed to a BIG-IP Next instance.
To review parameter protection in traffic: Ensure the WAF-protected application is receiving traffic.
Protect user input parameters from tampering attack¶
Define the valid user input parameter that the user's browser may send, so that the WAF can protect against parameter manipulation attacks.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Parameters.
Click + Create.
Enter a parameter Name.
Select a Parameter Type:
Explicit - The policy identifies the parameter by its specific name.
Wildcard - The policy identifies the parameter by regular expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
Note: The pure wildcard (*) is automatically added to the policy, so you do not need to add it. You can add more specific wildcards, such as *site.com. See Wildcard syntax for more information.
Select a Location where the parameter is found in the request:
Query String - Parameter is found as a query string in the request.
Form Data - Parameter is found in the form data of the request.
Select the User Input parameter Value Type.
Select the Alpha-Numeric parameter Data Type, and set the Minimum Length and Maximum Length.
Complete the parameter settings according to the enforcement and related parameter violations.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
The parameter is now defined in the policy and detected in traffic to your attached applications. To ensure that the policy is protecting the application’s parameter as expected, review the event logs by policy or application name.
Protect against malicious file upload to protect against remote code execution attacks¶
In some cases, an attacker may attempt to upload binary executable content to your web application. After executable content is successfully uploaded to the web server, the attacker can attempt to run the program to gain remote access to the server or spread malware to application users.
Define file upload parameters to protect against uploaded files that contain binary executable content, which an attacker could use to gain remote code execution.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Parameters.
Click + Create.
Enter a parameter Name.
Select a Parameter Type:
Explicit - The policy identifies the parameter by its specific name.
Wildcard - The policy identifies the parameter by regular expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
Note: The pure wildcard (*) is automatically added to the policy, so you do not need to add it. You can add more specific wildcards, such as *site.com. See Wildcard syntax for more information.
Select a Location where the parameter is found in the request:
Query String - Parameter is found as a query string in the request.
Form Data - Parameter is found in the form data of the request.
Select the User Input parameter Value Type.
Select the File Upload parameter Data Type, and enable Disallow File Upload of Executables.
Complete the parameter settings according to the enforcement and related parameter violations.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
The parameter is now defined in the policy and blocks requests that trigger a violation when users attempt to upload binary executable content to the application. To ensure that the policy is protecting the application’s parameter as expected, review the event logs for Disallowed file upload content detected violations.
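As an added example (not F5's own code or policy schema) of what the two parameter definitions above enforce, the following Python models an explicit or wildcard parameter with the Alpha-Numeric Minimum/Maximum Length limits, the Disallow File Upload of Executables check, and a log-only Staging option, then evaluates sample request parameters against it. The wildcard semantics, the executable magic-byte list, the violation names and every field name are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Leading bytes of common binary executable formats: PE ("MZ"), ELF, Mach-O (constructed list).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xce")

@dataclass
class ParameterRule:
    """One Parameters panel entry, modelled for this example (not the product's own schema)."""
    name: str                       # explicit name, or a pattern such as "*_file" when wildcard=True
    location: str                   # "query-string" or "form-data"
    data_type: str                  # "alpha-numeric" or "file-upload"
    wildcard: bool = False
    min_length: int = 0
    max_length: Optional[int] = None
    disallow_executables: bool = False
    staging: bool = False           # staged parameters are logged but never blocked

    def matches(self, name: str) -> bool:
        if not self.wildcard:
            return name == self.name
        # Assumed wildcard semantics: '*' matches any run of characters, everything else is literal.
        pattern = ".*".join(re.escape(part) for part in self.name.split("*"))
        return re.fullmatch(pattern, name) is not None

def check_parameter(rule: ParameterRule, location: str, name: str, value: bytes) -> dict:
    """Evaluate one request parameter against a rule; return the violations and resulting action."""
    violations = []
    if location == rule.location and rule.matches(name):
        if rule.data_type == "alpha-numeric":
            too_short = len(value) < rule.min_length
            too_long = rule.max_length is not None and len(value) > rule.max_length
            if too_short or too_long:
                violations.append("Illegal parameter value length")
        elif rule.data_type == "file-upload" and rule.disallow_executables:
            if value.startswith(EXECUTABLE_MAGIC):
                violations.append("Disallowed file upload content detected")
    if not violations:
        action = "pass"
    elif rule.staging:
        action = "alarm"            # Staging enabled: log the violation but let the request through
    else:
        action = "block"
    return {"violations": violations, "action": action}

if __name__ == "__main__":
    # Constructed sample upload (PE header bytes), not captured traffic.
    upload = ParameterRule("*_file", "form-data", "file-upload", wildcard=True, disallow_executables=True)
    print(check_parameter(upload, "form-data", "avatar_file", b"MZ\x90\x00"))  # action: block
```

The "alarm" action corresponds to what you would see in the event logs for a staged parameter, which is the state to review before switching the parameter to enforcement.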
Attack signature exception on specific parameters to reduce false positives¶
Override detection of certain attack signatures on parameters to reduce false positives.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Parameters.
Click + Create.
Enter a parameter Name.
Select a Parameter Type:
Explicit - The policy identifies the parameter by its specific name.
Wildcard - The policy identifies the parameter by regular expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
Note: The pure wildcard (*) is automatically added to the policy, so you do not need to add it. You can add more specific wildcards, such as *site.com. See Wildcard syntax for more information.
Select a Location where the parameter is found in the request:
Query String - Parameter is found as a query string in the request.
Form Data - Parameter is found in the form data of the request.
Select the Auto Detect parameter Value Type.
Complete the parameter settings according to the enforcement and related parameter violations.
In the Overridden Signatures area, click Add Signature Override.
Use the filter in the panel to search the signature by ID number or Signature Name.
Select the check box next to the signature row.
Note: You can select multiple signatures.
Click Add.
Confirm the action.
The selected signature(s) are immediately added to the URL's Overridden Signatures list.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
The parameter is now defined in the policy, and the overridden signatures, when detected in that parameter, are allowed in requests to your application.
Define the parameters to protect against SSRF attack¶
Define the parameters to protect against SSRF (Server-Side Request Forgery) attacks.
The following defines the parameters used to detect an SSRF attack. For more information about configuring SSRF protection in your WAF policy, see Manage SSRF protection.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Parameters.
Click + Create.
Enter a parameter Name.
Select a Parameter Type:
Explicit - The policy identifies the parameter by its specific name.
Wildcard - The policy identifies the parameter by regular expression. Any parameter name that matches the wildcard expression is permitted by the security policy.
Note: The pure wildcard (*) is automatically added to the policy, so you do not need to add it. You can add more specific wildcards, such as *site.com. See Wildcard syntax for more information.
Select a Location where the parameter is found in the request:
Query String - Parameter is found as a query string in the request.
Form Data - Parameter is found in the form data of the request.
Select the Auto Detect parameter Value Type.
To log, but allow, requests even with the detected parameter, enable Staging. If you would like to enforce the parameter, do not enable this option.
Complete the parameter settings according to the enforcement and related parameter violations.
Click Save. The parameter is added to your policy, but is not yet deployed.
From the left menu, select SSRF.
To ensure you are protected against SSRF attacks, add SSRF hosts and response actions.
In the Parameters area, click Add Parameters or Manage Parameters to view the added parameter and confirm its enforcement status.
Click Deploy to deploy changes.
The parameter is now used to detect SSRF attacks in requests to your application.