Create Base WAF Child Policy

Task 1 - Simulate attacks to demonstrate common web app vulnerabilities.

  1. Open browser and go to https://<Elastic IP> to access the Hackazon website

  2. Under Special Selection, click any sale item displayed

  3. Note the product id in the browser address bar

  4. In the browser address bar, append the text or 1=1 to the product id in the URL, then press Enter

    Note

    This is a common SQL injection attack. Although it did not return anything exciting, the request was accepted and processed by the application, and a response was returned.

  5. In the Search field enter <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> and press Enter

    Note

    This is a common cross-site scripting (XSS) attack. Although it did not return anything exciting, the request was accepted and processed by the application, and a response was returned.

    Some modern browsers will also block the response from being displayed, but the request was still sent to the application. If Chrome blocks it, try another browser.

Task 2 - Create a new WAF policy to mitigate the vulnerabilities, using the settings in the table below:

    Setting             Value
    ----------------    ------------
    Policy Name         waf_baseOnly
    Policy Type         Security
    Parent Policy       waf_base
    Virtual Server      hackazon_vs
    Enforcement Mode    Blocking

  1. Select the Security->Application Security->Security Policies->Policies List page

  2. Click Create New Policy

  3. Select Advanced options

  4. For Policy Name enter waf_baseOnly

  5. For Policy Type select Security

  6. For Parent Policy enter waf_base

  7. Click OK to accept the warning

  8. For Virtual Server select hackazon_vs

  9. Change Enforcement Mode to Blocking

  10. Click Create Policy


    Note

    This creates a child security policy that inherits its settings from the waf_base parent policy. The parent policy was created using the Rapid Deployment Template, which includes several common security measures and thousands of attack signatures. Signature Staging is disabled for this lab demo, but it will most likely be enabled in production environments.

Task 3 - Test WAF policy.

  1. Select the Local Traffic->Virtual Servers->Virtual Servers List page

  2. Click the hackazon_vs to display Virtual Server Properties

  3. Click the Security->Policies tab to display Policy Settings

  4. In the Log Profile ensure waf_log profile is selected

  5. Click Update

  6. Open a browser and go to https://<Elastic IP>/product/view?id=101 or 1=1. You should receive a block message from the WAF. Take note of the Support ID number.

  7. Return to the Hackazon main page

  8. In the Search field type <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> and press Enter. You should see a similar block message. Take note of the Support ID number.
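The Task 3 checks can also be run from the command line, which is handy for re-testing after each policy change and for capturing the Support IDs you will look up in Task 4. The script below is an added example for this lab, not part of the lab kit or the Hackazon project. It assumes the virtual server is reachable at the lab's https://<Elastic IP> (placeholder), that the WAF returns the default BIG-IP ASM block page containing "Your support ID is: <digits>", and that Hackazon's search form posts to /search with a searchString parameter (an assumption; check the form in the page source if the XSS case is not reported as blocked).

```python
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Placeholder for the lab's https://<Elastic IP>; substitute before running.
BASE_URL = "https://<Elastic IP>"

# Test requests from Tasks 1 and 3. The product path is the one the lab shows;
# the search endpoint and parameter name are assumed, not taken from the lab.
TEST_CASES = {
    "sqli": ("/product/view", {"id": "101 or 1=1"}),
    "xss": ("/search", {"searchString":
            '<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>'}),
}

# Matches the text of the default BIG-IP ASM block page.
SUPPORT_ID_RE = re.compile(r"Your support ID is:\s*(\d+)")


def build_url(base, path, params):
    """Assemble the request URL with the test payload as a query parameter."""
    return base + path + "?" + urllib.parse.urlencode(params)


def parse_block_page(html):
    """Return the Support ID if the body is an ASM block page, else None."""
    match = SUPPORT_ID_RE.search(html)
    return match.group(1) if match else None


def fetch(url):
    """GET the URL and return the body, including for non-2xx responses."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # lab cert is self-signed
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def run_checks(base_url=BASE_URL):
    """Send each test request; map its name to a Support ID (None means not blocked)."""
    return {name: parse_block_page(fetch(build_url(base_url, path, params)))
            for name, (path, params) in TEST_CASES.items()}


# Constructed sample of the default block page, used to exercise the parser offline.
SAMPLE_BLOCK_PAGE = ("<html><body>The requested URL was rejected. Please consult with your "
                     "administrator.<br><br>Your support ID is: 1234567890123456789<br><br>"
                     "<a href='javascript:history.back();'>[Go Back]</a></body></html>")

if __name__ == "__main__":
    for name, sid in run_checks().items():
        print(f"{name}: {'blocked, Support ID ' + sid if sid else 'NOT blocked'}")
```

A result of None for either case means the request reached Hackazon unblocked, so re-check the Enforcement Mode and the log profile on hackazon_vs before moving on to Task 4.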

Task 4 - Review WAF event logs on BIG-IP GUI.

  1. Select the Security->Event Logs->Application->Requests page

  2. Select the Event with the matching Support ID noted on the block pages


    Note

    You can view the “Decoded Request” and the “Original Request”; however, the “Response” is not captured by default.

  3. Select Attack Signatures Detected to view details of the request that triggered the violation.
