Lab 3.2: Protection from Parameter Exploits =========================================== In this lab we will look at the parameter protection capability in F5 WAF. F5 WAF can leverage automatic parameter learning using the automatic policy builder feature however in the interest of time, this lab we will be configuring parameters manually. .. seealso:: For more information on Automatic Policy Builder: `https://support.f5.com/csp/article/K75376155` .. |lab3-01| image:: images/lab3-01.png :width: 800px .. |lab3-02| image:: images/lab3-02.png :width: 800px .. |lab3-03| image:: images/lab3-03.png :width: 800px .. |lab3-04| image:: images/lab3-04.png :width: 800px .. |lab3-05| image:: images/lab3-5.png :width: 800px .. |lab3-06| image:: images/lab3-06.png :width: 800px .. |lab3-07| image:: images/lab3-07.png :width: 800px .. |lab3-08| image:: images/lab3-08.png :width: 800px .. |lab3-09| image:: images/lab3-09.png :width: 800px .. |lab3-10| image:: images/lab3-10.png :width: 800px .. |lab3-052| image:: images/lab3-052.png :width: 800px .. |lab3-053| image:: images/lab3-053.png :width: 800px Task 1 - Create Parameters -------------------------- #. Browse to the BIGIP GUI. #. Navigate to **Security -> Application Security -> Parameters List** and click **create**. Create the **email** parameter as seen below and click **create**. |lab3-01| Task 2 - Modify Learning and Blocking ------------------------------------- Navigate to **Security -> Application Security -> Policy Building -> Learning and Blocking Settings** and enable the **Parameters** settings for 'illegal parameter value length' and 'illegal meta character in value' as seen below in the **Policy Building Settings** section. After you have finished making the modifications click **Apply Policy**. |lab3-03| Task 3 - Test Configuration --------------------------- #. Open a new Firefox Private Browsing window and go to the Juiceshop login and login as **f5student@agility.com**. #. Your login attempt should be unsuccessful. #. Examine the recent event logs under **Security -> Event Logs -> Application -> Requests** for the /rest/user/login events. |lab3-052| #. Navigate to **Security -> Application Security -> Policy Building -> Traffic Learning** #. Review the entry for **illegal parameter value length**. |lab3-053| #. Click **Accept Suggestion** and then click **Apply Policy** #. Open a new Firefox Private Browsing window and go to the to Juiceshop login as **f5student@agility.com** #. Your login should be allowed. #. Return to **Security -> Application Security -> Parameters List** Notice that accepting the suggestion for the username parameter has adjusted the maximum-length value to 25. |lab3-06| **This concludes Lab 3.2**