Lab 1 - Explore DVGA Attack Types and Execute Some Attacks

Objective

Familiarize yourself with DVGA and Challenge Solutions

Connect to the Linux Client

Note

All steps in this lab exercise will be performed from the Linux jump host.

  1. On your UDF page, go to your Client component and click the Access drop-down menu.
  2. RDP to the Linux Client by choosing the RDP access method from that menu.

user: f5student

password: f5DEMOs4u!

(screenshot: rdp.png)

Note

You should only need to enter the password; the username should be auto-populated.

Explore DVGA

  1. Once logged in, launch the Chrome browser and go to http://dvga.f5appworld.com.
  2. Scroll down to the “Got Stuck?” section and click the “Solutions” link. (screenshot: dvga_stuck.png)
  3. Select an attack type; in this case, select “Batch Query Attack”. (screenshot: challenge_s.png)
  4. Click the green “Show” button. (screenshot: batch_query.png)

Note

Each solution may show a script or just a GraphQL payload to use to execute the attack. If it shows a script, you will find a script file matching that attack type in the /graphql directory in the user’s home directory. If the solution shows a GraphQL payload, you may choose either the GraphiQL Chrome extension or Burp Suite to execute the attack. After each attack you should review the WAF logs to see the results and which violations triggered. See the “Review WAF Logs” section at the end of Lab 2 for instructions.
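To understand what the WAF is flagging when you review its logs, it helps to see the properties it checks on a GraphQL request body: how many operations are batched together, how deeply a query nests, and whether it touches the introspection schema. The following is an added example written for this guide, not code from DVGA or the F5 WAF; the limits, field names and request bodies are all constructed for illustration.

```python
import json

# Constructed sample request bodies (not taken from the lab): one deeply
# nested query, one batched array of queries, and one introspection query.
DEEP_QUERY = '{"query": "{ users { friends { friends { friends { name } } } } }"}'
BATCH_BODY = json.dumps([{"query": "{ health }"}] * 25)
INTROSPECTION = '{"query": "{ __schema { types { name } } }"}'

# Assumed policy limits; a real WAF policy sets its own thresholds.
MAX_DEPTH = 4
MAX_BATCH = 10


def query_depth(query: str) -> int:
    """Nesting depth of a GraphQL selection set, measured by brace nesting.
    Braces inside string literals are skipped so quoted arguments do not
    inflate the depth count."""
    depth = max_depth = 0
    in_string = False
    prev = ""
    for ch in query:
        if ch == '"' and prev != "\\":
            in_string = not in_string
        elif not in_string:
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
        prev = ch
    return max_depth


def inspect_body(body: str) -> list:
    """Return the violation names a request body would trigger under the
    limits above: batch size, per-operation depth, and introspection use."""
    payload = json.loads(body)
    # A JSON array body is a batched request; a single object is one operation.
    ops = payload if isinstance(payload, list) else [payload]
    violations = []
    if len(ops) > MAX_BATCH:
        violations.append(f"batch_size:{len(ops)}")
    for op in ops:
        q = op.get("query", "")
        d = query_depth(q)
        if d > MAX_DEPTH:
            violations.append(f"depth:{d}")
        if "__schema" in q or "__type" in q:
            violations.append("introspection")
    return violations
```

Running inspect_body over each constructed body shows the batch attack tripping the batch-size check, the deep recursion payload tripping the depth check, and the InQL schema analysis tripping the introspection check, which matches the violation types you will look for in the WAF request log.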

Execute an attack via a Python script

  1. Open a Terminal on the Linux jump host.
  2. cd graphql
  3. python3 <script name>

(screenshot: py_term.png)

Execute an attack using the GraphiQL Chrome extension

  1. Copy the GraphQL payload from the Solution. (screenshot: deep_recur.png)
  2. Open the GraphiQL Chrome extension.
  3. Enter http://dvga.f5appworld.com/graphql into the target field.
  4. Paste the GraphQL payload from the Solution.
  5. Send the request. (screenshot: graphiql.png)

Execute an attack using Burp Suite

  1. Open Burp Suite from the desktop icon. (screenshot: burp2.png)
  2. Click “Next” and “Start Burp”.
  3. Go to the “InQL” Burp extension tab.
  4. Enter http://dvga.f5appworld.com/graphql in the GraphQL Endpoint field.
  5. Click “Analyze”.

Note

This will run introspection on DVGA and return the entire schema. You should see violations in the WAF logs for this.

  1. You should now see a directory for DVGA in the schema folders below.
  2. Expand the DVGA folder and the date-specific folder.
  3. Select the request type that best matches the attack payload you are trying to use.
  4. In the GraphQL payload area to the right, right-click and select “Send to Repeater”. (screenshot: inql.png)
  5. Select the “Repeater” tab.
  6. Paste the attack payload from the Solution into the Request area.
  7. Click “Send”.
  8. Review the response. (screenshot: repeater.png)

Review WAF Logs

  1. In Chrome on the Linux jump host, go to the F5 Advanced WAF shortcut and log in.

user: admin

password: f5demos4u!

  2. Navigate to the WAF Request Logs screen.
  3. Select the request with your most recent attack.
  4. Review the request and any GraphQL violations that may have triggered. (screenshot: waf_log.png)

Congratulations! You have just completed Module 3