F5 Web Application Firewall Solutions > WAF 341 – Advanced Protection and Positive Security (Self Guided) > Module 2: HTTP Methods, DataGuard, Sensitive Data Source | Edit on
Lab 2.1: Allowed HTTP Request Methods¶
Task 1 - Allowed Methods¶
Sign up for an account on Juiceshop by navigating to Account > Login.
On the following page click on “Not yet a customer?”.
Complete the user registration fields using f5student@agility.com as your username and click Register
Login to your account
Once logged in navigate to Account > Orders & Payments > My Payment Options
Add a Card, any numbers will work on Juiceshop, just be sure to use 16 digits and click Submit.
Delete the card by clicking on the ‘Delete” Icon as seen. Are you able to delete ? Why ?
Examine the most recent requests in the event log by navigating to Security -> Event Logs -> Applications -> Requests.
You should see a violation for “Illegal Method”
In the BIG-IP WebUI navigate to Security -> Application Security -> Headers -> Methods.
Policy wide Method permissions are configured here.
If your application requires a method beyond the default three, it can be added by clicking the Create button.
Task 2 - Configuring Method on per URL basis¶
Let’s go to our Allowed URLs list Security -> Application Security -> URLs -> Allowed URLs.
View the settings for the URLs, notice the method can optionally be specified for the URL while creating:
Click Create to create a new allowed url as seen below the URL for /api/Cards/*.
Examine the created URI and switch to the advanced view
Select the methods enforcement tab and check override policy allowed methods
Slide “DELETE” with a state of allow and click update
Click Apply policy
Attempt to delete the card
What is the result, and Why?
The card is deleted since you now are allowing the DELETE method on the /api/Cards/* uri.
This concludes section 2.1