Lab 2.1: Allowed HTTP Request Methods

Task 1 - Allowed Methods

  1. Sign up for an account on Juiceshop by navigating to Account > Login.

    lab2.1-0

  2. On the following page click on “Not yet a customer?”.

    lab2.1-0a

  3. Complete the user registration fields using f5student@agility.com as your username and click Register.

    lab2.1-0aa

  4. Log in to your account.

  5. Once logged in, navigate to Account > Orders & Payments > My Payment Options.

    lab2.1-0b

  6. Add a Card. Any numbers will work on Juiceshop; just be sure to use 16 digits. Click Submit.

    lab2.1-0c

  7. Delete the card by clicking on the "Delete" icon as seen. Are you able to delete it? Why not?

    lab2.1-0d

  8. Examine the most recent requests in the event log by navigating to Security -> Event Logs -> Applications -> Requests.

    You should see a violation for "Illegal Method". The browser sent the card removal as an HTTP DELETE request, and DELETE is not one of the policy's allowed methods, so the WAF blocked the request before it reached Juiceshop and the card remained in place.

    lab2.1-0e

  9. In the BIG-IP WebUI navigate to Security -> Application Security -> Headers -> Methods.

    Policy-wide method permissions are configured here. Any method not listed is blocked for every URL in the policy unless a URL-level override (Task 2) says otherwise.

    lab2.1-01

  10. If your application requires a method beyond the default three (GET, HEAD and POST), it can be added by clicking the Create button. Adding it here allows the method on every URL, so prefer the per-URL override in Task 2 when only a few URLs need it.

    lab2.1-1

Task 2 - Configuring Methods on a per-URL Basis

  1. Let's go to our Allowed URLs list: Security -> Application Security -> URLs -> Allowed URLs.

  2. View the settings for the URLs. Notice that the allowed methods can optionally be specified for a URL while creating it:

    lab2.1-2

  3. Click Create to create a new allowed URL for /api/Cards/*, as seen below.

    lab2.1-3

  4. Examine the created URL and switch to the Advanced view.

  5. Select the Methods Enforcement tab and check "Override policy allowed methods".

  6. Set "DELETE" to a state of Allow and click Update.

  7. Click Apply Policy. Changes are not enforced until the policy is applied.

    lab2.1-3a

  8. Attempt to delete the card again.

  9. What is the result, and why?

    The card is deleted, because you are now allowing the DELETE method on the /api/Cards/* URL. The override is scoped to that URL only: a DELETE sent to any other URL in the policy is still blocked by the policy-wide method list, which remains GET, HEAD and POST.
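The two tasks above exercise a two-tier rule: a policy-wide allowed-method list (Task 1) that a URL entry can override (Task 2). The following Python is an added example written to illustrate that rule; it is not BIG-IP code and does not reproduce F5's matching engine. It models the policy as data, replays a constructed set of requests mirroring the lab (add a card, list cards, delete a card), and reports which would be logged as "Illegal Method" before and after the /api/Cards/* override. The URL-matching rules (explicit entry first, then longest matching glob) and the extra DELETE /api/Products/1 request are assumptions used to show the scope of the override.

```python
"""Model of two-tier HTTP method enforcement: a policy-wide allowed list plus
per-URL overrides, as exercised in Lab 2.1. Added illustration, not F5 code;
URL matching below is a simplified assumption."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple

# Policy-wide defaults named in the lab text: GET, HEAD and POST.
DEFAULT_POLICY_METHODS: Set[str] = {"GET", "HEAD", "POST"}

ILLEGAL_METHOD = "Illegal Method"


@dataclass
class UrlEntry:
    """An Allowed URL. override_methods stays None unless 'Override policy
    allowed methods' is checked; then it is the URL's own method list."""
    pattern: str
    override_methods: Optional[Set[str]] = None


@dataclass
class Policy:
    allowed_methods: Set[str] = field(default_factory=lambda: set(DEFAULT_POLICY_METHODS))
    urls: List[UrlEntry] = field(default_factory=list)

    def match_url(self, path: str) -> Optional[UrlEntry]:
        # Assumption: an explicit (non-wildcard) entry wins; otherwise the
        # longest matching glob. fnmatch's '*' also crosses '/', which is a
        # simplification of real WAF wildcard semantics.
        explicit = [u for u in self.urls if "*" not in u.pattern and u.pattern == path]
        if explicit:
            return explicit[0]
        globs = [u for u in self.urls if "*" in u.pattern and fnmatchcase(path, u.pattern)]
        return max(globs, key=lambda u: len(u.pattern), default=None)

    def effective_methods(self, path: str) -> Set[str]:
        entry = self.match_url(path)
        if entry is not None and entry.override_methods is not None:
            return entry.override_methods
        return self.allowed_methods

    def check(self, method: str, path: str) -> Optional[str]:
        """Return the violation name, or None when the request is allowed."""
        if method.upper() in self.effective_methods(path):
            return None
        return ILLEGAL_METHOD


def replay(policy: Policy, requests: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Run (method, path) pairs through the policy, like reading the Requests
    event log after the fact."""
    return [(m, p, policy.check(m, p)) for m, p in requests]


# Constructed sample traffic mirroring the lab: add a card, list cards, delete one.
# The /api/Products/1 DELETE is an added request that shows the override's scope.
SAMPLE_REQUESTS = [
    ("POST", "/api/Cards"),
    ("GET", "/api/Cards"),
    ("DELETE", "/api/Cards/1"),
    ("DELETE", "/api/Products/1"),
]


def task1_policy() -> Policy:
    """Task 1: only the policy-wide defaults, no URL overrides."""
    return Policy()


def task2_policy() -> Policy:
    """Task 2: /api/Cards/* overrides the policy list and also allows DELETE."""
    p = Policy()
    p.urls.append(UrlEntry("/api/Cards/*", set(p.allowed_methods) | {"DELETE"}))
    return p


def violations(policy: Policy) -> List[Tuple[str, str]]:
    """(method, path) pairs the policy would log as Illegal Method."""
    return [(m, p) for m, p, v in replay(policy, SAMPLE_REQUESTS) if v == ILLEGAL_METHOD]


if __name__ == "__main__":
    for label, pol in (("Task 1", task1_policy()), ("Task 2", task2_policy())):
        print(label)
        for m, p, v in replay(pol, SAMPLE_REQUESTS):
            print(f"  {m:6} {p:18} -> {v or 'allowed'}")
```

Running it shows the Task 1 policy flagging both DELETE requests, while the Task 2 policy flags only DELETE /api/Products/1: the override unlocks DELETE for the card URLs alone, which is the least-privilege outcome the lab is steering towards instead of adding DELETE to the policy-wide list.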

This concludes section 2.1.