Lab 3.1: DataSafe

F5 Advanced WAF includes DataSafe which can protect your web applications from credential theft by MITB malware. In this exercise you will configure DataSafe to protect the Juiceshop login page from credential theft.

Task 1 - Login Observation

  1. Open a new Firefox Private Browsing window and go to the Juiceshop login page by clicking Account and then Login in the upper right-hand corner of the page.

  2. Right-click in the email field and choose ‘Inspect Element’ (or use CTRL + SHIFT + N). Notice the form field is visible and is named ‘email’.

    [Screenshot: lab3-00]

    [Screenshot: lab3-01]

  3. Right-click in the password field and choose ‘Inspect Element’. Notice the form field is visible and is named ‘password’.

    [Screenshot: lab3-02]

  4. Click the Network tab in the Firefox Inspector.

  5. Log in to the Juiceshop application as f5student@agility.com.

  6. In the Firefox Inspector Network tab, find the POST request to /rest/user/login. Notice the username and password are sent in clear text in the request body, in JSON format.

    [Screenshot: lab3-03]

Task 2 - Configuring DataSafe

  1. Browse to the BIG-IP GUI.

  2. Navigate to Security -> Data Protection -> BIG-IP Data Safe and click + to create a new profile.

  3. Name the new Data Safe profile datasafe-341-profile.

    [Screenshot: lab3-1]

  4. Add two URLs with the settings shown below (note that the URL must be entered in all lowercase).

    [Screenshot: Lab03-02]

    [Screenshot: lab3-2]

    [Screenshot: Lab3-2aa]

    [Screenshot: Lab3-2a]

  5. Add the parameter email to the /rest/user/login URL, as shown below.

    [Screenshot: lab3-3]

  6. Apply the Data Safe profile to the owasp-juiceshop_443_vs Virtual Server and remove any WAF or other policies from it.

    [Screenshot: lab3-5]

Task 3 - Test Data Safe Configuration

  1. Open a new Firefox Private Browsing window and go to the Juiceshop login page.

  2. Log in to the Juiceshop application as f5student@agility.com.

  3. In the Firefox Inspector Network tab, find the POST request to /rest/user/login. Notice the JSON username and password fields are no longer in clear text.

    [Screenshot: Lab3-08]
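The checks in Task 1 step 6 and Task 3 step 3 are done by eye in the Network tab. The following script is an added example, not part of the lab or of F5's own tooling, that performs the same comparison on a captured request body: it parses the body (JSON, or form-encoded as a fallback) and reports which fields still carry a known credential value in clear text. The two request bodies and the password are constructed placeholders; the "protected" values are invented stand-ins and do not represent DataSafe's actual wire format.

```python
"""
Check a captured /rest/user/login POST body for clear-text credentials.

Added example for the DataSafe lab (not F5 code). Bodies below are
constructed to resemble what the Firefox Network tab shows before and
after DataSafe is applied; the protected values are placeholders only.
"""
import json
from typing import Dict, List
from urllib.parse import parse_qs

# Lab username from the exercise; the password is a constructed placeholder.
SECRETS: Dict[str, str] = {
    "email": "f5student@agility.com",
    "password": "example-password",  # placeholder, not the lab's real password
}

# Constructed capture from Task 1: both values readable in the request body.
UNPROTECTED_BODY = json.dumps(SECRETS)

# Constructed capture from Task 3: field names kept, values no longer readable.
# These strings are invented stand-ins, not DataSafe's real output.
PROTECTED_BODY = json.dumps({
    "email": "Y2FsbGVkLXBsYWNlaG9sZGVyLXZhbHVl",
    "password": "c2Vjb25kLXBsYWNlaG9sZGVyLXZhbHVl",
})


def _parse_body(body: str) -> Dict[str, str]:
    """Parse a JSON object body, or a form-encoded body as a fallback."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {k: v for k, v in data.items() if isinstance(v, str)}
    except json.JSONDecodeError:
        pass
    # application/x-www-form-urlencoded: keep the first value of each field.
    return {k: v[0] for k, v in parse_qs(body).items() if v}


def find_cleartext_fields(body: str, secrets: Dict[str, str]) -> List[str]:
    """Return the names of request fields whose value equals a known secret.

    An empty list means none of the known credential values appear in the
    body as-is, which is what Task 3 expects to see after DataSafe is applied.
    """
    fields = _parse_body(body)
    known_values = set(secrets.values())
    leaks = [name for name, value in fields.items() if value in known_values]
    if leaks:
        return leaks
    # Unparseable or oddly encoded body: fall back to a raw substring search,
    # reporting the secret's label rather than a field name.
    return [label for label, secret in secrets.items() if secret in body]


def is_protected(body: str, secrets: Dict[str, str]) -> bool:
    """True when no known credential value is visible in the captured body."""
    return not find_cleartext_fields(body, secrets)


if __name__ == "__main__":
    for label, body in (("Task 1", UNPROTECTED_BODY), ("Task 3", PROTECTED_BODY)):
        leaks = find_cleartext_fields(body, SECRETS)
        state = "PROTECTED" if not leaks else f"CLEAR TEXT in {leaks}"
        print(f"{label}: {state}")
```

To use it on your own capture, copy the request body from the Network tab's Request payload view into UNPROTECTED_BODY or PROTECTED_BODY and fill in SECRETS with the credentials you actually submitted. The script only confirms that the submitted values are not present verbatim; it says nothing about how strong the obfuscation is.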

This concludes Lab 3.1.