The purpose of this demo is to show how to create an ASM security policy that will protect a web application
against cross-site scripting attacks. You’ll start by showing several cross-site scripting attacks on a vulnerable
web site. You’ll then create a security policy using the Rapid Deployment policy template. You’ll then show the
same attacks being blocked by the ASM security policy. Finally, you’ll show the ASM logs to view the attack
signatures that were detected by ASM.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 2 – Delivering the Demo to a Customer
→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
Open an InPrivate Browsing window (IE) and click the DVWA bookmark.
WWFE vLab Guides – Demo: ASM – Blocking Cross-Site Scripting Attacks; v13.0.A Page | 3
Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and
paste the following Message, and then click Sign Guestbook.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. The user is presented with an alert dialog box.
Using cross-site scripting, a hacker could add anything that JavaScript can do into the field.
Create another entry named iFrame, then copy and paste the following Message, then
click Sign Guestbook, and then scroll down the page.
<iframe src="https://www.f5.com" width="600" height="500"></iframe>
The hacker used an iframe to display a different web site on this web page. All users will see this page
when they access this comments page.
Create another guestbook entry named Encoding, then copy and paste the following Message, then
click Sign Guestbook, and then scroll down the page.
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
The contents of this attack are percent-encoded, which is intended to slip past security measures that only inspect the raw input. Cross-site scripting is
a powerful exploit because a hacker can insert any form of script code into the database.
Click Setup, then click Create / Reset Database, and then click Logout.
In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains
the default http profile. An HTTP profile is required to protect against application layer attacks.
Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
Select the Advanced options.
Use the following information for the new policy, and then click Create Policy.
Policy Name: xss_security_policy
Policy Template: Rapid Deployment Policy
Virtual Server: dvwa_virtual
Enforcement Mode: Blocking
Signature Staging: Disabled
Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and
paste the following Message, and then click Sign Guestbook.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
Click the DVWA bookmark, then click XSS stored, then create an entry named iFrame, then copy and
paste the following Message, and then click Sign Guestbook.
<iframe src="https://www.f5.com" width="600" height="500"></iframe>
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
Click the DVWA bookmark, then click XSS stored, then create a guestbook entry named Encoding, then
copy and paste the following Message, and then click Sign Guestbook.
%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
With this easily configured security policy, all of the web application's user input fields are now
protected against cross-site scripting attacks.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Note the number of blocked entries.
Select the /login.php log entry.
Click Attack signature detected.
We can view the different attack signatures that were detected, the actual parameter that was
attacked (username), and the value that was input by the malicious user.
Examine the attack type.
This was identified as a Cross Site Scripting (XSS) attack.
Click on the triangle icon after Cross Site Scripting (XSS).
That concludes this demonstration on using BIG-IP ASM to block cross-site scripting attacks.