
Web Application Security

Radovan Gibala
Senior Field Systems Engineer
F5 Networks
r.gibala@f5.com
The New Perimeter Is An App Perimeter

                                 Network threats   Application threats
Share of attacks focused here    25%               75%
Share of security investment     90%               10%

© F5 Networks, Inc Source: Gartner 2


…resulting in an unprecedented increase in attacks

[Chart: Source of data breaches]
Source: Based on aggregated data from IT Business Edge, Krebs on Security, Security Week, and CSO Online
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks

•  CSRF
•  OWASP top 10
•  Forceful browsing
•  Web scraping
•  SQL injection
•  Field manipulation
•  Cross-site scripting
•  Command injection
•  Bots
•  Cookie manipulation
•  Brute force attacks
•  Buffer overflows
•  Parameter tampering
•  Information leakage
•  Session hijacking
•  Zero-day attacks
•  Clickjacking
•  Business logic flaws
Web Application Protection Strategy

Best Practice Design Methods
•  Only protects against known vulnerabilities
•  Difficult to enforce, especially with sub-contracted code
•  Only periodically updated; large exposure window

Automated & Targeted Testing
•  Done periodically; only as good as the last test
•  Only checks for known vulnerabilities
•  Does it find everything?
How long does it take to resolve a vulnerability?

[Bar chart, x-axis 0 to 140, one bar per vulnerability class:]
•  HTTP Response Splitting
•  Insufficient Authentication
•  Cross-Site Request Forgery
•  Session Fixation
•  Predictable Resource Location
•  SQL Injection
•  Insufficient Authorization
•  Content Spoofing
•  Information Leakage
•  Cross-Site Scripting

Source: Website Security Statistics Report
Web Application Protection Strategy

Best Practice Design Methods
•  Only protects against known vulnerabilities
•  Difficult to enforce, especially with sub-contracted code
•  Only periodically updated; large exposure window

Automated & Targeted Testing
•  Done periodically; only as good as the last test
•  Only checks for known vulnerabilities
•  Does it find everything?

Web Application Firewall
•  Real-time 24 x 7 protection
•  Enforces Best Practice Methodology
•  Allows immediate protection against new vulnerabilities
Traditional Security Devices vs. WAF

Attack / capability                  | Network Firewall | IPS     | WAF
-------------------------------------|------------------|---------|----
Known Web Worms                      | Limited          | ✓       | ✓
Unknown Web Worms                    | X                | Limited | ✓
Known Web Vulnerabilities            | Limited          | Partial | ✓
Unknown Web Vulnerabilities          | X                | Limited | ✓
Illegal Access to Web-server files   | Limited          | X       | ✓
Forceful Browsing                    | X                | X       | ✓
File/Directory Enumerations          | X                | Limited | ✓
Buffer Overflow                      | Limited          | Limited | ✓
Cross-Site Scripting                 | Limited          | Limited | ✓
SQL/OS Injection                     | X                | Limited | ✓
Cookie Poisoning                     | X                | X       | ✓
Hidden-Field Manipulation            | X                | X       | ✓
Parameter Tampering                  | X                | X       | ✓
Layer 7 DoS Attacks                  | X                | X       | ✓
Brute Force Login Attacks            | X                | X       | ✓
App. Security and Acceleration       | X                | X       | ✓

(✓ = covered, Limited/Partial = partial coverage, X = not covered)
Web Application Firewall
Negative vs. Positive Security Model

•  Negative Security Model
   •  Block Known Attacks
   •  Everything else is Allowed
   •  Patch implementation is quick and easy (Protection against Day Zero Attacks)

•  Positive Security Model
   •  (Automatic) Analysis of the Web Application
   •  Allow wanted Transactions
   •  Everything else is Denied
   •  Implicit Security against New, yet Unknown Attacks (Day Zero Attacks)
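An added illustration of the two models above (example code written for this page, not F5's or BIG-IP ASM's implementation): a negative model that blocks only what matches a small, constructed signature set, beside a positive model that allows only the URLs and parameter formats of a hypothetical shop application. The signatures, the allow-list and the five sample requests are all constructed. The instructive cases are the last two requests, which no signature recognises and which the positive model rejects anyway because they are not part of the application's known behaviour.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model: a short, constructed set of "known bad" signatures.
# (Assumption: a real WAF signature set is far larger; these only illustrate the idea.)
NEGATIVE_SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I),
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

# Positive model: an explicit allow-list describing what the application
# legitimately accepts. Constructed for a hypothetical shop application.
POSITIVE_POLICY = {
    "/search": {"q": re.compile(r"[\w \-]{1,40}")},
    "/item": {"id": re.compile(r"\d{1,8}")},
}

def _split(url):
    """Split a request URL into its path and decoded (name, value) parameters."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def negative_model(url):
    """Block only what matches a known-attack signature; allow everything else."""
    _path, params = _split(url)
    for _name, value in params:
        for sig_name, sig in NEGATIVE_SIGNATURES.items():
            if sig.search(value):
                return ("block", sig_name)
    return ("allow", None)

def positive_model(url):
    """Allow only URLs and parameters the policy knows; deny everything else,
    which also covers attacks that no signature describes yet."""
    path, params = _split(url)
    allowed = POSITIVE_POLICY.get(path)
    if allowed is None:
        return ("block", "illegal URL " + path)
    for name, value in params:
        pattern = allowed.get(name)
        if pattern is None:
            return ("block", "illegal parameter " + name)
        if not pattern.fullmatch(value):
            return ("block", "illegal value for " + name)
    return ("allow", None)

def decide(url):
    """Run both models on one request and return their decisions."""
    return {"negative": negative_model(url)[0], "positive": positive_model(url)[0]}

# Constructed sample requests: two legitimate ones, one textbook injection,
# one unknown parameter and one unknown URL (the "day zero" cases).
SAMPLE_REQUESTS = [
    "/search?q=blue+shoes",
    "/item?id=42",
    "/item?id=42'+or+'1'%3D'1",
    "/item?id=42&debug=1",
    "/admin/export",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        d = decide(url)
        print(f"{url:32} negative={d['negative']:5} positive={d['positive']}")
```

The trade-off the slide describes shows up directly: the negative model needs nothing learned about the application but says "allow" to anything its signatures have not seen, while the positive model needs the allow-list (the learning effort of the later slides) and in return denies the unknown by default.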
Full Proxy Security
Full-proxy architecture

[Diagram: client-side and server-side stacks of the full proxy, with a WAF at the HTTP layer on both sides and an iRule hook at each layer]

Client-side threat              Layer              Server-side threat
Slowloris attack, XSS           HTTP (iRule)       Data leakage
SSL renegotiation               SSL (iRule)
SYN flood                       TCP (iRule)
ICMP flood                      Network Firewall
F5 provides comprehensive application security

•  Virtual Patching
•  Network DDoS Protection
•  Web Application Firewall
•  Network Access
•  DNS DDoS Protection
•  Application Access
•  SSL DDoS Protection
•  Fraud Protection
•  Network Firewall
•  Application DDoS Protection
Encrypted Traffic Is Increasing Rapidly

[Bar chart: Encrypted Web Traffic, y-axis 0% to 80%]
•  2016: 50%
•  2019: 75%

Source: "TLS/SSL: Where Are We Today?", NSS Labs, October 2016
Encryption is Not as Simple as "On/Off"

SSL Server Test
•  Overall Rating
•  Certificate
•  Chain, CA
•  Protocols
•  Ciphers
•  Handshake
•  Protocol Configuration
•  Documentation
•  Recommendations
•  …
Application Security Manager
BIG-IP® Application Security Manager™

•  Provides transparent protection from ever-changing threats
•  Ensures application availability while under attack
•  Deployed as a full proxy or transparent full proxy (bridge mode)
•  Minimal impact on application performance
•  Turn on with a license key, or standalone
•  Caching, compression and SSL acceleration included in standalone

[Diagram: request flow through BIG-IP Local Traffic Manager / BIG-IP Application Security Manager]
1. Request made
2. BIG-IP ASM security policy checked; BIG-IP ASM applies the security policy
3. Request reaches the vulnerable application; server response generated
4. BIG-IP ASM security policy checked on the response
5. Secure response delivered

Dynamic Multi-Layered Security
•  Drop, block or forward request
•  Response inspection for errors and leakage of sensitive information
•  Application attack filtering & inspection
•  SSL, TCP, HTTP DoS mitigation
BIG-IP Application Security Manager

BIG-IP® ASM™ protects the applications your business relies on most and scales
to meet changing demands.

Comprehensive protections
•  Protection from web app vulnerabilities including L7 DDoS
•  Advanced anti-bot mitigation
•  Integrated XML firewall
•  3rd party DAST integration

Multiple deployment options
•  Standalone or ADC add-on
•  Appliance or Virtual edition
•  Manual or automatic policy building

Visibility and analysis
•  Visibility and analysis
•  High speed customizable syslog
•  Granular attack details
•  Expert attack tracking and profiling
•  Policy & compliance reporting
•  Integrates with SIEM software
•  Full HTTP/S request logging
Building The Security Policy
Required Security Level

[Pyramid: each level adds enforcement and tightens the security posture; from the base upward]
1. OBJECT TYPES
2. OBJECT NAMES (typical 'standard' starting point)
3. PARAMETER NAMES
4. PARAMETER VALUES
5. OBJECT FLOWS (tightest security posture)
Different ways to build a policy

[Diagram: Security policy checked → Security policy applied]

DYNAMIC POLICY BUILDER
•  Automatic: no knowledge of the app required; adjusts policies if the app changes
•  Manual: advanced continuous configuration for custom policies

INTEGRATION WITH APP SCANNERS
•  Virtual patching with application scanning

PRE-BUILT POLICIES
•  Out-of-the-box
•  Pre-configured and validated
•  For mission-critical apps including: Microsoft, Oracle, PeopleSoft
Identify, virtually patch, mitigate vulnerabilities

1. Scan application with a web application security scanner:
   •  Generic
   •  Qualys
   •  IBM
   •  WhiteHat
   •  Cenzic
   •  HP WI
2. Import vulnerabilities into BIG-IP ASM
3. Mitigate web app attacks

[Diagram: Scanner, Clients and Hacker in front of BIG-IP ASM]
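The three preceding slides (the policy pyramid, automatic policy building, and scanner import for virtual patching) describe one workflow; the following added example models it end to end in a single toy policy engine. This is illustration code written for this page, not BIG-IP ASM's policy builder or its scanner integration, and it assumes a hypothetical shop application, constructed learning traffic, and a constructed scanner finding of the form {"url": ..., "parameter": ...}. The policy learns object types, object names, parameter names and a coarse value class per parameter, plus referer-to-URL flows, and then enforces any of the five tiers; a virtual patch tightens one parameter to value enforcement immediately, whatever tier the policy is otherwise running at.

```python
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Enforcement tiers from the policy pyramid, loosest first.
TIERS = ["object_types", "object_names", "parameter_names", "parameter_values", "object_flows"]

# Coarse value classes inferred for a parameter, loosest last (constructed set).
VALUE_CLASSES = {
    "integer": re.compile(r"\d+"),
    "alpha": re.compile(r"[A-Za-z]+"),
    "alnum": re.compile(r"[A-Za-z0-9 _\-]+"),
    "any": re.compile(r".*", re.S),
}

def _split(url):
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def _object_type(path):
    return os.path.splitext(path)[1].lstrip(".") or "(none)"

def _classify(value):
    for name, pattern in VALUE_CLASSES.items():
        if pattern.fullmatch(value):
            return name
    return "any"

def _widen(old, new):
    """Loosen a learned value class only as far as observed traffic requires."""
    if old is None or old == new:
        return new
    if old != "any" and new != "any":
        return "alnum"
    return "any"

class LearnedPolicy:
    def __init__(self):
        self.object_types = set()
        self.object_names = set()
        self.parameter_names = defaultdict(set)   # path -> parameter names
        self.value_classes = defaultdict(dict)    # path -> {name: class}
        self.flows = set()                        # (referer path, path)
        self.patched = set()                      # (path, name) from scanner findings

    def learn(self, url, referer=None):
        """Automatic policy building: record what legitimate traffic looks like."""
        path, params = _split(url)
        self.object_types.add(_object_type(path))
        self.object_names.add(path)
        for name, value in params:
            self.parameter_names[path].add(name)
            old = self.value_classes[path].get(name)
            self.value_classes[path][name] = _widen(old, _classify(value))
        if referer is not None:
            self.flows.add((referer, path))

    def virtual_patch(self, finding):
        """Import a (constructed) scanner finding: enforce the learned value class
        for that one parameter at every tier, without waiting for a code fix."""
        self.patched.add((finding["url"], finding["parameter"]))

    def check(self, url, referer=None, tier="object_names"):
        level = TIERS.index(tier)
        path, params = _split(url)
        if _object_type(path) not in self.object_types:
            return ("block", "illegal object type")
        if level >= 1 and path not in self.object_names:
            return ("block", "illegal URL")
        for name, value in params:
            known = name in self.parameter_names[path]
            if level >= 2 and not known:
                return ("block", "illegal parameter " + name)
            patched = (path, name) in self.patched
            if known and (level >= 3 or patched):
                cls = self.value_classes[path][name]
                if not VALUE_CLASSES[cls].fullmatch(value):
                    return ("block", ("virtual patch: " if patched else "illegal value for ") + name)
        if level >= 4 and referer is not None and (referer, path) not in self.flows:
            return ("block", "illegal flow")
        return ("allow", None)

# Constructed learning traffic for a hypothetical shop (not real logs).
LEARNING_TRAFFIC = [
    ("/index.php", None),
    ("/search.php?q=shoes", "/index.php"),
    ("/search.php?q=red+shoes", "/index.php"),
    ("/item.php?id=42", "/search.php"),
    ("/item.php?id=7", "/search.php"),
    ("/cart.php?action=add&id=42", "/item.php"),
]

def build_policy():
    policy = LearnedPolicy()
    for url, referer in LEARNING_TRAFFIC:
        policy.learn(url, referer)
    return policy

if __name__ == "__main__":
    p = build_policy()
    for tier in TIERS:
        print(tier, p.check("/item.php?id=42&debug=1", referer="/index.php", tier=tier))
```

Running the same request at each tier shows why the pyramid matters: the unknown "debug" parameter passes at the object-name tier and is only rejected once parameter names are enforced, and a malformed "id" value is rejected at the value tier or, after the scanner finding is imported, at any tier for that one parameter.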
NSS Labs

ASM Comprehensive Protection
Application attacks are inevitable
Prepare for application attacks (every 23 minutes)

•  75% of internet threats target web servers (2015 Cisco Annual Security Report)
•  86% of websites have at least 1 vulnerability, and an average of 56 per website (WhiteHat Security Statistics Report 2013)
•  95% of breaches through 2018 will be caused by misconfigured firewalls, not vulnerabilities (Gartner)
•  2.3M bots actively attacking in 2014 (Symantec Internet Security Report 2014)
Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities

[Diagram: ASM at the centre, surrounded by:]
•  L7 DDoS
•  XML Firewall
•  Web Scraping
•  Geolocation blocking
•  Web bot identification
•  XML filtering, validation & mitigation
•  ICAP anti-virus integration
Different attack/issue types

Application

SSL

DNS

Network

DoS is Not Rocket Science!
BotNet Protection
Delivering the most accurate anti-bot, scanner & scraper protection
•  Validate user on initial site access with proactive bot defense
•  Differentiate between script and browser
•  Inspect user interaction with browser & fingerprint devices
•  Distinguish real users from bots with client integrity checks and captcha challenge
•  Mitigate automated attacks, scanners, botnets and intellectual property scrapers
•  Detect a persistent scraper that uses multiple IP addresses or a single request session

[Diagram: User and Web Bot → ASM (Application Security) → Website]
ASM Bot Protection
Defending against automated attacks

[Diagram: User and Web Bot → ASM client check → Website; BOT identified → ALERT & BLOCK]

•  Performs a variety of checks to distinguish humans from bots
•  Allows only verified client requests to pass through to the app server
•  Notifies, then drops requests that cannot be verified

ASM identifies and blocks automated web scraping and scanning
•  Performs rapid surfing analysis of page changes
•  Blocks clients making excessive page requests
•  Issues captcha challenge on mitigated threats & initial visits
•  Detects previously identified browsers & bad IPs
•  Disallows web scraping, table captures, UA spoofing, etc.
ASM Bot Protection
ASM's unique Proactive Bot Defense
Stop automated attacks from ever materializing

•  Enables always-on protection that preempts attacks
•  Complements existing reactive protections
•  Utilizes advanced detection methods and techniques: CAPTCHA challenges & geolocation enforcement
•  Categorizes bots detected by signature classification to distinguish good bots from malicious offenders
•  Detects headless browsers that run JS

[Diagram: Web Application] Defend against automated non-human web scraping, DDoS and brute force attacks
Signature-based bot categorization/classification
Helps identify and protect against L7 anomaly-based attacks

•  Leverages ASM attack signatures in conjunction with ASM bot techniques
•  Applied to DoS and ASM policies with support for custom bot signatures and custom categories
•  Updates like the ASM attack signatures

Reporting
•  Visible in DoS charts & custom widgets
•  New Bot drilldown screen per category or per individual bot

The value delivered
•  Gain visibility to bot-generated traffic
•  Reduce server strain caused by bots
•  Block vulnerability scanners, rendering them blind
•  Block botnets during DoS attacks
ASM Bot Protection
ASM Proactive Bot Defense: How it Works

•  ASM injects a JS challenge with an obfuscated cookie
•  Legitimate browsers resend the request with the cookie; ASM verifies response authenticity
•  ASM checks and validates the cookie
   -  Cookie is signed, time stamped and fingerprinted
   -  Valid browser requests bypass the challenge with future requests
•  Requests with a valid signed cookie are then passed through to the server
•  Invalidated requests are dropped or terminated
•  Cookie expiration and client IP address are enforced – no replay attacks
•  Prevented attacks will be reported and logged

[Diagram: Internet → ASM → Web Application]
1. 1st time request: ASM responds with the injected JS challenge; the request is not passed to the web server
2. The JS challenge is placed in the browser; the browser responds to the challenge & resends the request
3. Valid requests are passed to the server; a legitimate browser sees no challenge w/o a detected attack
4. Bots: continuous invalid response attempts are blocked; bots are dropped
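The cookie properties listed above (signed, time stamped, fingerprinted, bound to the client IP, expiring) are what make the challenge cookie useless for replay. The following added example implements that verification in a small proxy-side state machine; it is illustration code written for this page, not ASM's own challenge or cookie format, and it assumes an HMAC-SHA256 signature over "timestamp|ip|fingerprint", a constructed 600-second lifetime, and a fingerprint that is simply a hash of the attributes the challenge JS would collect. The signing key is generated at start-up here only for the sake of a runnable example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Signing key generated at start-up. Assumption: a real deployment keeps this in
# the device configuration; it must never be visible to the client.
SECRET = secrets.token_bytes(32)
COOKIE_TTL = 600  # seconds a challenge cookie stays valid (constructed value)

def fingerprint(attrs):
    """Reduce the attributes gathered by the challenge JS to one short hash."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def issue_cookie(client_ip, fp, now, key=SECRET):
    """Mint the signed, time-stamped, fingerprinted cookie once a challenge is solved."""
    payload = f"{int(now)}|{client_ip}|{fp}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()

def verify_cookie(cookie, client_ip, fp, now, key=SECRET):
    """Check signature, age, client IP and fingerprint, in that order."""
    try:
        ts, ip, fp_in, sig = base64.urlsafe_b64decode(cookie.encode()).decode().split("|")
        issued = int(ts)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return (False, "malformed cookie")
    expected = hmac.new(key, f"{ts}|{ip}|{fp_in}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return (False, "bad signature")          # tampered, or forged without the key
    if int(now) - issued > COOKIE_TTL:
        return (False, "expired")                # expiration enforced: no old-cookie replay
    if ip != client_ip:
        return (False, "client IP mismatch")     # cookie copied and replayed from elsewhere
    if fp_in != fp:
        return (False, "fingerprint mismatch")   # same address, different client
    return (True, "passed browser challenge")

def handle_request(cookie, client_ip, fp, now, challenge_solved=False):
    """Proxy decision for one request: challenge, forward, or drop."""
    if challenge_solved:
        # The browser executed the injected JS and resent the request.
        return ("forward", issue_cookie(client_ip, fp, now), "challenge answered")
    if cookie is None:
        # First contact: answer with the JS challenge; nothing reaches the web server.
        return ("challenge", None, "JS challenge injected")
    ok, reason = verify_cookie(cookie, client_ip, fp, now)
    return ("forward", None, reason) if ok else ("drop", None, reason)

if __name__ == "__main__":
    fp = fingerprint({"ua": "Mozilla/5.0", "screen": "1920x1080", "tz": -60})
    print(handle_request(None, "203.0.113.7", fp, 1000)[::2])
    action, cookie, why = handle_request(None, "203.0.113.7", fp, 1001, challenge_solved=True)
    print(action, why)
    print(handle_request(cookie, "203.0.113.7", fp, 1002)[::2])
    print(handle_request(cookie, "198.51.100.9", fp, 1002)[::2])
```

The order of the checks is deliberate: the signature is verified first with a constant-time comparison, so a client that never solved the challenge (or guessed a key) learns nothing from the other checks, and a cookie that is valid but presented from a different address or client is treated as a replay rather than as a browser that has already been verified.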
ASM Bot Protection
iRules enhanced Bot protection

•  Delivers increased granularity to the bot detection process
•  iRules commands enable customized action on bots detected
•  Launches against Proactive Bot Defense DoS events
•  Provides the control needed to ensure accuracy of threat detection
•  Use it to …
   o  retrieve the data processed by the Bot Defense mechanism,
   o  query and override URL qualification,
   o  force logging and challenges,
   o  customize an HTML redirect

    # EXAMPLE 1: Bypassing enforcement on URL pattern
    when BOTDEFENSE_ACTION {
        if {[HTTP::uri] starts_with "/t/"} {
            log local0. "bypassing enforcement for URI [HTTP::uri]"
            set res [BOTDEFENSE::action allow]
            log local0. "set action to allow, result \"$res\""
            log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
        }
    }

    # EXAMPLE 2: Instead of blocking the request with TCP RST, respond with a
    # blocking-page
    when BOTDEFENSE_ACTION {
        if {[BOTDEFENSE::action] eq "tcp_rst"} {
            # if the custom_response action fails, the tcp_rst action will remain,
            # so we don't need to check the return string in this case
            BOTDEFENSE::action custom_response "sorry\ni am blocking you\n"
        }
    }

    # EXAMPLE 3: Force the browser_challenge to be sent to the client on the login
    # page, even if the cookie is valid (may be used to force the renewal of the
    # Bot Defense cookie)
    when BOTDEFENSE_ACTION {
        if { ([HTTP::uri] eq "/t/login.php") &&
             ([BOTDEFENSE::action] eq "allow") &&
             (not ([BOTDEFENSE::reason] starts_with "passed browser challenge")) } {
            BOTDEFENSE::action browser_challenge
        }
    }
Browser fingerprinting and device ID
Accurately track good and bad actors wherever they go

•  Uniquely protects against session hijacking by matching cookies with device ID
•  Captures unique device characteristics for bots, DoS attacks, headless browsers and human users
•  Identifies repeat visitors by learning their traffic patterns, even when users switch sessions or source IPs
•  Applies to brute force, volumetric DDoS, session hijacking protections and proactive bot defense
•  Thwarts tracking evasion attempts by bots and scrapers
Browser fingerprinting and device ID
More accurately prevents web scraping

How it works
•  Runs client-side code that collects various attributes about the client
•  The attributes are summed up into a hash, which we call a fingerprint
•  A cache of those fingerprints is stored on BIG-IP and used to persistently identify clients when preventing web scraping
•  Activates DeviceID tracking from a check box when proactive defense is not used
•  Clients with JS disabled will be blocked
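An added example of the fingerprint cache idea from this slide and of the "persistent scraper that uses multiple IP addresses" case from the BotNet Protection slide (illustration code for this page, not BIG-IP's implementation): page requests are counted per fingerprint in a sliding window, so a client that rotates source IPs and session cookies but keeps the same client attributes is still recognised as one actor. The fingerprint is a hash of a constructed attribute set, the window and page limit are constructed values, and the traffic in simulate() is constructed; the per-IP counter alongside shows what an IP-keyed limit alone would see.

```python
import hashlib
import json
from collections import defaultdict, deque

def fingerprint(attrs):
    """Sum the collected client attributes up into one short hash (the fingerprint)."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

class FingerprintCache:
    """Request history keyed by fingerprint rather than by session cookie or source IP."""

    def __init__(self, window_s=60, max_pages=20):
        self.window = window_s            # sliding window in seconds (constructed value)
        self.max_pages = max_pages        # page requests tolerated per window (constructed value)
        self.visits = defaultdict(deque)  # fingerprint -> timestamps of recent page requests
        self.sources = defaultdict(set)   # fingerprint -> (ip, session) pairs seen
        self.flagged = set()              # fingerprints already identified as scrapers

    def observe(self, attrs, client_ip, session_id, now):
        fp = fingerprint(attrs)
        self.sources[fp].add((client_ip, session_id))
        recent = self.visits[fp]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if fp in self.flagged:
            return ("block", fp, "previously identified scraper")
        if len(recent) > self.max_pages:
            self.flagged.add(fp)
            return ("block", fp, f"{len(recent)} pages in {self.window}s "
                                 f"from {len(self.sources[fp])} IP/session pairs")
        return ("allow", fp, None)

# Constructed client attributes: one scraper rotating IPs and sessions, one ordinary visitor.
SCRAPER_ATTRS = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1024x768", "plugins": [], "tz": 0}
VISITOR_ATTRS = {"ua": "Mozilla/5.0 (Windows NT 10.0)", "screen": "1920x1080", "plugins": ["pdf"], "tz": -60}

def simulate():
    cache = FingerprintCache()
    per_ip = defaultdict(int)          # what a per-IP counter alone would see
    first_block = None
    ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    for i in range(25):                # 25 pages in 25 seconds, new IP and session each time
        ip = ips[i % len(ips)]
        per_ip[ip] += 1
        action, _fp, _reason = cache.observe(SCRAPER_ATTRS, ip, f"sess-{i}", now=float(i))
        if action == "block" and first_block is None:
            first_block = i
    visitor = [cache.observe(VISITOR_ATTRS, "203.0.113.5", "sess-v", now=float(t))[0]
               for t in range(5)]
    return {"first_block_index": first_block,
            "max_requests_per_ip": max(per_ip.values()),
            "visitor_actions": visitor}

if __name__ == "__main__":
    print(simulate())
```

In the simulation no single IP exceeds nine requests, so an IP-keyed limit of twenty never fires, while the fingerprint-keyed history blocks the twenty-first page and keeps the fingerprint flagged afterwards. The caveat from the slide applies here too: the attributes come from client-side code, so a client with JS disabled produces no fingerprint at all and has to be handled by a separate rule.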
Reporting
ASM Request List Events Log
•  View the full request itself, the violation rating and any associated violations
•  Immediately discern request status (i.e., legal or illegal, blocked, truncated, or has a response)
•  Drill down to view detailed descriptions of the violations and potential attacks
•  Accept trusted violations

Violation ratings highlighting priority violations
•  Quickly identify events requiring immediate attention
•  Easily distinguish false positives and negatives
•  Enables novice users to understand the severity of an event
•  Alleviates cycles spent on F/P and F/N
Consolidated view of attacks and mitigation
Statistics concerning attack types, violations, and anomalies, traffic summaries

Security Overview Screen
•  See a real-time summary of active policies & attacks
•  Understand ASM health and network/traffic stats
•  View data by different criteria in graphical reports
•  Get top 10 entity reports

TOP 10 ENTITIES
•  Drill down and filter all AVR HTTP entities
ASM resource consumption reporting
Ensures application security when ASM resources are burdened

•  Predictive information communicated includes:
   •  pending requests
   •  CPU utilization – updated every 1 minute
   •  memory utilization – updated every 5 minutes
   •  ASM bypass information – updated every 5 minutes
   •  the plug-in queue utilization
•  Users can set specific alert types and threshold values for events
•  Leverages the REST API publishing framework in AVR
•  Requires cloud orchestration to trigger action in an external security service (BIG-IQ)

[Screenshot: ASM health statistics & charts]
New in BIG-IP 12.0
Maintaining PCI Compliance
Quickly discern your state of compliance
•  Shows each security measure and policy required for PCI-DSS 3.0 compliance
•  Create printable versions of PCI compliance reports for each web application
•  Provides guidance to bring flagged items into compliance
•  Click quick links to adjust the non-compliant settings
Telecom Operator: LB, SSL offload, TV portal protection

[Diagram: Users → BIG-IP (Advanced LB, STB storm protection, SSL offload, Web Application FW) → Data Center: Streaming Servers; Portal, EPG, …]

Solution highlights
•  Advanced load-balancing and session stickiness
•  iRules for prevention of STB traffic storms (rate limiting) and SSL vulnerabilities
•  SSL offload for application and control plane data
•  Web application FW (ASM) for Live TV application protection, including brute force login page protection (against password guessing) – block access to the login page after x failed attempts for a configured period of time, etc.

Operator's Benefits
•  Better user experience due to TCP optimisation (network latency, throughput increase)
•  A solution for prevention of STB authentication storms
•  Protection of TV portal against attacks
•  Consolidated solution: load-balancing + Web application FW on a single platform
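The brute force login page protection described in the solution highlights ("block access to the login page after x failed attempts for a configured period of time") is straightforward to state precisely; the following added example does so. It is illustration code written for this page, not the operator's iRule or ASM's brute force feature, and it assumes a lookup key of (source IP, account name) and constructed thresholds of 5 failures within 60 seconds leading to a 300-second lockout.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Lock a login page for a configured period after x failed attempts in a window."""

    def __init__(self, max_failures=5, window_s=60, lockout_s=300):
        self.max_failures = max_failures    # x failed attempts (constructed value)
        self.window = window_s              # failures are counted within this many seconds
        self.lockout = lockout_s            # configured period of time the page stays blocked
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def check_access(self, key, now):
        """Called before the login page is served for this key."""
        until = self.locked_until.get(key)
        if until is not None and now < until:
            return ("block", f"locked for {int(until - now)}s more")
        self.locked_until.pop(key, None)    # lock has expired; forget it
        return ("allow", None)

    def record_attempt(self, key, success, now):
        """Called with the application's verdict on one login attempt."""
        if success:
            self.failures.pop(key, None)    # a successful login resets the count
            return ("ok", None)
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # only failures inside the window count
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return ("locked", f"{self.max_failures} failures within {self.window}s")
        return ("ok", f"{len(recent)} recent failures")

def simulate():
    guard = LoginGuard(max_failures=5, window_s=60, lockout_s=300)
    key = ("203.0.113.10", "alice")         # constructed source IP and account name
    outcomes = [guard.record_attempt(key, False, now=float(t))[0] for t in range(5)]
    during = guard.check_access(key, now=10.0)[0]       # inside the lockout
    after = guard.check_access(key, now=305.0)[0]       # lock set at t=4 expires at t=304
    return {"attempts": outcomes, "during_lock": during, "after_lock": after}

if __name__ == "__main__":
    print(simulate())
```

The choice of key is the important design decision: keying on the source IP alone locks out everyone behind a shared address (and is trivially sidestepped by address rotation), keying on the account alone lets anyone lock a victim out of their account, and the pair used here limits both effects; the window also means that failures spread out more slowly than the window length never trigger the lock, which is why the slide pairs this with the device ID and bot defence features.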
Financial organisation protected by F5 ASM & AFM
Leveraged Compliance & Consolidation

Drivers:
•  Cisco Replacement
•  Regulation demand for application security
•  Regulation demand for dual FW vendors
•  CAPEX / OPEX trade off from consolidation

Competition:
•  IPS technology
•  FW vendors
•  WAF Vendors

Why we won:
•  Early engagement in the process
•  Differentiate between IPS & WAF
•  Consolidated solution – LB/WAF/FW on the same unit
•  Presentation, demo and proof of the solution
•  Excellent customer relationship with local account team
•  Strong partner collaboration

Additional benefit to F5:
•  Future potential for Anti-Fraud solutions
•  Professional services implementation
