
F5 Customer Demo

ASM – Applying and Enforcing Global Settings for File Types
Document version 13.0.A
Written for: TMOS® Architecture v13.0

Estimated Completion Time: 15 minutes

The purpose of this demo is to show how you can control attributes for file types at the global level (without
needing to learn specific file types). You’ll start by creating a security policy for the DVWA web application using
Rapid Deployment. You’ll then modify the query string length and HTTP request length values for the wildcard
(*) file type. You’ll then make requests for different file types that violate the global length values, and then
examine the ASM event log to view why the requests were blocked.

F5 Worldwide Field Enablement Last Updated: 1/25/2018


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
ASM Demo – Applying and Enforcing Global Settings for File Types

BEFORE THE DEMO – Access the Ravello Environment


Access the Ravello environment for the WWFE – ASM – v13.0 blueprint.

• Access https://ravellosystems.com and log in using the a492818 identity domain.
• Go to Library > Blueprints and search for WWFE - ASM.
• Select the most recent WWFE - ASM - v13 blueprint.
• Click Create Application.
• Append your name to the end of the application Name, and then click Create.
• Click Publish.
• Select the Performance tab, then select the best Location, select how long to run the application, and then click Publish.
• Once the application is published, copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
• Log into the Windows workstation as external_user / P@ssw0rd!
• If necessary, update the Windows time:
o Select the clock and click Change date and time settings…
o Select the Internet Time tab, and then click Change settings…
o Using time.windows.com click Update now, and then click OK twice.
• Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system.
• Open Burp Suite (if prompted, don’t update Burp Suite).
• Click Next, and then click Start Burp.
• Select the Proxy tab.
Note that intercept is on.
• Click Intercept is on (the button should now read Intercept is off).
• Open Firefox, and then click the Firefox options button and select Options.
• Click Advanced, and then click Network.


WWFE Ravello Guides – Demo: ASM – Applying Global Settings for File Types; v13.0.A Page | 3
• For Connection click Settings.
• Select the Manual proxy configuration option, and then click OK, and then close Firefox.

Demo Task 1 – Create a Security Policy using Rapid Deployment


Create a security policy for dvwa_virtual using the Rapid Deployment security policy.

• In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains the default http profile. An HTTP profile is required to protect against application layer attacks.
• Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
• Select the Advanced options.
• Use the following information for the new policy, and then click Create Policy.
Policy Name: global_security_policy
Policy Template: Rapid Deployment Policy
Virtual Server: dvwa_virtual
Enforcement Mode: Blocking
Signature Staging: Disabled
That’s all it takes to create a basic security policy with ASM. The Rapid Deployment template includes several common security measures and thousands of attack signatures.

Demo Task 2 – Modify Global File Type Attributes


Modify the attributes of all file types by making changes to the wildcard (*) entity, and then access the DVWA web application and make requests for several different file types that violate the security policy length limits.

• Once the policy is created, open the Application Security > File Types > Allowed File Types page.
This security policy is not configured to enforce specific file types. The asterisk (*) identifies that all file types are allowed. We’re going to modify a couple of attributes that all file types must adhere to.
• Click the asterisk (*).
• Modify the length attributes as follows:
URL Length: 1000 bytes
Request Length: 4000 bytes
Query String Length: 1200 bytes
POST Data Length: 4000 bytes
Notice that the Perform Staging checkbox is not enabled. That ensures that ASM will enforce these length values for all file types.

• Click Update.
We can now see the global custom length settings for all file types.
• Open the Application Security > Policy Building > Learning and Blocking Settings page.
• Expand File Types.
• For all five File Types violations, select the Alarm and Block checkboxes.
This ensures that ASM will block requests that violate the length values we configured previously.
• Click Save, then click Apply Policy and then OK.
• Open an InPrivate Browsing window (IE) and click the DVWA bookmark, then log in as gordonb / abc123.
• Copy and paste the following query string into the URL field, and then press Enter.
http://10.1.10.35/index.php?A=alksdjfslfjsdlfjsdlfjk&B=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkj&C=askdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis&D=skladfskvjisadfieieakfdkjdsfkdsdsjf&E=vakjeiaskjfsiefsfsafivsidfisaef&F=8324v8fs8v8dsv8dsfs8vsdvisda3r25&G=8kvw8ey5r438nfdfvu34rpoindv8re8we88f&H=232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&I=alksdjfslfjsdlfjsdlfjk&J=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkj&K=askdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis&L=skladfskvjisadfieieakfdkjdsfkdsdsjf&M=vakjeiaskjfsiefsfsafivsidfisaef&n=8324v8fs8v8dsv8dsfs8vsdvisda3r25&N=8kvw8ey5r438nfdfvu34rpoindv8re8we88f&O=232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&P=qwertyuiopasdfghjjklzxcvbnm0987654321232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&q=qwertyuiopasdfghjjklzxcvbnm0987654321232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&Q=qwertyuiopasdfghjjklzxcvbnm0987654321&P=askdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis8324v8fs8v8dsv8dsfs8vsdvisda3r25alksdjfslfjsdlfjsdlfjk&J=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkjaskdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis8324v8fs8v8dsv8dsfs8vsdvisda3r25alksdjfslfjsdlfjsdlfjk&J=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkjaslkdfsalkfjsadwkljweifakdjfaslkdfslmvksdkfiesksdfsdiksdfjsi&R=wieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewwesajfie83292sddra8pfwuwieslfjsifsifjsiefjsdlfissijif

The request for index.php with the extremely long query string length is blocked by ASM.
• Click the DVWA bookmark.
• At the bottom of the page, click the user policy link.
• Copy and paste the following query string into the URL field, then press Enter, and then close the page.
http://10.1.10.35/userpolicy.html?A=alksdjfslfjsdlfjsdlfjk&B=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkj&C=askdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis&D=skladfskvjisadfieieakfdkjdsfkdsdsjf&E=vakjeiaskjfsiefsfsafivsidfisaef&F=8324v8fs8v8dsv8dsfs8vsdvisda3r25&G=8kvw8ey5r438nfdfvu34rpoindv8re8we88f&H=232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&I=alksdjfslfjsdlfjsdlfjk&J=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkj&K=askdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis&L=skladfskvjisadfieieakfdkjdsfkdsdsjf&M=vakjeiaskjfsiefsfsafivsidfisaef&n=8324v8fs8v8dsv8dsfs8vsdvisda3r25&N=8kvw8ey5r438nfdfvu34rpoindv8re8we88f&O=232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&P=qwertyuiopasdfghjjklzxcvbnm0987654321232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&q=qwertyuiopasdfghjjklzxcvbnm0987654321232sdofdjswef82weoifjwoifjw323wewefwelifw38ijfwie&Q=qwertyuiopasdfghjjklzxcvbnm0987654321&P=askdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis8324v8fs8v8dsv8dsfs8vsdvisda3r25alksdjfslfjsdlfjsdlfjk&J=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkjaskdfslkdfjsdkfjsdlkfjsdkfwiefiskfjis8324v8fs8v8dsv8dsfs8vsdvisda3r25alksdjfslfjsdlfjsdlfjk&J=lsakdfjskfjsdlfjsflkjdsflkjsdslkfjsfkjaslkdfsalkfjsadwkljweifakdjfaslkdfslmvksdkfiesksdfsdiksdfjsi&R=wieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewweffwepfwuwieslfjsifsifjsiefjsdlfissijifjeiasifejsaiesaehfwuepewwesajfie83292sddra8sdfsdafeafasdfasfdskdfj&z=asdkjflsjaiefjskdfjsifdsjfksdfjsdijskddkvlifdsjifsjdlfseilsdifsjdifjs;flsisdfcvxjxzivjsdisdisdifsdfdsifslfsifj3292sddra8sd

This request for userpolicy.html with the extremely long query string length is also blocked by ASM.

• Use Firefox to open a New private window, then click the DVWA bookmark, and then log in as gordonb / abc123.
• In Burp Suite click Intercept is off (the button should now read Intercept is on).
• On the DVWA page click SQL Injection, and then view the Burp Suite window.
You can now view and modify the request in Burp Suite before sending it to the web server.
• Copy and paste the following in the Burp Suite window, and then click Forward.
GET /vulnerabilities/sqli/ HTTP/1.1
Host: 10.1.10.35
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.1.10.35/
Fake-Header-1: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-2: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-3: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-4: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-5: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-6: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594 askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-7: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-8: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Fake-Header-9: askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594askfjiwefsdkfsdlifidfsdivjvixicvjsike kefsdijsdisdjfsdkfelkfmefdifdsifjsf sidfsdifsjdkfjsdif isdfsdifdsd dsfsdif isdfaieef3wfaa3wjscje8w f8e89eojfaeafjcfwe98faewifcj sd8f88ejse0afc9s d7e4ef362e28c7 1c87d2df4124d76130b 68bb5f7f6fde507c1ee3e b0eb51e9a59924594
Cookie: JSESSIONID=ndn70dkc72nnm7n2savo1l55s1; security=low; TS01c8c91c=0139d7e4ef362e28c71c87d2df4124d76130b68bb5f7f6fde507c1ee3eb0eb51e9a5992459433dbea41cacbead3b67e958342a68a432817a233c68ea7bb1afa693367fdb22d449bb3507836a3d1c84cc9930451e42; TS01c8c91c_26=019ea619676dc381ebaa66bf82047d48bb4068e73208d94e147539ac42ea07f306ea5c1176c4b0a281cc454cdd79e2e09f267a7c13d60ce97e1343526a17207c0d5e71b595
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

• View the result in the DVWA page.
The request for /vulnerabilities/sqli/ with the extremely large HTTP request length was blocked by ASM.
• Close Burp Suite.

• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
There are three blocked log entries.
• Select the /index.php log entry.
This request was blocked because it had an illegal query string length.
• Click Illegal query string length.
We configured the wildcard entity with a query string length of 1200 characters, and this request for the php file type was for 1518 characters, which violated the security policy.
• Select the /userpolicy.html log entry, and then click Illegal query string length.
This request for the html file type was for 1632 characters, which violated the security policy.
• Select the /vulnerabilities/sqli/ log entry.
This request was blocked because it had an illegal HTTP request length.
• Click Illegal request length.
We configured the wildcard entity with an HTTP request length of 4000 characters, and this request for the no_ext (no extension) file type was for 4253 characters, which violated the security policy.
• Open an InPrivate Browsing window (IE) and click the DVWA bookmark, then log in as gordonb / abc123.
• Edit the URL to http://10.1.10.35/php.ini.
This is an Apache web server configuration file which users shouldn’t be accessing. However, we are not enforcing specific allowed file types for this security policy.
• In the Configuration Utility, open the Application Security > File Types > Disallowed File Types page and click Create.
• Enter ini, then click Create, and then click Apply Policy and then OK.
• In the DVWA page, reload the page, and then close the blocked page.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Select the [HTTP]/php.ini log entry.
This request was blocked for several reasons, including being for an illegal file type.
• Click Illegal file type.
We can see that the request was for an ini file type, which is on the disallowed file type list.
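The length limits set on the wildcard (*) file type in Task 2 and the verdicts read back from the request log above (file type, which limit tripped, whether the disallowed ini type matched) can be modelled in a few lines so a policy change can be predicted before it is applied. The following Python is an added example, not F5 code and not part of this demo: it classifies a raw HTTP request the way the ASM request log reports it, using the demo's values (1000/4000/1200/4000 bytes and the disallowed ini type). The sample requests are constructed, and two readings are assumptions rather than F5 documentation: that URL length is the path without the query string, and that request length is the whole request including headers and body.

```python
"""Model of the wildcard file-type checks configured in this demo.

Added example, not F5 code. It reproduces the decision the ASM request log
shows (file type plus the violation names) for a raw HTTP/1.1 request.
Assumptions: URL length = path without the query string; request length =
all bytes of the request, headers and body included.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath


@dataclass(frozen=True)
class WildcardPolicy:
    # Limits from Task 2 (bytes) and the ini entry from the Disallowed File Types step.
    url_length: int = 1000
    request_length: int = 4000
    query_string_length: int = 1200
    post_data_length: int = 4000
    disallowed_file_types: frozenset = frozenset({"ini"})
    block: bool = True             # Learning and Blocking Settings: Block checked
    perform_staging: bool = False  # a staged entity is learned, not enforced


def file_type(path: str) -> str:
    """Extension of the last path segment, or 'no_ext' when there is none
    (e.g. '/vulnerabilities/sqli/'), matching how the demo's log labels it."""
    name = posixpath.basename(path)
    if "." in name and not name.endswith("."):
        return name.rsplit(".", 1)[1].lower()
    return "no_ext"


def check_request(raw: bytes, policy: WildcardPolicy):
    """Return (file_type, [violation names]) for one raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    _method, target, _version = request_line.split(b" ", 2)
    parts = urlsplit(target.decode("latin-1"))
    violations = []
    ftype = file_type(parts.path)
    if ftype in policy.disallowed_file_types:
        violations.append("Illegal file type")
    if len(parts.path) > policy.url_length:
        violations.append("Illegal URL length")
    if len(parts.query) > policy.query_string_length:
        violations.append("Illegal query string length")
    if len(raw) > policy.request_length:
        violations.append("Illegal request length")
    if len(body) > policy.post_data_length:
        violations.append("Illegal POST data length")
    return ftype, violations


def would_block(raw: bytes, policy: WildcardPolicy) -> bool:
    """Blocking needs a violation, Block enabled, and the entity out of staging."""
    _ftype, violations = check_request(raw, policy)
    return bool(violations) and policy.block and not policy.perform_staging


def build_request(target, headers=(), body=b"", method="GET", host="10.1.10.35"):
    """Assemble a raw request; used only to construct the sample traffic below."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed sample traffic (not the demo's own captures), shaped like the
# three requests the demo sends, plus a clean request and an oversized POST.
SAMPLES = {
    "long_query": build_request("/index.php?q=" + "a" * 1300),
    "big_headers": build_request("/vulnerabilities/sqli/",
                                 headers=[("Fake-Header-1", "x" * 4100)]),
    "config_file": build_request("/php.ini"),
    "large_post": build_request("/login.php", method="POST",
                                body=b"u=" + b"a" * 4500),
    "normal": build_request("/index.php?id=1"),
}

DEMO_POLICY = WildcardPolicy()


def report(policy=DEMO_POLICY):
    """Map each sample name to (file type, violations, blocked?)."""
    return {name: (*check_request(raw, policy), would_block(raw, policy))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ftype, violations, blocked) in report().items():
        print(f"{name:12} {ftype:7} blocked={blocked} {violations}")
    # With Perform Staging enabled the same requests are logged but not blocked.
    staged = WildcardPolicy(perform_staging=True)
    print("staged long_query blocked:", would_block(SAMPLES["long_query"], staged))
```

Run it directly to print one verdict per sample. The `perform_staging` flag makes the point from Task 2 concrete: with staging on, the wildcard still records the violations but `would_block` returns False, which is why the demo checks that the box is cleared before expecting blocked pages.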

That concludes this demonstration on applying and enforcing global settings for file types.

