auction_pool
    Health Monitors: http
    Members: 172.16.20.150:80

auction_vs
    Destination Address: 10.10.20.110
    Service Port: 443
    HTTP Profile: http
    SSL Profile (Client): clientssl
    SNAT Pool: Auto Map
    Default Pool: auction_pool
7. Click Go.
8. Click the Your control panel link in the Logged in section on the right side of the page. (NOT the link on the top menu bar.)
Questions:
a) Are you able to view your personal information? _________________
b) Was your credit card number sent in HTML plain text? _________________
Question:
c) Are you able to view another user's personal information? _________________
10. Edit the end of the URI to read: ?nick=*.
Questions:
d) What information were you presented with? _____________________________
__________________________________________________________________
e) What type of Web site vulnerability is this? ______________________________
11. Click Logout, and then log back in as the username you submitted in step 3.
12. Select the Sell an item link.
13. Sell an item using the following information:
    Item title: Bad item
    Item description:
        <script>
        alert("Don't use this site - go to http://mysite.com");
        </script>
    $10
    Country
    Zip Code: 98119
    Payment methods: MasterCard or Visa
    Choose a category
22. Click Logout, and then close the auction Web site browser window.
5. Access the Application Security > Security Policies > Policies List > Active Policies page.
ASM reports that the security policy's application language is not defined.
2. Click Finished.
F5 Virtual Environment Hands-On Exercise Guide Exercise 2 Updating and Applying a Security Policy
5. Click Next.
6. On the Configure Security Policy Properties page, in the Application Language list box, select
Unicode (utf-8).
7. In the Application-Ready Security Policy list box, select Rapid Deployment security policy.
8. Click Next.
9. On the Configure Attack Signatures page, from the Available Systems list box, move the following to the Assigned Systems list box.
10. Leave Signature Staging enabled and click Next.
5. In the User login section, log in using the username and password you created in Exercise 5A, task 2, step 3.
6. Select the Edit data link in the Logged in section on the right-side of the page.
Questions:
a) What value is in the Address field? ________________________
b) Why is this value displaying? ________________________________________________
7. Go to the home page, and then buy the Canon Digital Camera.
8. Click Logout.
9. Edit the URL to https://10.10.20.110/comment.txt.
e) Why aren't requests for .txt pages being blocked by ASM? _____________
_________________________________________________________________
13. Select the buy2.php link.
14. Select Data Guard: Information leakage detected.
Question:
f) What caused this illegal entry? ___________________________________
15. Close the View Full Request Information window.
16. Select the edit_data.php link.
17. Select Data Guard: Information leakage detected.
Question:
g) What caused this illegal entry? ___________________________________
18. Close the View Full Request Information window.
19. Select all of the items in the Requests List, and then click Clear All.
20. Create an archive file named archive_After_5B.
There are no learned entries other than the Data Guard information leakage detected entries.
3. Edit the secure_profile security policy.
4. Select the Blocking > Settings page.
5. In the Access Violations section, in the Illegal file type row, note that the Block check box is currently grayed out.
Question:
a) Why can't you enable the Block option? ________________________________
_________________________________________________________________
6. Place the policy in Blocking mode.
7. In the Illegal file type row, select the Learn, Alarm, and Block check boxes.
Question:
b) Why were these options already set? __________________________________
_________________________________________________________________
9. Click Save.
10. Place the policy back in Transparent mode.
Notice that the Block option for Illegal file types is once again grayed out; however, the check box remains selected.
4. Click Update.
    $10
    Country
    Zip Code: 98119
    Payment methods: MasterCard or Visa
    Choose a category
The security policy has been updated to allow requests for the gif, jpg, and php file types, in addition to requests with no extension (no_ext).
13. In the Allowed File Types List section, select the * check box, and then click Delete.
14. Select the gif, jpg, no_ext, and php checkboxes, and then click Enforce.
This removes these entries from staging.
15. Apply the updated policy.
16. Open a new Web browser window and access https://10.10.20.110.
17. Select links to navigate through the auction Web site.
18. Edit the URL to https://10.10.20.110/comment.txt.
Questions:
e) Were you able to access the comment.txt page? _________________________
f)
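Added example (not the guide's or F5's code): a Python model of the allowed-file-type check exercised in the steps above. It shows how a URL maps to a file type (gif, jpg, php or no_ext), why comment.txt went through while the * entry was in the Allowed File Types list, what the Enforce button does to a type in staging, and how Transparent versus Blocking mode together with the Block check box decide between an alarm and a blocked request. The mode and check-box semantics follow the steps in this exercise; the class, function names and the URLs other than comment.txt are this example's own assumptions.

```python
# Added example (not the guide's or F5's code): a model of the allowed-file-
# type check, including the * entry, staging, and Transparent vs Blocking.
import posixpath
from urllib.parse import urlsplit


def file_type_of(url):
    """Map a URL to an ASM-style file type: the extension of the last path
    segment, lower-cased, or 'no_ext' when that segment has none (/, /dir/,
    /buy2).  The query string is ignored, so /comment.txt?x=.php is 'txt'."""
    name = posixpath.basename(urlsplit(url).path)
    if "." in name:
        return name.rsplit(".", 1)[1].lower() or "no_ext"
    return "no_ext"


class FileTypePolicy:
    """Just enough of a security policy to reproduce the exercise.

    allowed - entries of the Allowed File Types list ('*' allows everything)
    staged  - allowed types still in staging (learning only, never a violation)
    mode    - 'transparent' or 'blocking' (the policy's Enforcement Mode)
    learn/alarm/block - the check boxes of the Illegal file type row
    """

    def __init__(self, allowed, staged=(), mode="transparent",
                 learn=True, alarm=True, block=True):
        self.allowed = {t.lower() for t in allowed}
        self.staged = {t.lower() for t in staged}
        self.mode = mode
        self.learn, self.alarm, self.block = learn, alarm, block

    def enforce_types(self, *types):
        """The Enforce button: take the given types out of staging."""
        self.staged -= {t.lower() for t in types}

    def evaluate(self, url):
        """Return (file_type, outcome); outcome is 'allowed',
        'allowed (staging)', 'alarm' (logged, request passed) or 'blocked'."""
        ft = file_type_of(url)
        if "*" in self.allowed or ft in self.allowed:
            return ft, "allowed (staging)" if ft in self.staged else "allowed"
        # Illegal file type.  Block only takes effect in Blocking mode; in
        # Transparent mode the box may stay ticked but is greyed out.
        if self.mode == "blocking" and self.block:
            return ft, "blocked"
        return ft, "alarm" if self.alarm else "passed"


def walk_through_exercise():
    """Replay the policy states of this exercise against comment.txt."""
    outcomes = {}
    # Before step 13: '*' is still in the list, so .txt is simply allowed.
    with_wildcard = FileTypePolicy(allowed={"*", "gif", "jpg", "php", "no_ext"})
    outcomes["wildcard_in_list"] = with_wildcard.evaluate("/comment.txt")[1]
    # Steps 13-15: '*' deleted, the four learned types enforced (out of staging).
    policy = FileTypePolicy(allowed={"gif", "jpg", "php", "no_ext"},
                            staged={"gif", "jpg", "php", "no_ext"})
    policy.enforce_types("gif", "jpg", "php", "no_ext")
    outcomes["transparent"] = policy.evaluate("/comment.txt")[1]
    policy.mode = "blocking"                       # Block is ticked and effective
    outcomes["blocking"] = policy.evaluate("/comment.txt")[1]
    outcomes["php_page"] = policy.evaluate("/buy2.php?id=3")[1]
    outcomes["site_root"] = policy.evaluate("https://10.10.20.110/")[1]
    outcomes["uppercase_jpg"] = policy.evaluate("/img/CAMERA.JPG")[1]   # assumed path
    return outcomes


if __name__ == "__main__":
    for state, outcome in walk_through_exercise().items():
        print(f"{state:18s} -> {outcome}")
```

The check keys on the last path segment only, so a request such as /comment.txt?x=.php is still classified as txt; the query string does not change the file type.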
F5 Virtual Environment Hands-On Exercise Guide Exercise 4 Using Automatic Policy Building
9. Click Next.
10. From the Policy Type list, select Comprehensive.
11. Slide the Policy Builder learning speed control to Fast.
Note that this raises the chance of adding false positives to the policy to High.
12. From the Trusted IP Addresses list, select Address List.
13. In the IP Address box, enter 10.10.20.1.
14. In the Netmask box, enter 255.255.255.255, and then click Add.
6. Edit the end of the URI to read: ?nick=*.
7. Click Logout.
8. In the User login section, in the Username field type:
' or 1=1#
9. Click Go.
10. Edit the URL to https://10.10.20.110/comment.txt.
11. Close the Web browser.
Question:
a) Why are you now able to access txt file types? _______________________
_____________________________________________________________
b) Is Data Guard currently enabled? _________________
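Added example (not part of the F5 guide): the three inputs that Exercise 5A and the steps above send to the auction site (?nick=*, the ' or 1=1# username, and the <script> item description) run through a small Python request inspector with illustrative regex signatures, the kind of check the Configure Attack Signatures step turns on. The signatures and the paths /index.php, /sell.php and /item.php are assumptions for this example, not F5's attack-signature set or the lab site's real URLs. The inspector decodes parameter values until they stop changing, which is the caveat a practitioner wants here: a double-encoded nick=%252A has to be seen as the same wildcard as nick=*.

```python
# Added example (not part of the F5 guide): a minimal request inspector with
# illustrative signatures for the three inputs used in these exercises.
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus, urlencode

# Illustrative signatures only; they are not F5's attack-signature set.
SIGNATURES = [
    ("XSS (script tag)", re.compile(r"<\s*script\b", re.I)),
    ("SQL injection (OR tautology ended by a comment)",
     re.compile(r"'\s*or\s+\d+\s*=\s*\d+\s*(?:#|--)", re.I)),
    ("Parameter tampering (wildcard value)", re.compile(r"^\s*\*+\s*$")),
]


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, so nick=%252A (double
    encoded) is inspected as '*'.  parse_qsl has already decoded once; this
    catches the remaining layers.  Side effect: a literal '+' in an already
    decoded value becomes a space."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target, body=""):
    """Return [(parameter name, signature name)] for every query-string or
    form-encoded body parameter whose decoded value matches a signature."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        value = fully_decode(value)
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, label))
    return hits


# Constructed requests modelled on the exercise steps; the paths are assumed.
LAB_REQUESTS = {
    "control_panel_wildcard": ("/index.php?nick=*", ""),
    "wildcard_double_encoded": ("/index.php?nick=%252A", ""),
    "login_sqli": ("/index.php",
                   urlencode({"username": "' or 1=1#", "password": "x"})),
    "sell_item_xss": ("/sell.php", urlencode({
        "title": "Bad item",
        "description": "<script>alert(\"Don't use this site - go to "
                       "http://mysite.com\");</script>",
    })),
    "benign_item_view": ("/item.php?id=17", ""),
}


def scan_lab_requests():
    """Run every constructed request through the inspector."""
    return {name: inspect_request(target, body)
            for name, (target, body) in LAB_REQUESTS.items()}


if __name__ == "__main__":
    for name, hits in scan_lab_requests().items():
        print(f"{name:26s} {hits or 'no signature matched'}")
```

Without the repeated decoding, the double-encoded request would be inspected as the literal string %2A and slip past the wildcard signature while the application, decoding again, still sees the wildcard.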
The policy builder begins to analyze the traffic.
After several seconds, the policy builder begins learning file types, URLs, parameters, and cookies.
12. In the Detail section, select File Types > Staging.
13. For the gif, jpg, no_ext, and php entries, click the corresponding Enforce button.
14. Select Parameters > Staging.
Multiple parameters are currently in staging.
15. Access the Application Security > Policy Building > Automatic > Log page.
The log includes an entry for each event or action that the Policy Builder makes to the policy.
16. Access the Application Security > Policy Building >Automatic > Configuration page.
17. Disable the Real Traffic Policy Builder.
18. Click Save, and then apply the updated policy.
5. Click the Back button.
6. Select the Sell an item link.
7. Sell an item using the following information:
    Item title
    Item description
    $10
    Country
    Zip Code: 98119
    Payment methods: MasterCard or Visa
18. Open a new Web browser window and access https://10.10.20.110.
19. In the User login section, log in using the username and password you created in Exercise 5A, task 2, step 3.
20. Click the Your control panel link in the Logged in section.
Questions:
f) What response did you receive? _______________________________________
g) Why did you receive this response? ______________________________________
____________________________________________________________________
21. Close the Web browser.
22. Adjust the blocking settings so that the data is indeed scrubbed, but the page itself isn't blocked.
23. Apply the policy and test again.
24. Once the page displays with credit card and social security numbers scrubbed, create an archive file named archive_After_5D.
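Added example (not the guide's or F5's code) covering the Data Guard steps of Exercise 5B and of steps 18-24 above: a Python response scrubber that masks credit card numbers and US Social Security numbers in a constructed HTML response and records each finding, plus an enforce() wrapper that reproduces the choice step 22 asks for (mask the data but still return the page, versus block the whole response). Running a Luhn check so that ordinary 13-19 digit numbers such as order IDs are not masked is this example's design choice, and the sample response, its card numbers (public test values) and SSN are constructed.

```python
# Added example (not the guide's or F5's code): a response scrubber modelling
# what Data Guard does when it masks credit card numbers and SSNs.
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; lets the scrubber leave order IDs and the like alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub(body, mask_char="*", keep_last=4):
    """Return (masked body, findings).  Separators are kept and only the
    last `keep_last` digits of a card number survive."""
    findings = []

    def mask_pan(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw                      # not a card number: leave readable
        findings.append(("credit_card", raw))
        out, remaining = [], len(digits)
        for ch in raw:
            if ch.isdigit():
                remaining -= 1
                out.append(ch if remaining < keep_last else mask_char)
            else:
                out.append(ch)
        return "".join(out)

    def mask_ssn(m):
        findings.append(("ssn", m.group(0)))
        return mask_char * 3 + "-" + mask_char * 2 + "-" + m.group(0)[-4:]

    body = PAN_RE.sub(mask_pan, body)
    body = SSN_RE.sub(mask_ssn, body)
    return body, findings


def enforce(body, mode="transparent", block=False):
    """Data Guard response handling as exercised in steps 20-24:
    - nothing sensitive found: the response passes through untouched;
    - data found, policy in Blocking mode and Block ticked: the whole page is
      replaced (what step 22 implies the control panel did in step 20);
    - otherwise: the page is returned with the data masked (step 22)."""
    masked, findings = scrub(body)
    if not findings:
        return {"action": "passed", "body": body, "findings": []}
    if mode == "blocking" and block:
        return {"action": "blocked", "body": "<h1>Request rejected</h1>",
                "findings": findings}
    return {"action": "masked", "body": masked, "findings": findings}


# Constructed control-panel response; the card numbers are public test values.
SAMPLE_RESPONSE = (
    "<p>Card on file: 4111 1111 1111 1111</p>\n"
    "<p>Order 1234567890123 shipped</p>\n"
    "<p>SSN: 123-45-6789</p>\n"
)

if __name__ == "__main__":
    for mode, block in (("transparent", True), ("blocking", False), ("blocking", True)):
        result = enforce(SAMPLE_RESPONSE, mode, block)
        print(f"{mode}, block={block} -> {result['action']}")
        print(result["body"])
```

Note that the scrubber only sees a response as text: a card number split across HTML tags or rendered by client-side script is not matched, which is the usual limit of this class of control.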
F5 Virtual Environment Hands-On Exercise Guide Exercise 5 Protecting Against Web Scraping
TASK 1 Use iMacros to Record and Play a Lengthy Visit to the Auction Web Site
Use iMacros for Firefox to record and play back a series of requests to the auction Web site.
1. Open Mozilla Firefox and access https://10.10.20.110.
2. In the iMacros pane, select the Rec tab, and then click Record.
3. Select links to navigate through the auction Web site (be sure to record a lengthy visit to the Web site, at least 20 clicks; however, don't log in or purchase an item).
4. Click Stop.
5. Save the iMacro as webscraping_example.
6. In the iMacros pane, select the Play tab.
7. Select webscraping_example.iim.
8. In the Max box, type 10, and then click Play (Loop).
Question:
a) Is ASM protecting against potential Web scraping attacks? ________________
    5 requests
    Unsafe Interval: 10 requests
    Safe Interval: 20 requests
6. Click Save.
7. Verify that the blocking settings for the policy_builder_profile policy for Web scraping detected include Learn and Alarm.
8. Click Save, and then apply the updated policy.
9. Use Firefox to play the webscraping_example.iim macro 10 times.
10. In the BIG-IP configuration utility, access the Traffic Learning page.
11. Select the Web scraping detected link.
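Added example (not the guide's or F5's code): a Python detector run over a constructed access log in which one client replays a five-page tour ten times, the way playing webscraping_example.iim with Max set to 10 does in step 9, while a second client browses by hand. It flags a client on two independent signals: more than a threshold of requests inside a sliding time window, and a request sequence that is an exact loop of a shorter sequence. The guide configures ASM with request-count intervals (Unsafe Interval 10 requests, Safe Interval 20 requests); the window, threshold, client addresses and paths below are assumptions for this example, and neither signal is ASM's own bot-detection algorithm.

```python
# Added example (not the guide's or F5's code): two simple scraping signals
# run over a constructed access log.
from collections import defaultdict, deque

# Constructed traffic.  10.10.20.55 replays a five-page tour ten times at five
# requests per second, like the recorded macro played in a loop; 10.10.20.77
# clicks eight different pages by hand.  Addresses and paths are assumed.
TOUR = ["/", "/category.php?id=1", "/item.php?id=17", "/item.php?id=18",
        "/search.php?q=camera"]
HUMAN = ["/", "/category.php?id=2", "/item.php?id=31", "/item.php?id=32",
         "/category.php?id=3", "/item.php?id=40", "/search.php?q=lens",
         "/item.php?id=41"]


def build_sample_events():
    """(timestamp_seconds, client_ip, path) tuples, sorted by time."""
    events = [(100.0 + 0.2 * i, "10.10.20.55", TOUR[i % len(TOUR)])
              for i in range(10 * len(TOUR))]
    events += [(7.5 * i, "10.10.20.77", path) for i, path in enumerate(HUMAN)]
    return sorted(events)


def flag_by_rate(events, window_s=10.0, max_requests=20):
    """Clients that exceed max_requests inside any sliding window_s window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _path in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()                      # drop requests older than the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


def find_period(paths, min_repeats=3):
    """Smallest p such that the whole path list repeats with period p at
    least min_repeats times, returned as (p, repeats); None when the
    sequence is not periodic, which is what hand browsing looks like."""
    n = len(paths)
    for p in range(1, n // min_repeats + 1):
        if all(paths[i] == paths[i + p] for i in range(n - p)):
            return p, n // p
    return None


def paths_for(events, ip):
    """The request sequence of one client, in time order."""
    return [path for _ts, client, path in events if client == ip]


def flag_by_replay(events, min_repeats=3):
    """Clients whose request sequence is an exact loop of a shorter one."""
    clients = {ip for _ts, ip, _path in events}
    return {ip for ip in clients
            if find_period(paths_for(events, ip), min_repeats)}


if __name__ == "__main__":
    ev = build_sample_events()
    print("rate   :", sorted(flag_by_rate(ev)))
    print("replay :", sorted(flag_by_replay(ev)))
    print("period :", find_period(paths_for(ev, "10.10.20.55")))
```

The two signals fail differently: a slow loop (the macro played with a delay between iterations) evades the rate check but not the periodicity check, while a fast scraper that randomises its page order evades the periodicity check but not the rate check, which is why a real control such as ASM's combines several signals rather than relying on one.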