The purpose of this demo is to show how an ASM security policy can protect a web application from
malicious cookie modification. You’ll first modify a cookie value using Burp Suite and show the resulting
violation in the ASM event log. You’ll then enforce the cookie entities and attempt the same cookie
modification again, this time getting blocked.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Preparing the Demo Environment
→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
→NOTE: This exercise uses a macro that is already created on the Windows_7_External_v8 image. You should download that image before running this demo.
Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
Select the Advanced options.
Use the following information for the new policy, and then click Create Policy.
Policy Name: cookies_security_policy
Policy Template: Comprehensive
Virtual Server: dvwa_virtual
Application Language: Unicode (utf-8)
Trusted IP Addresses: 10.1.10.0 / 255.255.255.0 (click Add)
WWFE vLab Guides – Demo: ASM – Protecting Against Cookie Modification; v13.0.A Page | 3
Task 2 – Use iMacros for Firefox to Generate Traffic for Building a Security Policy
Use iMacros for Firefox to run a macro that will generate valid user traffic for building a security policy.
Click the iMacros button, and in the iMacros pane select cookies build.iim, and then click Play (Loop).
Part 2 – Delivering the Demo to a Customer
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
Open Burp Suite (if prompted, don’t update Burp Suite).
Click Next, and then click Start Burp.
Select the Proxy tab.
Note that intercept is on.
In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains
the default http profile. An HTTP profile is required because ASM must parse the HTTP request and response to protect against application-layer attacks.
Open the virtual server Security > Policies page.
This web application is already configured with an ASM security policy named
cookies_security_policy. I created this security policy before beginning the demo.
In Firefox, click the DVWA bookmark, and then log in as gordonb / abc123.
In Burp Suite click Intercept is off (the button should now read Intercept is on).
In the DVWA page click Instructions, and then view the Burp Suite window.
You can now view and modify the request in Burp Suite before sending it to the web server.
Change the security=low entry to security=hack, and then click Forward. In DVWA the security cookie selects the application’s security level, so a client that can return an arbitrary value for it controls server-side behaviour.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page and select the latest log entry.
We can see the cookie that was modified and the value that it was modified to. Although this security
policy is in blocking mode, modifying cookies isn’t currently being blocked: the violation was logged, but the request still reached the web server.
Open the Application Security > Headers > Cookies List page.
Notice that the two cookies are still in staging. While entities are in staging, ASM learns from traffic and logs violations against them but does not enforce them, so violations against them are recorded in the event log rather than blocked, even in blocking mode.
Select the JSESSIONID and security checkboxes, and then click Enforce and then OK.
Click Apply Policy and then OK.
In Burp Suite click Intercept is on (the button should now read Intercept is off).
In the DVWA page click Home.
In Burp Suite click Intercept is off (the button should now read Intercept is on).
In the DVWA page click Setup, and then view the Burp Suite window.
Change both the JSESSIONID and security cookie values (any value other than the one the server set will do).
Click Forward.
The request is now blocked, and Firefox displays the ASM blocking response page instead of the DVWA page.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Select the /setup.php log entry, and then click Modified domain cookie(s).
Cookie modification is now blocked for these two cookies.
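The following is an added example, not F5 code and not the format ASM actually uses for its TS cookies, that models the mechanism this demo relies on: when a response sets a domain cookie, the WAF binds the cookie’s value to an HMAC in its own tracking cookie, and on the next request it recomputes the HMAC and raises a Modified domain cookie(s) violation when the value no longer matches. The names TSstate, CookieGuard, the key handling and the sample DVWA session are assumptions made for illustration. It also shows the staging-versus-enforced distinction from the demo (alert only while in staging, block once enforced in blocking mode) and the edge case of a client that strips the tracking cookie altogether.

```python
"""Added example (not F5 code): a simplified model of domain-cookie integrity checking.

The WAF binds each server-set ("domain") cookie value to an HMAC stored in its
own tracking cookie when the response passes through, and recomputes the HMAC
on the next request. TSstate, CookieGuard and the sample session are assumptions
made for this illustration; they are not ASM's real cookie format.
"""
import hashlib
import hmac
import secrets

TRACKING_COOKIE = "TSstate"      # hypothetical name for the WAF's own cookie
KEY = secrets.token_bytes(32)    # per-policy secret; a real WAF manages this internally
VIOLATION = "Modified domain cookie(s)"


def parse_cookie_header(header):
    """Parse a Cookie request header into a dict, preserving header order."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def cookie_header(cookies):
    """Serialise a dict back into a Cookie request header."""
    return "; ".join(f"{n}={v}" for n, v in cookies.items())


def _mac(name, value):
    # Bind the name as well as the value so one cookie's MAC cannot be reused for another.
    return hmac.new(KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


class CookieGuard:
    """Tracks domain cookies; entities start in staging (alert only) until enforced."""

    def __init__(self, domain_cookies, enforced=(), blocking=True):
        self.domain_cookies = set(domain_cookies)
        self.enforced = set(enforced)   # cookie entities taken out of staging
        self.blocking = blocking        # policy enforcement mode (blocking vs transparent)
        self.log = []                   # stand-in for the ASM request event log

    def enforce(self, *names):
        self.enforced.update(names)

    def on_response(self, set_cookies):
        """Return the cookies the client will receive: the server's own plus a
        tracking cookie carrying an HMAC for every domain cookie in the response."""
        tracked = {n: v for n, v in set_cookies.items() if n in self.domain_cookies}
        state = "|".join(f"{n}:{_mac(n, v)}" for n, v in sorted(tracked.items()))
        out = dict(set_cookies)
        out[TRACKING_COOKIE] = state
        return out

    def on_request(self, path, header):
        """Return (action, modified_cookie_names); action is allow, alert or block."""
        cookies = parse_cookie_header(header)
        expected = {}
        for item in cookies.get(TRACKING_COOKIE, "").split("|"):
            name, sep, mac = item.partition(":")
            if sep:
                expected[name] = mac
        # A domain cookie whose value no longer matches its HMAC, or that arrives
        # with no HMAC at all (client deleted or forged the tracking cookie),
        # counts as modified, so stripping TSstate does not evade the check.
        modified = [
            n for n, v in cookies.items()
            if n in self.domain_cookies
            and not (n in expected
                     and hmac.compare_digest(_mac(n, v).encode(), expected[n].encode()))
        ]
        if not modified:
            return "allow", []
        blocked = self.blocking and any(n in self.enforced for n in modified)
        action = "block" if blocked else "alert"
        self.log.append({"path": path, "violation": VIOLATION,
                         "cookies": modified, "action": action})
        return action, modified


if __name__ == "__main__":
    # Constructed sample session mirroring the demo: the server sets the DVWA cookies.
    guard = CookieGuard({"JSESSIONID", "security"})
    client = guard.on_response({"JSESSIONID": "abc123sess", "security": "low"})
    hdr = cookie_header(client)
    print(guard.on_request("/instructions.php", hdr))       # ('allow', [])
    tampered = hdr.replace("security=low", "security=hack")
    print(guard.on_request("/instructions.php", tampered))  # ('alert', ['security']) while in staging
    guard.enforce("JSESSIONID", "security")
    print(guard.on_request("/setup.php", tampered))         # ('block', ['security']) once enforced
```

The point of the model is that the server never has to remember what it set: the HMAC travels with the client, and only the holder of the key can produce a valid one, so the client can neither edit a domain cookie nor drop the tracking cookie without being detected. Keeping entities in staging first, as the demo does, lets the learning phase surface legitimate cookie changes (for example, JavaScript that rewrites a cookie client-side) before enforcement turns those into blocked requests.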
That concludes this demonstration on protecting against cookie modification with BIG-IP ASM.