4.3. Create Base WAF Child Policy

Task 1 - Simulate attacks to demonstrate common web app vulnerabilities.

  1. Open browser on jump server and go to https://<Elastic IP>

  2. Enter %' or 1='1 in the Search field and press Enter

    Note

    This is a common SQL injection attack. Although it did not return anything exciting, the search request was accepted, processed, and answered with a normal response.

  3. Enter <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> in the Search field and press Enter

    Note

    This is a common Cross-site scripting (XSS) attack. Although it did not return anything exciting, the search request was accepted, processed, and answered with a normal response.

Task 2 - Create a new WAF policy to mitigate the vulnerabilities using the information in the table below:

Policy Name       waf_baseOnly
Policy Type       Security
Parent Policy     waf_base
Virtual Server    hackazon_vs
Enforcement Mode  Blocking

  1. Select the Security->Application Security->Security Policies->Policies List page

  2. Click Create New Policy

  3. Select Advanced options

  4. Enter waf_baseOnly for Policy Name

  5. Select Security for Policy Type

  6. Enter waf_base for Parent Policy

  7. Select hackazon_vs for Virtual Server

  8. Change Enforcement Mode to Blocking

    ../../_images/image311.png
  9. Click Create Policy

    ../../_images/image312.png

    Note

    This creates a child security policy which inherits its settings from the waf_base parent policy. The parent policy was created using the Rapid Deployment Template, which includes several common security measures and thousands of attack signatures. Signature Staging is disabled for this lab demo but would most likely be enabled in a production environment.

Task 3 - Test WAF policy.

  1. Select the Virtual Servers->Virtual Servers List page

  2. Click the hackazon_vs to display virtual server properties

  3. Click the Security->Policies tab to display Policy Settings

  4. Ensure waf_log profile is selected in the Log Profile

  5. Click Update

    ../../_images/image313.png
  6. Open browser on jump server and go to https://<Elastic IP>

  7. Enter %' or 1='1 in the Search field and press Enter. You should receive a block message similar to the one below. Take note of the Support ID number.

    ../../_images/image314.png
  8. Return to hackazon main page

  9. Enter <script>alert("Your system is infected! Call 999-888-7777 for help.")</script> in the Search field and press Enter. You should see a similar block message. Take note of the Support ID number.

Task 4 - Review WAF event logs on BIG-IP GUI.

  1. Select the Security->Event Logs->Application->Requests page

  2. Select the Event with the matching Support ID noted on the block pages

    ../../_images/image315.png

    Note

    You can view the “Decoded Request” and the “Original Request”; however, the Response is not captured by default.

  3. Select Attack Signatures Detected to view details of the request that triggered the violation.

    ../../_images/image316.png
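The lab exercises the WAF through the GUI only. The following added example (not part of this lab and not F5 code) models in a few dozen lines what Tasks 1, 3 and 4 demonstrate: a request carrying one of the two lab payloads is URL-decoded, matched against signatures, logged under a Support ID, and either blocked (Blocking mode) or let through with the violation still logged (Transparent mode); the Support ID from the block page can then be used to pull the Original and Decoded request from the log, as in Task 4. The two signatures, the 18-digit Support ID format, the request lines and the class and function names are all constructed assumptions for illustration; a real policy built from the Rapid Deployment Template carries thousands of signatures.

```python
import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for attack signatures (assumption: these two patterns
# are enough to cover the lab's SQLi and XSS payloads; real policies carry thousands).
SIGNATURES = {
    "SQLi: quote followed by OR tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
    "XSS: <script> tag in parameter": re.compile(r"<\s*script\b", re.I),
}


@dataclass
class Event:
    """One entry in the request event log, keyed by Support ID."""
    support_id: str
    violation: str
    original_request: str   # request line exactly as received (still URL-encoded)
    decoded_params: dict    # query parameters after URL decoding


class MiniWaf:
    """Toy signature-based inspector with Blocking or Transparent enforcement."""

    def __init__(self, enforcement_mode="Blocking"):
        self.enforcement_mode = enforcement_mode
        self.events = {}  # support_id -> Event

    def inspect(self, request_line):
        """Return a verdict dict for one HTTP request line:
        blocked (bool), violation (str or None), support_id (str or None)."""
        parts = request_line.split()
        if len(parts) < 2:
            raise ValueError("malformed request line")
        target = parts[1]
        # parse_qs performs the URL decoding ("%25%27+or" -> "%' or"); the
        # decoded view is the "Decoded Request", the raw line the "Original Request".
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for values in params.values():
            for value in values:
                for violation, pattern in SIGNATURES.items():
                    if pattern.search(value):
                        return self._violation(request_line, params, violation)
        return {"blocked": False, "violation": None, "support_id": None}

    def _violation(self, request_line, params, violation):
        # Assumption: Support IDs are rendered as an 18-digit decimal string;
        # this generator is constructed for the example, not F5's.
        support_id = str(secrets.randbelow(10**18)).zfill(18)
        self.events[support_id] = Event(support_id, violation, request_line, params)
        # Transparent mode logs the violation but lets the request through;
        # Blocking mode (the lab setting) returns the block page instead.
        blocked = self.enforcement_mode == "Blocking"
        return {"blocked": blocked, "violation": violation, "support_id": support_id}

    def lookup(self, support_id):
        """Task 4 style lookup: the logged event for a block page's Support ID."""
        return self.events.get(support_id)


# Constructed request lines: the two lab payloads URL-encoded as a browser
# submits them from the search form, plus a benign search.
SQLI_REQUEST = "GET /search?searchString=%25%27+or+1%3D%271 HTTP/1.1"
XSS_REQUEST = ("GET /search?searchString=%3Cscript%3Ealert%28%22Your+system+is+infected%21"
               "+Call+999-888-7777+for+help.%22%29%3C%2Fscript%3E HTTP/1.1")
BENIGN_REQUEST = "GET /search?searchString=hat HTTP/1.1"

if __name__ == "__main__":
    waf = MiniWaf("Blocking")
    for req in (SQLI_REQUEST, XSS_REQUEST, BENIGN_REQUEST):
        verdict = waf.inspect(req)
        print(verdict)
        if verdict["support_id"]:
            ev = waf.lookup(verdict["support_id"])
            print("  original:", ev.original_request)
            print("  decoded: ", ev.decoded_params)
```

Running it in Blocking mode prints a verdict with a Support ID for the two attack requests and no Support ID for the benign one; switching the constructor argument to "Transparent" shows why the lab insists on Blocking mode: the violations are still logged, but `blocked` is False and the request would reach Hackazon.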