4.4. Create Credentials Protection WAF Child Policy

Task 1 - Simulate credential attacks.

  1. Open browser on jump server and go to https://<Elastic IP>/user/login

  2. Enter bigmac for Username

  3. Enter a random password for Password. Repeat 5 consecutive times using a different password each time to simulate a brute force attack

    Note

    This is a common brute force attack. In this case the application allowed repeated attempts without lockout. Some applications will send an “account locked” response for a period of time; however, the user can continue repeated attempts to extend the lockout period.

  4. Open a new incognito browser on the jump server and open developer tools. (View->Developer->Developer Tools)

  5. Browse to https://<Elastic IP>/user/login and login as bigmac

  6. Once successfully logged in, review the log in Developer Tools. Highlight login?return_url= and in the right panel scroll to the bottom of Form Data to view the Username and Password.

    ../../_images/image340.png

Task 2 - Create a new WAF policy to mitigate the vulnerabilities using the information in the table below:

================  ===================
Policy Name       waf_baseCredentials
Policy Type       Security
Parent Policy     waf_base
Virtual Server    none
Enforcement Mode  Blocking
================  ===================

  1. Select the Security->Application Security->Security Policies->Policies List page

  2. Click Create Policy

    ../../_images/image341.png

Task 3 - Configure Brute Force Protection

  1. Select Security->Application Security->Sessions and Logins->Login Pages List page

  2. Click Create

    ../../_images/image342.png
  3. Open the Application Security->Anomaly Detection->Brute Force Attack Prevention page and click Create.

  4. Select Security->Application Security->Anomaly Detection->Brute Force Attack Prevention then click Create

  5. Change the Login Page drop-down box to [HTTPS]/user/login

  6. Click Apply Policy to commit changes

    ../../_images/image343.png

Task 4 - Configure Credential Encryption

  1. Select Security->Application Security->Data Protection->DataSafe Profiles

  2. Click Create

    ../../_images/image344.png
  3. Enter protect_credentials for Profile Name

    ../../_images/image345.png
  4. Select URL List and click Add

    ../../_images/image346.png
  5. Select Parameters, then enter username in Parameter Name and click Add

  6. Check the Identify as Username and Encrypt check boxes

  7. Enter password in Parameter Name and click Add

  8. Check the Encrypt check box

    ../../_images/image347.png
  9. Click Login Page Properties

  10. Check Yes for URL is Login Page

  11. Enter My Account for A string should appear

  12. Enter Username or password are incorrect for A string that should NOT appear

    ../../_images/image348.png
  13. Click Save

Task 5 - Assign policies to protect Hackazon App

  1. Select Local Traffic->Virtual Servers->Virtual Servers List and click on hackazon_vs

  2. Select Security then Policy tab

  3. Change Application Security Policy to waf_baseCredentials

  4. Enable Anti-Fraud Profile and select protect_credentials

  5. Click Update

    ../../_images/image349.png

Task 6 - Repeat simulated credential attacks

  1. Open browser on jump server and go to https://<Elastic IP>/user/login
  2. Enter bigmac for Username
  3. Enter a random password for Password. Repeat multiple times using a different password each time to simulate a brute force attack. You should receive a captcha challenge after 3 failed attempts.
  4. Enter the code from the captcha challenge, then enter the correct credentials to log in successfully.
  5. Open a new incognito browser on the jump server and open developer tools. (View->Developer->Developer Tools)
  6. Browse to https://<Elastic IP>/user/login and log in as bigmac
  7. Once successfully logged in, review the log in Developer Tools. Highlight login?return_url= and in the right panel scroll to the bottom of Form Data to view the encrypted Username and Password
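As an added example (not part of this lab guide and not F5's own code), the following Python model shows how the login page properties from Task 4 and the failure threshold observed in Task 6 work together: each login response is classified by the "should appear" / "should NOT appear" strings, and failures are counted per username until a captcha challenge is required. The sample response bodies, the threshold of 3 and the decision labels are constructed assumptions for illustration.

```python
from collections import defaultdict

# Login page properties as configured in Task 4 (lab values).
STRING_SHOULD_APPEAR = "My Account"
STRING_SHOULD_NOT_APPEAR = "Username or password are incorrect"
# Failed attempts before a captcha challenge, as observed in Task 6 (assumption).
FAILURE_THRESHOLD = 3

# Constructed sample response bodies for a failed and a successful login.
FAIL_BODY = "<h1>Login</h1><p>Username or password are incorrect</p>"
OK_BODY = "<h1>My Account</h1><p>Welcome back, bigmac</p>"


def login_succeeded(response_body: str) -> bool:
    """Classify a login response the way the login page properties do:
    success needs the 'should appear' string present AND the
    'should NOT appear' string absent. A page that shows the error
    text next to a 'My Account' navigation link is still a failure."""
    return (STRING_SHOULD_APPEAR in response_body
            and STRING_SHOULD_NOT_APPEAR not in response_body)


class BruteForceDetector:
    """Per-username failed-login counter that demands a captcha once the
    threshold is reached; a successful login resets the counter."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def handle(self, username: str, response_body: str,
               captcha_solved: bool = False) -> str:
        # Over the threshold and no solved captcha: challenge before the
        # application even sees the credentials.
        if self.failures[username] >= self.threshold and not captcha_solved:
            return "challenge"
        if login_succeeded(response_body):
            self.failures[username] = 0
            return "allow"
        self.failures[username] += 1
        return "failed"


def run_lab_sequence() -> list:
    """Replay the Task 6 sequence: five bad passwords for bigmac, then the
    correct password without and with the captcha solved."""
    detector = BruteForceDetector()
    attempts = [("bigmac", FAIL_BODY, False)] * 5
    attempts += [("bigmac", OK_BODY, False), ("bigmac", OK_BODY, True)]
    return [detector.handle(u, body, solved) for u, body, solved in attempts]
```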