Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?

Question

Hello,
&nbsp;
Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?
&nbsp;
My idea is that the F5 can monitor a cookie or parameter from tampering but what about if the a JWT token is used and the client changes the HTTP header with another value that is not a web attack but another stolen JWT token.

aaronjb · Answer

I don't&nbsp;think that ASM has session awareness functionality for JWT tokens at this time; at least based on what I've been able to research for you.
APM can validate JWT tokens (https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-api-protection/api-protection-use-cases.html) which sounds like it would achieve what you're looking for (although I'm not specifically an APM person, so my knowledge there is a little limited).
There is an open RFE (Request For Enhancement) ID against ASM for JWS (JSON Web Security) support which might also bring in the functionality you're looking for - it has been open for a while with little customer/account team interest unfortunately but if you open a case with Support you can ask for your interest to be linked to the ID (ID601999) to help prioritize future development efforts.

liefzimmerman · Answer

Nikoolayy1&nbsp;- I'll see if I can get someone to take a look at your idea and get back to you.

nikoolayy1 · Answer

Thanks for the reply and checks. I was asked if like the session cookie hijacking similar thing can be done for the HTTP header tolken. The APM has nice options of generating such token and validating it as to what can be accessed with it but for hijacking protection when the API clients that are applications can't be checked like for example APM Zero Trust where the users and their devices are non stop checked with APM per-request policies and installed agents on the user devices I will have to review if that is possible.

Forum Discussion

Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?

Recent Discussions

Installing a PKCS 12 File onto an F5 Device

Irule to allow specific IPs

Uploading SKCS 12 File to F5 Device

F5 not Identifying Parameter in Text/Plain Upload

Migration from physical Hardware to R series

Related Content

JWT authorization with NGINX Ingress Controller

Explore how F5 BIG-IP Advanced WAF protects against attacks on GraphQL API

From ASM to Advanced WAF: Advancing your Application Security

SSL Orchestrator Advanced Use Cases: Integrating F5 Advanced Firewall Manager (AFM)

OWASP Tactical Access Defense Series: Broken Function Level Authorization (BFLA)