Forum Discussion

Nik_67256's avatar
Nik_67256
Icon for Nimbostratus rankNimbostratus
Apr 10, 2012

OWASP top 10 Protection - Protection

Hi Aaron,

 

 

How can one ensure protection against OWASP top 10.

 

 

Do know about protecting against Brute force , Cross site scripting , CSRF. But what do we configure to ensure protection against the other top 10 vulnerabilities.

 

 

1) Broken Authentication and session management

 

2) Insecure direct object refernece

 

3) Security Misconfiguration

 

4) Failure to restrict URL access

 

5) Insufficient transport layer protection

 

6) Unvalidated redirects and fowards

 

7) SQL injection (this is believe is protected through attack signatures , in policy->blocking )

 

 

 

Would appreciate if the specific entity to block is clearly indicated e.g. Policy--->entity--->blocking

 

 

 

 

Regards

 

Nik

 

 

  • Hi Nik,

     

     

    See below for responses:

     

     

    1) Broken Authentication and session management

     

     

    Most enterprise applications provide valid session management. However, if you need to, you can enforce login URLs per the ASM config guide:

     

     

    Configuring login URLs to prevent forceful browsing

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_security_policy.html

     

     

    2) Insecure direct object reference

     

     

    You can configure login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application.

     

     

    3) Security Misconfiguration

     

     

    Here's a suggested list of possible issues. Which are you trying to address?

     

     

    https://www.owasp.org/index.php/Top_10_2010-A6

     

     

    4) Failure to restrict URL access

     

     

    Again, as in 2, you can use login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application. You can also use attack signatures and/or URLs to restrict which URLs clients can access.

     

     

    5) Insufficient transport layer protection

     

     

    You can easily redirect all HTTP requests to HTTPS using LTM. You can also restrict which SSL ciphers clients are allowed to use when accessing an HTTPS virtual server:

     

    https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx

     

     

    6) Unvalidated redirects and fowards

     

     

    You can define valid redirects for specific parameter values either globally or per URL.

     

     

    7) SQL injection (this is believe is protected through attack signatures , in policy->blocking )

     

     

    ASM provides very complete SQLi protection through character set restrictions and attack signatures.

     

     

    Aaron
  •  

    Thanks Aaron. Ive put my response under "Nik" below your comments.

     

     

     

    1) Broken Authentication and session management

     

     

     

    Most enterprise applications provide valid session management. However, if you need to, you can enforce login URLs per the ASM config guide:

     

     

    Configuring login URLs to prevent forceful browsing

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_security_policy.html

     

     

    Nik - Will configuring Login URL's only be enough for protection against forceful browzing and broken Authentication

     

     

    2) Insecure direct object reference

     

     

    You can configure login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application.

     

     

    Nik - Will configuring Login URL's only be enough for protection against insecure direct object reference

     

     

    3) Security Misconfiguration

     

     

     

    Here's a suggested list of possible issues. Which are you trying to address?

     

     

    https://www.owasp.org/index.php/Top_10_2010-A6

     

     

    Nik- These issues were thrown up under "OWASP - Security Misconfiguration" during a scan. How can asm address these -

     

     

    a) Alternative version of files detected - Possible to gather sensitive information about web application such as usernames , pwd, m/c name and/or sensitive file locations.Casue- Temporary files were left in production

     

     

    b) Application test script detected - possible to download temp script files.Casue -Temporary files were left in production

     

    Temp files were left in production environment and were downloadable.

     

     

    c) Autocomplete html attribute not disabled for password field.

     

     

    d) Compressed directory found - Its possible to retrieve code of server - side scripts exposing application logic. Casue - Insecure web app programming / config

     

     

     

    4) Failure to restrict URL access

     

     

    Again, as in 2, you can use login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application. You can also use attack signatures and/or URLs to restrict which URLs clients can access.

     

     

    Nik - Will configuring Login URL's only be enough for protection against Failure to restrict URL access.

     

     

    Further , For restricting what URL clients can access , wouldnt applying a policy based on legitimate URLS be very overwhelming/time conmsuming to learn and apply ?

     

     

    5) Insufficient transport layer protection

     

     

     

    You can easily redirect all HTTP requests to HTTPS using LTM. You can also restrict which SSL ciphers clients are allowed to use when accessing an HTTPS virtual server:

     

    https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx

     

     

    Nik - OK

     

     

    6) Unvalidated redirects and fowards

     

     

    You can define valid redirects for specific parameter values either globally or per URL.

     

    Nik - OK

     

    7) SQL injection (this is believe is protected through attack signatures , in policy->blocking )

     

     

     

    ASM provides very complete SQLi protection through character set restrictions and attack signatures.

     

     

    Nik - OK