Forum Discussion
hooleylist
Apr 11, 2012
Hi Nik,
See below for responses:
1) Broken Authentication and session management
Most enterprise applications provide valid session management. However, if you need to, you can enforce login URLs per the ASM config guide:
Configuring login URLs to prevent forceful browsing
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_security_policy.html
2) Insecure direct object reference
You can configure login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application.
3) Security Misconfiguration
Here's a suggested list of possible issues. Which are you trying to address?
https://www.owasp.org/index.php/Top_10_2010-A6
4) Failure to restrict URL access
Again, as in 2, you can use login URLs and/or application flows to ensure clients have successfully authenticated and/or follow an expected path through the application. You can also use attack signatures and/or URLs to restrict which URLs clients can access.
5) Insufficient transport layer protection
You can easily redirect all HTTP requests to HTTPS using LTM. You can also restrict which SSL ciphers clients are allowed to use when accessing an HTTPS virtual server:
https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx
6) Unvalidated redirects and forwards
You can define valid redirects for specific parameter values either globally or per URL.
7) SQL injection (this I believe is protected through attack signatures, in policy->blocking)
ASM provides very complete SQLi protection through character set restrictions and attack signatures.
Aaron
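As an added illustration of the two LTM-side controls Aaron mentions in item 5 (this is not code from his post or from the F5 iRule wiki): one iRule for the plaintext virtual server that redirects to HTTPS, and one for the HTTPS virtual server that refuses sessions negotiated with a weak cipher and adds an HSTS header. The iRule names, the canonical hostname www.example.com and the 128-bit threshold are assumptions.

```tcl
# Example iRule 1 (assumed name: http_to_https_redirect), attached to the
# port-80 virtual server: send every plaintext request to the HTTPS virtual
# server, keeping the path and query string so existing links still work.
when HTTP_REQUEST {
    # Assumed canonical hostname. Do not reflect an arbitrary Host header
    # into the Location header, or the redirect itself becomes an open
    # redirect (the item 6 problem).
    set host [string tolower [HTTP::host]]
    if { $host ne "www.example.com" } {
        set host "www.example.com"
    }
    # Only GET/HEAD can be safely redirected; a POST body would be lost on
    # a 302, so reject those outright instead of silently dropping data.
    if { [HTTP::method] eq "GET" || [HTTP::method] eq "HEAD" } {
        HTTP::redirect "https://${host}[HTTP::uri]"
    } else {
        HTTP::respond 403 content "Use HTTPS"
    }
}

# Example iRule 2 (assumed name: weak_cipher_guard), attached to the
# port-443 virtual server that carries a client-ssl profile: refuse any
# session whose negotiated cipher is below the assumed 128-bit minimum,
# log it for the SOC, and add HSTS so browsers stop trying HTTP at all.
when HTTP_REQUEST {
    if { [SSL::cipher bits] < 128 } {
        log local0. "Weak cipher [SSL::cipher name] ([SSL::cipher bits] bits) from [IP::client_addr]"
        HTTP::respond 403 content "Cipher too weak"
        return
    }
}

when HTTP_RESPONSE {
    # One year, subdomains included; adjust to the site's rollout plan.
    HTTP::header insert "Strict-Transport-Security" "max-age=31536000; includeSubDomains"
}
```

The cipher check is a backstop: the primary control is still the cipher string on the client-ssl profile, which prevents weak suites from being negotiated in the first place.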