A basic OWASP 2017 Top 10-compliant declarative WAF policy
As OWASP Application Security Risks Top 10 is the most recognized report outlining the top security concerns for web application security, it is important to see how to configure F5's declarative Advanced WAF policy to protect against those threats.
This article describes an example of a basic declarative WAF policy that is OWASP 2017 Top 10-compliant. Note that there are policy entities that are customized for the application being protected, in this case a demo application named Arcadia Finance so they will need to be adapted for each particular application to be protected.
The policy was configured following the pattern described in K52596282: Securing against the OWASP Top 10 guide and its conformance with OWASP Top 10 is being verified by consulting the OWASP Compliance Dashboard bundled with F5's Advanced WAF.
Introduction
As described in the above K52596282: Securing against the OWASP Top 10, the current OWASP Top 10 vulnerabilities are:
- Injection attacks (A1)
- Broken authentication attacks (A2)
- Sensitive data exposure attacks (A3)
- XML external entity attacks (A4)
- Broken access control attacks (A5)
- Security misconfiguration attacks (A6)
- Cross-site scripting attacks (A7)
- Insecure deserialization attacks (A8)
- Components with known vulnerabilities attacks (A9)
- Insufficient logging and monitoring attacks (A10)
Most of these vulnerabilities can be mitigated with a properly configured WAF policy while, for the few of them that depend on security measures implemented in the application itself, there are recommended guidelines on application security which will prevent the exploitation of OWASP 10 vulnerabilities.
The declarative Advanced WAF policies are security policies defined using the declarative JSON format, which facilitates integration with source control systems and CI/CD pipelines.
The documentation of the declarative WAF policy (v16.0) can be found here while its schema can be consulted here.
One of the most basic declarative Advanced WAF policies that can be applied is as follows:
{ "policy": { "name": "Complete_OWASP_Top_Ten", "description": "A basic, OWASP Top 10 protection items v1.0", "template": { "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT" } }
As you can see from the OWASP Compliance Dashboard screenshot, this policy is far from being OWASP-compliant but we will use it as a starting point to build a fully compliant configuration.
This article will go through each vulnerability class and show an example of declarative WAF policy configuration that would mitigate that respective vulnerability.
Injection attacks (A1)
As K51836239: Securing against the OWASP Top 10 | Chapter 2: Injection attacks (A1) states:
"An injection attack occurs when:
- An attacker injects a command, query, or code into a vulnerable element of the application.
- The web application server executes the injection.
- The attacker gains unauthorized access, causes a denial of service, steals sensitive data, or causes a similarly nefarious outcome."
Securing against injection attacks entails configuring attack signatures and evasion techniques as well as restricting meta characters and parameters. The following configuration, added to the above basic declarative policy, will meet those requirements:
"signature-settings":{ "signatureStaging": false, "minimumAccuracyForAutoAddedSignatures": "high" }, "blocking-settings": { "evasions": [ { "description": "Bad unescape", "enabled": true, "learn": true }, { "description": "Apache whitespace", "enabled": true, "learn": true }, { "description": "Bare byte decoding", "enabled": true, "learn": true }, { "description": "IIS Unicode codepoints", "enabled": true, "learn": true }, { "description": "IIS backslashes", "enabled": true, "learn": true }, { "description": "%u decoding", "enabled": true, "learn": true }, { "description": "Multiple decoding", "enabled": true, "learn": true, "maxDecodingPasses": 3 }, { "description": "Directory traversals", "enabled": true, "learn": true } ] }
Broken authentication attacks (A2)
According to K35371357: Securing against the OWASP Top 10 | Chapter 3: Broken authentication (A2):
"The Open Web Application Security Project (OWASP) defines broken authentication as incorrect implementation of application functions related to authentication and session management. Using broken authentication, attackers can compromise passwords, keys, or session tokens, or exploit other implementation flaws to assume other users' identities, either temporarily or permanently."
Mitigations include session hijacking protection and tracking user sessions, brute force protection, credential stuffing protection and CSRF protection.
Here is an example of configuration that will enable those features:
"blocking-settings": { "violations": [ { "alarm": true, "block": true, "description": "ASM Cookie Hijacking", "learn": false, "name": "VIOL_ASM_COOKIE_HIJACKING" }, { "alarm": true, "block": true, "description": "Access from disallowed User/Session/IP/Device ID", "name": "VIOL_SESSION_AWARENESS" }, { "alarm": true, "block": true, "description": "Modified ASM cookie", "learn": true, "name": "VIOL_ASM_COOKIE_MODIFIED" }, { "name": "VIOL_LOGIN_URL_BYPASSED", "alarm": true, "block": true, "learn": false } ], "evasions": [ <...> ] }, "session-tracking": { "sessionTrackingConfiguration": { "enableTrackingSessionHijackingByDeviceId": true } }, "urls": [ { "name": "/trading/auth.php", "method": "POST", "protocol": "https", "type": "explicit" } ], "login-pages": [ { "accessValidation": { "headerContains": "302 Found" }, "authenticationType": "form", "passwordParameterName": "password", "usernameParameterName": "username", "url": { "name": "/trading/auth.php", "method": "POST", "protocol": "https", "type": "explicit" } } ], "login-enforcement": { "authenticatedUrls": [ "/trading/index.php" ] }, "brute-force-attack-preventions": [ { "bruteForceProtectionForAllLoginPages": true, "leakedCredentialsCriteria": { "action": "alarm-and-blocking-page", "enabled": true } } ], "csrf-protection": { "enabled": true }, "csrf-urls": [ { "enforcementAction": "verify-csrf-token", "method": "GET", "url": "/trading/index.php" } ]
Note: this is a configuration example customized for Arcadia Finance demo application. The URLs specified in your configuration might be different.
Sensitive data exposure (A3)
According to K05354050: Securing against the OWASP Top 10 | Chapter 4: Sensitive data exposure (A3):
"A sensitive data exposure flaw can occur when you:
- Store or transit data in clear text (most common).
- Protect data with an old or weak encryption.
- Do not properly filter or mask data in transit."
BIG-IP Advanced WAF can protect sensitive data from being transmitted using Data Guard response scrubbing and from being logged with request log masking.
Note: masking sensitive data in the request log is enabled by default.
You can enable Data Guard by adding the following configuration to the policy:
"data-guard": { "enabled": true }
XML external entity attacks (A4)
As per K50262217: Securing against the OWASP Top 10 | Chapter 5: XML external entity attacks (A4):
"According to the Open Web Application Security Project (OWASP), an XXE attack is an attack against an application that parses XML input. The attack occurs when a weakly configured XML parser processes XML input containing a reference to an external entity. XXE attacks exploit Document Type Definitions (DTDs), which are considered obsolete; however, they are still enabled in many XML parsers."
Securing against XXE can be done through disallowing DTDs and enabling XXE attack signatures. The following configuration achieves that:
"blocking-settings": { "violations": [ <...> { "alarm": true, "block": true, "description": "XML data does not comply with format settings", "learn": true, "name": "VIOL_XML_FORMAT" } ], "evasions": [ <...> ] }, "xml-profiles": [ { "name": "Default", "defenseAttributes": { "allowDTDs": false, "allowExternalReferences": false } } ]
Note: XXE attack signatures are enabled by default.
Broken access control (A5)
According to K36157617: Securing against the OWASP Top 10 | Chapter 6: Broken access control (A5):
"Access control, also called authorization, allows or denies access to your application's features and resources. Misuse of access control enables:
- Unauthorized access to sensitive information.
- Inappropriate creation or deletion of resources.
- User impersonation.
- Privilege escalation."
Preventing attacks exploiting broken access control can be done by login enforcement, enabling path traversal or authentication/authorization attack signatures and disallowing file types and URLs. For example, the following configuration will enable the disallowed file type and URL violations and add a disallowed URL:
"blocking-settings": { <...> { "name": "VIOL_FILETYPE", "alarm": true, "block": true, "learn": true }, { "name": "VIOL_URL", "alarm": true, "block": true, "learn": true } ], "evasions": [ <...> ] }, "urls": [ <...> { "name": "/internal/test.php", "method": "GET", "protocol": "https", "type": "explicit", "isAllowed": false } ]
Note: the policy already has a list of disallowed file types configured by default:
Security misconfiguration attacks (A6)
As per K10622005: Securing against the OWASP Top 10 | Chapter 7: Security misconfiguration attacks (A6):
"Misconfiguration vulnerabilities are configuration weaknesses that may exist in software components or subsystems. For example, web server software may ship with default user accounts that an attacker can use to access the system, or the software may contain sample files, such as configuration files, and scripts that an attacker can exploit. In addition, software may have unneeded services enabled, such as remote administration functionality."
Since these vulnerabilities depend on the way the application has been configured, F5 has a number of recommendations for the system administrators describing some techniques used to mitigate this class of attacks - please see the referenced article.
You can then check the relevant items under the OWASP Compliance Dashboard:
Click "Review & Update" to apply the changes.
Cross-site scripting (A7)
According to K22729008: Securing against the OWASP Top 10 | Chapter 8: Cross-site scripting (A7):
"Cross-site scripting (XSS or CSS) occurs when a web application receives untrusted data and then sends that data, without validation, to an end user's web browser. This transaction enables an attacker to send executable code to the victim’s browser and, ultimately, manipulate the end user's session by doing one of the following:
- Session hijacking
- Defacing the website
- Redirecting the user to a site with malicious intent (most common)"
Securing against XSS attacks can be done by enabling the relevant attack signatures and disallowing meta-characters in parameters - the following demonstrates this configuration:
"blocking-settings": { "violations": [ <...> { "name": "VIOL_URL_METACHAR", "alarm": true, "block": true, "learn": true }, { "name": "VIOL_PARAMETER_VALUE_METACHAR", "alarm": true, "block": true, "learn": true }, { "name": "VIOL_PARAMETER_NAME_METACHAR", "alarm": true, "block": true, "learn": true } ]
Insecure deserialization (A8)
As per K01034237: Securing against the OWASP Top 10 | Chapter 9: Insecure deserialization (A8):
"Serialization occurs when an application converts data structures and objects into a different format, such as binary or structured text like XML and JSON, so that it is suitable for other purposes, including the following:
- Data storage
- Messaging
- Remote procedure call (RPC)/inter-process communication (IPC)
- Caching
- HTTP cookies
- HTML form parameters
- API authentication tokens
Deserialization is when an application reverts the serialized output into its original form.
To exploit insecure deserialization, attackers typically tamper with the data in data structures or objects that modify an object's content or change an application's logic."
Protecting against deserialization attacks can be done by performing HTTP header, XML or JSON validation and by enabling the insecure deserialization attack signatures - note that these signatures are enabled by default.
An example of JSON validation configuration can be seen below:
"urls": [ <...> { "name": "/trading/rest/portfolio.php", "method": "GET", "protocol": "https", "type": "explicit", "urlContentProfiles": [ { "headerName": "Content-Type", "headerValue": "text/html", "type": "json", "contentProfile": { "name": "portfolio" } }, { "headerName": "*", "headerValue": "*", "type": "do-nothing" } ] } ], "json-profiles": [ { "name": "portfolio" } ]
Using components with known vulnerabilities (A9)
According to K90977804: Securing against the OWASP Top 10 | Chapter 10: Using components with known vulnerabilities (A9):
"Component-based vulnerabilities occur when a web application component is unsupported, out of date, or vulnerable to a known exploit. The BIG-IP ASM system provides security features, such as attack signatures, that protect your web application against component-based vulnerability attacks."
As a way to customize the WAF policy for the server technologies relevant to your back-end, consider adding them to the policy by enabling, for example, server technologies detection:
"policy-builder-server-technologies": { "enableServerTechnologiesDetection": true }
For a list of recommended actions to mitigate this vulnerability class, please consult the referred article. Once the mitigation measures are in place, check the relevant entries in the OWASP Conformance Dashboard.
Insufficient logging and monitoring (A10)
K97756490: Securing against the OWASP Top 10 | Chapter 11: Insufficient logging and monitoring (A10) describes the recommended configuration to enable comprehensive logging on BIG-IP Advanced WAF. This configuration is not part of the declarative WAF policy so it will not be described here - please follow the instructions in the referred article.
Once logging has been configured, check the relevant items in the OWASP Compliance Dashboard.
After updating the policy, the OWASP Compliance Dashboard should show a full compliance:
Other recommended configurations
In case client connections are passing through a trusted reverse proxy that replaces the source IP address and places the client's IP address in the X-Forwarded-For HTTP header, it is recommended to enable the "Trust X-Forwarded-For" option under the WAF policy:
"general": { "trustXff": true }
The enforcement mode can also be controlled through the policy file, the recommendation being to set it to "transparent" mode while running the CI/CD pipeline in Dev or QA environments (or, if the policy is build outside a CI/CD pipeline, in a similar Pre-Prod environment) and configure it as "blocking" when running into a Production environment:
"enforcementMode":"transparent"
Conclusion
This article has shown a very basic OWASP Top 10 - compliant declarative WAF policy. It is worth noting that, although this WAF policy is fully compliant to OWASP Top 10 recommendations, it contains elements that need to be customized for each individual application and should only be treated as a starting point for a production-ready WAF policy that would most likely need to be configured with additional elements.
The full configuration of the declarative policy used in this example can be found on CodeShare: Example OWASP Top 10-compliant declarative WAF policy