Mitigating OWASP API Security Risk: Injection flaws using F5 XC Platform
Overview of OWASP and F5 Distributed Cloud Web Application and API Protection:
The introductory article covered the basics of OWASP and API security. It also gave a summary of the top 10 vulnerabilities and an overview of F5 Distributed Cloud (F5 XC) Web Application and API Protection (WAAP). This article continues the series and walks through a scenario showing how an injection attack can be mitigated using F5 XC.
Introduction to Injection:
An injection attack is facilitated by a vulnerability that allows an attacker to pass malicious input to the application in an unexpected way. When an application passes user input to its back-end servers, best practice is to validate that input before the request is sent. Without such validation, an attacker can insert special characters (for example, $ to expand an environment variable) or malicious code that escapes the intended scope of the input and exposes sensitive details. Some of these attacks include:
- Executing Linux system calls on back-end servers to get sensitive information
- Allowing an attacker to steal other user tokens, session cookies, etc.
- Running malicious scripts like Cross Site Scripting
Introduction to F5 Distributed Cloud Web Application Firewall:
Most of these exploits can be blocked using F5 Distributed Cloud Web Application Firewall (F5 XC WAF), which ships with a large set of attack signatures for these attack types, categorized as LOW, MEDIUM and HIGH. F5 XC WAF works with a simple default configuration and can be tuned down to individual custom attack signatures. If needed, customers can also explore security events and research the matched attack signatures to decide whether a request is legitimate or illegal and whether it should be blocked or allowed. After analyzing these security events, administrators/SecOps can further tune the existing WAF configuration to fit their business needs.
The demo below shows a simple application login API exercised with the Postman tool, and how injection attacks against this API can be prevented using F5 XC WAF.
First let’s analyze the login API of a demo application. The request payload takes two parameters: users provide a valid username and password to authenticate successfully.
Valid Postman Request:
Illegal Postman Request using SQL Injection:
If the application code does not sanitize and validate its input, an attacker can probe the SQL query used by the request and append malicious SQL (for example, injecting OR 1=1, which is always true and returns data), thereby bypassing the credential check and logging in to the application as shown below.
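To make the bypass described above concrete, the following is an added example (not code from the article or the demo application): a login check written two ways against a constructed in-memory SQLite user table, plus a deliberately simplified pattern check that stands in for the kind of SQL injection signature a WAF matches. The table contents, function names and the regex are assumptions for illustration, not F5's signature set.

```python
import re
import sqlite3

# Constructed sample data standing in for the demo application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Unsanitized concatenation: user input becomes part of the SQL text,
    # so a username such as  ' OR 1=1 --  turns the WHERE clause into a tautology
    # and comments out the password check entirely.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterized query: values are bound separately from the SQL text,
    # so the same payload is compared as a literal string and never matches.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Simplified stand-in for a WAF SQL injection signature (assumption, not F5's rules):
# flags boolean tautologies, SQL comment markers and UNION keywords in a field.
SQLI_PATTERN = re.compile(
    r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?|--|/\*|\bunion\b", re.IGNORECASE)

def flag_sql_injection(value):
    return SQLI_PATTERN.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "wrong"))
    print("parameterized login with payload:", login_safe(db, payload, "wrong"))
    print("payload flagged by pattern check:", flag_sql_injection(payload))
```

Running the block shows the same payload succeeding against the concatenated query, failing against the parameterized one, and being flagged by the pattern check before it reaches the database.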
We can protect our web applications by creating a load balancer and applying F5 XC WAF to it, as follows:
- Login to F5 Distributed Cloud Console with your credentials
- Navigate to Load balancers menu, then expand “Security” section and then click on “App Firewall”
- Create App Firewall with mode as Blocking (refer links for more details)
- Navigate to Manage section and from drop-down select “HTTP Load Balancers”
- Create load balancer and apply above created App Firewall (refer links for more details)
- Open Postman and try to reproduce the SQL injection attack with the same payload shown above
- Validate your request is blocked as below:
- In Distributed Cloud Console, navigate to the security events section, expand the latest requests and filter the logs by your request ID. As shown below, the request is blocked because of the SQL injection signature match:
As demonstrated above, F5 Distributed Cloud WAAP can be used to detect, alert and mitigate Injection vulnerabilities.