Mitigating OWASP Web App Risks: Software and Data Integrity Failures using BIG-IP Advanced WAF

This article is a continuation of the OWASP Web Application security series, providing an in-depth look at OWASP Software and Data Integrity attacks and how to mitigate them using BIG-IP Advanced WAF.

What is Software and Data Integrity Failure?

In today’s digital world, where applications manage sensitive data and power essential operations, ensuring the integrity of both software and data is crucial. It is not only about stopping breaches but about fostering unshakable trust in the systems we depend on.

This risk centers around vulnerabilities that arise when applications fail to properly validate the integrity of their software, data, or dependencies. Such lapses can result in serious outcomes, including data manipulation, supply chain attacks, and compromised applications.

Consequences:

The consequences of OWASP Software and Data Integrity attacks can be severe, impacting both the security and functionality of web applications. Here are some potential outcomes:

  1. Compromised Data Integrity: Attackers may alter, manipulate, or corrupt critical data, resulting in inaccurate information being stored or processed. This undermines the reliability and trustworthiness of the system, especially in sectors where data integrity is vital, such as finance, healthcare, and law.
  2. Malicious Code Execution: Exploiting software vulnerabilities could allow attackers to inject malicious code, leading to unauthorized command execution. This can cause unpredictable system behavior or open backdoors for further attacks.
  3. Damage to Reputation: Data breaches or integrity violations often erode trust among users, customers, and partners, damaging the organization’s reputation. This can lead to a loss of customer loyalty and, ultimately, lost business opportunities.
  4. Financial Consequences: Attacks on software and data integrity may result in significant financial losses, including fines for non-compliance, recovery costs, legal fees, and potential compensation to affected parties. In some cases, these attacks may even result in direct financial theft or fraud.
  5. Compliance Breaches: Many industries are subject to strict regulatory standards (e.g., GDPR, HIPAA, PCI-DSS). A data integrity breach can lead to non-compliance, exposing the organization to legal penalties or loss of certifications for handling sensitive data.

In this article, we will explore how BIG-IP Advanced WAF effectively mitigates these types of attacks through a demonstration.

Example - Manipulating Data Integrity with Insecure File Upload:

Topology:

Demonstration:

For this demonstration, we have set up a vulnerable application (DVWA) on an AWS instance and are utilizing a BIG-IP Virtual Server to direct client requests to the vulnerable application server.

Please follow the link to deploy the DVWA application in Ubuntu.

Also, we need to add the DVWA application as a pool member to the BIG-IP virtual server.

Refer to the adding-pool-info document if you need assistance.

BIG-IP WAF Policy Config Steps:
  1. Log in to the BIG-IP console, go to Security > Application Security > Security Policies, and create a new application policy with the following configurations.

             Enforcement mode: Transparent

             Signature Staging: Enabled

             Virtual Server: <virtual server on which the endpoint (DVWA application) is accessible>

    Note: Staging is enabled by default when creating an application security policy, with a default staging period of 7 days. This can be adjusted based on the customer’s needs. For more details about staging, refer to the Attack Signatures & Staging section.

  2. Now try to access the application through the virtual server.
  3. Try to upload a PHP file through the “file upload” button and verify whether the application permits the upload. This could potentially allow an attacker to modify server files or corrupt data.
  4. Access the uploaded file’s URL to execute it. This could provide the attacker with control over the web server via the uploaded PHP shell, enabling them to read, modify, or delete files, manipulate databases, and alter application data.
  5. The corresponding logs can be found under the BIG-IP Advanced WAF Events > Requests section.
  6. Since the enforcement mode is set to transparent, the attack is detected and logged with an “Alarm” action rather than blocked.

    Let’s change the enforcement mode to blocking.

  7. Now, try to upload the same PHP file using the file upload button.

    As shown here, BIG-IP Advanced WAF successfully detected the attack and blocked it, providing a support ID for reference.

    Let’s see the detailed log in the Events > Requests section.
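The walkthrough above exercises two WAF behaviours: an upload whose file type the policy does not allow (a PHP file containing PHP code), and the difference between transparent enforcement (alarm only) and blocking enforcement (request rejected with a support ID). The following Python script is an added example and is not BIG-IP code or part of the DVWA project; it models those two decisions on a constructed multipart upload so the effect of the enforcement mode can be seen offline. The allowed-extension set, the PHP signature patterns, the multipart parser and the support-ID format are all assumptions for illustration and do not reproduce BIG-IP's real signature set, file-type configuration or ID scheme.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Policy assumptions for this toy (not BIG-IP's real configuration schema).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Constructed patterns standing in for "PHP code in upload" style attack signatures.
PHP_SIGNATURES = [
    re.compile(rb"<\?php", re.I),
    re.compile(rb"<\?=", re.I),
    re.compile(rb"\b(?:system|exec|passthru|shell_exec|eval)\s*\(", re.I),
]


@dataclass
class UploadPart:
    field: str
    filename: Optional[str]   # None for an ordinary form field
    content: bytes


@dataclass
class Verdict:
    action: str                       # "pass", "alarm" or "block"
    violations: list[str] = field(default_factory=list)
    support_id: Optional[str] = None  # issued only when the request is blocked


def parse_multipart(content_type: str, body: bytes) -> list[UploadPart]:
    """Minimal multipart/form-data splitter: enough for the sample requests below."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("missing multipart boundary")
    delimiter = b"--" + m.group(1).encode()
    parts: list[UploadPart] = []
    for chunk in body.split(delimiter)[1:]:       # [0] is the preamble before the first boundary
        if chunk.startswith(b"--"):               # "--boundary--" closes the body
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = re.search(rb'name="([^"]*)"(?:; filename="([^"]*)")?', head)
        if disp is None:
            continue
        filename = disp.group(2).decode() if disp.group(2) else None
        parts.append(UploadPart(disp.group(1).decode(), filename, data.rstrip(b"\r\n")))
    return parts


def find_violations(parts: list[UploadPart]) -> list[str]:
    """Check every file part against the allowed file types and the PHP signatures."""
    violations = []
    for part in parts:
        if part.filename is None:
            continue
        ext = part.filename.rsplit(".", 1)[-1].lower() if "." in part.filename else ""
        if ext not in ALLOWED_EXTENSIONS:
            violations.append(f"Illegal file type '.{ext}' in {part.filename}")
        if any(sig.search(part.content) for sig in PHP_SIGNATURES):
            violations.append(f"Attack signature (PHP code) in {part.filename}")
    return violations


def enforce(parts: list[UploadPart], mode: str) -> Verdict:
    """Transparent mode only raises an Alarm; blocking mode rejects and issues a support ID."""
    violations = find_violations(parts)
    if not violations:
        return Verdict("pass")
    if mode == "transparent":
        return Verdict("alarm", violations)
    if mode == "blocking":
        # Placeholder support ID; BIG-IP's real ID scheme is not modelled here.
        return Verdict("block", violations, support_id=str(secrets.randbelow(10**18)))
    raise ValueError(f"unknown enforcement mode: {mode!r}")


# Constructed sample requests (not captured traffic).
CONTENT_TYPE = "multipart/form-data; boundary=----DemoBoundary7MA4YWxk"
PHP_UPLOAD = (
    b"------DemoBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
    b"100000\r\n"
    b"------DemoBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="uploaded"; filename="test.php"\r\n'
    b"Content-Type: application/x-php\r\n\r\n"
    b"<?php echo 'hello from upload'; ?>\r\n"
    b"------DemoBoundary7MA4YWxk--\r\n"
)
IMAGE_UPLOAD = (
    b"------DemoBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="uploaded"; filename="photo.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"\r\n"
    b"------DemoBoundary7MA4YWxk--\r\n"
)

if __name__ == "__main__":
    for mode in ("transparent", "blocking"):
        v = enforce(parse_multipart(CONTENT_TYPE, PHP_UPLOAD), mode)
        print(f"{mode:>11}: {v.action} {v.violations} support_id={v.support_id}")
    print(f"     benign: {enforce(parse_multipart(CONTENT_TYPE, IMAGE_UPLOAD), 'blocking').action}")
```

Running the script shows the same progression as steps 6 and 7: the PHP upload is reported with an alarm in transparent mode and blocked with a support ID in blocking mode, while the PNG upload passes in both modes. The support ID is what ties a blocked request back to its entry in the Events > Requests log, which is why it is worth surfacing to the user on the block page.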

Conclusion:

In conclusion, BIG-IP Advanced WAF offers robust protection against software and data integrity threats, aligning with OWASP best practices to safeguard applications and sensitive data. By effectively detecting and mitigating vulnerabilities such as data tampering, unauthorized access, and other integrity risks, it ensures the security and trustworthiness of your deployments. With the rapidly evolving threat landscape, utilizing BIG-IP Advanced WAF is a critical step in maintaining secure, reliable, and compliant web application environments.

Reference Links:

https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/

Software and data integrity failures (A8) | Secure against the OWASP Top 10 for 2021

Published Mar 31, 2025
Version 1.0