Mitigating OWASP Web Application Insecure Design using F5 BIG-IP Advanced WAF

This article is part of the OWASP Web Application Security series. It will show you how to reduce the risk of Web Application Insecure Design using web scraping and using BIG-IP Bot Defense.

Introduction to Insecure Design

Insecure design refers to flaws or defects in a software systems planning, architectural design, logic along with vulnerable tools used to build an application, that give opportunity to the attacker to exploit these flaws and make system compromise. Security should always be considered as a priority from the planning to deployment phases. Neglecting security considerations makes the system components loosely coupled and gives rise to major vulnerabilities as mentioned below,

Injection vulnerabilities
Bot attacks
Authentication bypass

The above vulnerabilities can be avoided by carefully considering security during every phase of application implementation. By conducting proper techniques such as input data validation, valid authorization, proper data protection, and log monitoring helps to prevent insecure design vulnerabilities.

BIG-IP provides a unique solution to handle different perceptions of vulnerabilities and provides maximum solution to cover insecure design flaws. Thereby protecting the application from the attackers.

Fig 1: Application with multiple vulnerabilities due to improper design and implementation

Fig 2: BIG-IP Bot Defense protecting the application from Bot attacks

BIG-IP Bot Defense distinguishes between benign and malicious bots and thereby defends the application against automated attacks like web robots (bots).

This article aims to create BIG-IP Bot Defense profile to protect the web application against bot attacks.

Bot Defense configuration and attack mitigation

The steps mentioned below give brief details about creating a Bot Defense policy along with generating bot attacks and mitigating it using BIG-IP.

Generate bot attack
Apply Bot Defense policy using BIG-IP and verify the behavior

Note: Following configs and validation is done on BIG-IP VE with version: BIG-IP 16.1.5.2 Build 0.0.5 Point Release 2 

Step 1: Generating bot attack

An automated script is used to generate the bot attack on the application. Evershop Demo app does not have protection against bots run by scalpers. The automated script performs buying the product in larger quantities in short span of time and reselling the product with higher prices. This causes huge losses for the e-commerce site.

To exploit bot vulnerability in the Application, I chose Evershop e-commerce demo application.

Below is the code used to buy an item from the demo app.

Below logs specify the same items brought multiple times by a single user.

Step 2: Configuring Bot Defense policy and verifying the behavior

Now, let’s apply the Bot Defense policy to BIG-IP and observe the behavior.

On the Main tab, click Security > Bot Defense > Bot Defense Profiles. Click on Create.
Enter the name of the profile.
Select Enforcement Mode as Blocking and Signature Staging upon Update as Disabled.
Click on Save to create the profile.

After configuring a Bot Defense profile, we must assign it to a virtual server to make the application protected from bot attacks.

On the Main tab, click Local Traffic > Virtual Servers and select the virtual server to associate the Bot Defense policy.
Click Security > Policies.
Under Policy Settings for Bot Defense profile, select Enabled and select the Bot Defense profile created above.

Click Update to save the policy settings.

Now, let’s run the above script to generate a bot attack and observe the behavior.

It is observed that Bot Defense prevents bots from accessing the website.

Conclusion

BIG-IP Bot Defense acts as a circle of protection against the issues caused by different kinds of bot attack. With the key strategies involving input validation, distinguishing between benign and malicious bots, logging security events provided by BIG-IP provides a better solution to protect the applications from attacks.