Mitigating OWASP Web Application Risk: Identification and Authentication Failure using BIG-IP
Introduction:
As web applications continue to grow in complexity and reach, they have become prime targets for attackers seeking to exploit weaknesses in identification and authentication mechanisms. Common attack vectors include credential stuffing, brute-force attempts, session hijacking, exploitation of default credentials, and insecure login implementations. These threats fall under the OWASP Top 10 category A07:2021 Identification and Authentication Failures, and they pose serious risks to data privacy, application integrity, and user trust.
Organizations also face significant challenges in implementing and maintaining strong authentication frameworks. Key issues include inconsistent enforcement of policies, inadequate protection against automated login attacks such as credential stuffing, and insufficient visibility into authentication anomalies, especially across large, complex application estates.
Consequences:
The consequences of these failures can be severe, which is why developers and security professionals should understand the risks and take steps to address them. A typical attack uses lists of leaked or commonly used passwords together with automation tools such as Selenium or Postman to attempt logins at scale. If the application has no protection against automated traffic or credential stuffing, an attacker can drive these attempts against the login page and eventually bypass authentication.
The key consequences associated with this risk are:
- Unauthorized Access:
- Attackers may gain access to sensitive user accounts, administrative panels, or internal systems.
- Data Breaches:
- Compromised accounts can expose personal, financial, or proprietary data.
- Account Takeover:
- Through techniques like credential stuffing or brute-force attacks, attackers can fully hijack user accounts.
- Business and Financial Loss:
- Fraudulent transactions, stolen customer data, or disrupted services can lead to significant financial losses.
- Session Hijacking and Replay Attacks:
- Poor session management allows attackers to impersonate users via stolen session tokens.
- Increased Attack Surface:
- Weak or inconsistent authentication increases the likelihood of being targeted repeatedly.
- Attackers may use successful exploits to test other applications in the ecosystem.
- Service Downtime:
- Automated attacks (e.g., credential stuffing bots) can overwhelm login endpoints, causing performance degradation or denial-of-service.
Credential Stuffing:
Credential stuffing is a cyberattack where an attacker uses previously leaked usernames and passwords, often sourced from past data breaches, and tries logging into other websites. Since many users reuse credentials across different platforms, attackers automate login attempts using scripts or bots to gain unauthorized access to accounts on various services.
An attacker might use a Selenium script that reads a list of known or stolen username-password pairs and automates login attempts against the target site by filling in and submitting the login form. The script can detect success or failure from signals such as a page redirect, a change in page content, or an error message.
Problem Statement:
If an application lacks automated protection against threats such as credential stuffing, attackers can exploit the login page by launching credential stuffing attacks to gain unauthorized access.
Demonstration Example 1:
In this demonstration, we will see how BIG-IP helps to mitigate this risk and protect the application seamlessly. Here, we are using the deliberately vulnerable DIWA application to showcase the mitigation steps.
Architecture:
After deploying the DIWA application, and before applying any BIG-IP configuration, log in manually with valid credentials to observe the application's default behavior.
Then try invalid credentials to see how the application responds to a failed login.
Now configure BIG-IP with a virtual server and associate it with the DIWA demo application. Then run the credential stuffing attack using the Selenium script provided below.
Attackers can use simple scripts like the one above to pick out valid logins from large datasets of leaked username-password combinations.
Mitigation Steps using BIG-IP Advanced WAF:
Log in to the BIG-IP console, go to Security > Bot Defense > Bot Defense Profiles, and create a profile with the settings below.
Associate the profile with the virtual server created earlier: on the virtual server's Security > Policies page, enable Bot Defense and select the profile.
Now, when the script is executed again, the configured Bot Defense profile blocks it.
This can also be verified through the corresponding Bot Defense event logs in BIG-IP.
Demonstration Example 2:
Credential stuffing can have serious consequences for banking applications, as attackers use stolen username-password pairs from data breaches to gain unauthorized access to user accounts. Since many individuals reuse credentials across services, these automated attacks can quickly compromise multiple bank accounts, leading to financial theft, unauthorized transactions, and identity fraud. For the bank, this not only results in monetary losses but also damages customer trust and may lead to regulatory penalties for failing to protect sensitive data.
For this demonstration we perform a credential stuffing attack against an application called Vuln Bank. The application is added as a pool member on BIG-IP and is accessed through a virtual server. For more information, refer to how to add a pool member.
Below is the automation script that triggers the attack.
Now let's run the script and see whether we can log in to the application.
After a few failed login attempts, the script logged in to the application successfully.
Mitigation using BIG-IP Access Policy Manager (APM):
Log in to the BIG-IP console, navigate to Access >> API Protection >> Profile, and create a new profile with the following configuration.
Name: name of the profile
Open API File: Upload the Open API i.e. swagger file of the application
DNS Resolver Mode: f5-aws-dns
Other configs are set to default values
After creating the profile, all endpoints of the application appear under the 'Paths' section; APM reads them automatically from the uploaded swagger file. If an endpoint is missing, it can be added manually by clicking the 'Create' button.
Since no OpenAPI file is available for the Vuln Bank application, we manually added all the required endpoints.
Now navigate to the Rate Limiting tab and create a rate limiting configuration as shown below. Here we set a limit of 3 requests per minute with a spike limit of 3 requests in 10 seconds. Note that every request to the endpoint counts against these limits, not only failed logins. The values can be adjusted to the customer's requirements.
Now navigate to the Access Control tab > Per Request Policy and click Edit. A new tab opens showing the policy mapping, as in the screenshot below.
Now add Rate Limiting to the endpoint responsible for logging in to the application, as shown below.
Attach the API protection profile to the virtual server on which the application is running.
Now let's rerun the script and see whether we can still log in to the application.
After three attempts the fourth request was rejected, because the rate limit allows only 3 requests per minute, and the response message shows the same.
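The Python script below is an added example, not code from the original article or from the DIWA or Vuln Bank applications. It models two things described on this page: the attacker loop from the credential stuffing section (replay each leaked username-password pair and classify the outcome from the response, for example a redirect versus an error message), and the APM rate limiting configuration from this demonstration (3 requests per minute with a spike of 3 requests in 10 seconds) as a per-client sliding-window check. The login handler, the account store, the leaked credential list and the response signals are all constructed here for illustration; in the real deployment BIG-IP enforces the limit in front of the application, not application code.

```python
"""Added example: credential stuffing against a toy login endpoint, with and
without a rate limit modelled on the APM API Protection setting described in
the article (3 requests per minute, spike of 3 requests in 10 seconds).
All accounts, credentials and response signals below are constructed for
illustration; nothing here is code from the article, DIWA or Vuln Bank."""
from collections import deque

# Constructed "breach dump": username/password pairs an attacker would replay.
LEAKED_CREDENTIALS = [
    ("alice", "password123"),
    ("alice", "qwerty"),
    ("bob", "letmein"),
    ("alice", "Winter2023!"),   # reused password, valid on the target
    ("bob", "hunter2"),         # reused password, valid on the target
]

# Constructed account store standing in for the demo application's users.
VALID_ACCOUNTS = {"alice": "Winter2023!", "bob": "hunter2"}


class FakeClock:
    """Deterministic clock so the sliding windows can be exercised offline."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginRateLimiter:
    """Per-client sliding-window limiter with the two thresholds used in the
    article's APM configuration: at most `limit` requests per `window` seconds
    and at most `spike` requests per `spike_window` seconds. Every request
    counts, whether the credentials are right or wrong."""
    def __init__(self, limit=3, window=60.0, spike=3, spike_window=10.0, clock=None):
        self.limit, self.window = limit, window
        self.spike, self.spike_window = spike, spike_window
        self.clock = clock or FakeClock()
        self.history = {}   # client key -> deque of request timestamps

    def allow(self, key):
        now = self.clock()
        q = self.history.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # evict requests outside the long window
            q.popleft()
        recent = sum(1 for t in q if now - t < self.spike_window)
        if len(q) >= self.limit or recent >= self.spike:
            return False
        q.append(now)
        return True


def login_endpoint(username, password, client, limiter=None):
    """Toy login handler. Mimics the signals a stuffing script keys on:
    302 redirect to /dashboard on success, 200 with an error message on
    failure, and 429 when the (optional) rate limit rejects the request."""
    if limiter is not None and not limiter.allow(client):
        return 429, "Too many requests"
    if VALID_ACCOUNTS.get(username) == password:
        return 302, "/dashboard"
    return 200, "Invalid username or password"


def stuff_credentials(creds, client="attacker-bot", limiter=None):
    """Attacker loop: replay each leaked pair and classify the outcome from the
    status code / redirect target. Returns [(username, password, outcome), ...]."""
    results = []
    for username, password in creds:
        status, body = login_endpoint(username, password, client, limiter)
        if status == 429:
            outcome = "blocked"
        elif status == 302 and body == "/dashboard":
            outcome = "success"
        else:
            outcome = "failure"
        results.append((username, password, outcome))
    return results


def outcomes(results):
    """Just the outcome column, convenient for comparing runs."""
    return [r[2] for r in results]


if __name__ == "__main__":
    print("unprotected:", outcomes(stuff_credentials(LEAKED_CREDENTIALS)))
    limiter = LoginRateLimiter(clock=FakeClock())
    print("rate limited:", outcomes(stuff_credentials(LEAKED_CREDENTIALS, limiter=limiter)))
```

Without the limiter the fourth pair in the constructed list is a reused password and the loop reports a successful login; with the limiter the first three requests go through and the fourth and fifth are rejected with 429, which is the behaviour observed above. The limiter keys on the client, so a distributed attack that rotates source addresses needs the Bot Defense approach from Example 1 in addition to per-client rate limiting.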
Conclusion:
As shown above, credential stuffing and similar automated brute-force attacks on the login page can be mitigated by configuring Bot Defense on BIG-IP Advanced WAF, or by rate limiting the login endpoint with an APM API Protection profile. This not only makes the application safer but also ensures that automated threats are detected and blocked early, protecting user accounts and sensitive data.
1 Comment
- Janibasha
Employee
Good to see BIG-IP bot defense mitigation solution in action.