Mitigating OWASP Web Application Risk: Injection exploits using F5 BIG-IP

This article is a continuation of the OWASP Top 10 Web Application Security series. It aims to explain Injection attacks and how to stop them using F5 BIG-IP Advanced WAF.


Introduction to Injection attacks

An injection attack involves an attacker sending hostile or malicious code into a vulnerable application. The application can then execute this malicious code without proper validation measures, resulting in providing unauthorized access or control over the application to the attacker. SQL injection exploits can result in massive data loss and disruption as the attacker gains access to and manipulates the database.

Some of the most frequent and easily exploitable injection types are SQL, Cross-Site Scripting (XSS), NoSQL, OS command and LDAP injection.

Fig 1: Attacker getting access to sensitive information by injecting malicious code to web server


Demo Attack and Mitigation steps using F5 BIG-IP Advanced WAF:

BIG-IP Advanced WAF prevents web attacks that gain unauthorized access to the web application by carefully validating user input data. This is achieved by configuring an Advanced WAF security policy.

Fig 2: F5 BIG-IP rejecting malicious requests from attacker and only allowing valid inputs after carefully examining them

The steps below briefly describe creating a security policy, generating a SQL injection attack, and then enforcing attack signatures to block the attack using F5 BIG-IP.

Let us now see a quick demo of a SQL injection attack and mitigate it using a BIG-IP Advanced WAF security policy.

As the vulnerable application for the SQL injection exploit, I chose the OWASP Juice Shop demo application.

Note: The following configs and validations are done on F5 BIG-IP VE with version: BIG-IP 16.1.5.2 Build 0.0.5 Point Release 2


Step 1: Creating a security policy of attack signatures

  • On the Main tab, click Security > Application Security > Security Policies. Click on Create to create the policy.
  • Provide a name in the Name field.
  • From the Virtual Server dropdown, select the virtual server to which this policy should be assigned.
  • Under Learning and Blocking section, make sure Enforcement Mode is set to Blocking, which is the default.
  • Similarly, make sure Signature Staging is set to Enabled, which is the default.
  • Policy Building Learning Mode is set to Automatic by default.
  • The rest of the configs are set to default values.

Note: The default staging period is 7 days. It can be tuned according to customer requirements. If staging is enabled and the enforcement readiness period has not expired, malicious requests are not blocked.

The enforcement readiness period defines the number of days that the system keeps signatures in staging.

For more details on staging and enforcement readiness periods, refer to link.

  • Click on Save to save the security policy configured.

This confirms that the security policy is saved successfully and assigned to the virtual server.

Click on the policy created to update the enforcement readiness period as per the requirements.

  • Click on Save and then click on Apply Policy to apply the modified enforcement readiness period.


Step 2: Attack Generation and Mitigation

Let’s perform an SQL injection attack against the application protected by BIG-IP and observe the behavior.

As shown, we are able to log in to the application even though the credentials supplied are invalid.

Since signature staging is enabled, the system does not enforce signatures to block the request even if it detects a violation. Instead, the system records the request’s information.

The respective attack signature was detected, and it is shown in the log events below.

Once the enforcement readiness period expires, the attack signatures are enforced and attack requests are blocked.

When the same attack is retried after the attack signature has been enforced, the request is blocked.
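To make the staging behaviour described in Steps 1 and 2 concrete, here is an added example (not code from the article or from F5) that models how a policy with Signature Staging enabled treats a matching request before and after the enforcement readiness period expires. The signature name, regex, dates and request lines are constructed for illustration and are not real F5 signature IDs or Juice Shop traffic.

```python
# Added example: minimal model of attack-signature staging in a WAF policy.
# Signature names, patterns and requests are constructed, not F5's own.
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Signature:
    name: str
    pattern: re.Pattern


@dataclass
class SecurityPolicy:
    created: date
    enforcement_readiness_days: int = 7   # default staging period per the article
    signature_staging: bool = True        # "Signature Staging: Enabled" (default)
    enforcement_mode: str = "blocking"    # "Enforcement Mode: Blocking" (default)
    signatures: list = field(default_factory=list)
    log: list = field(default_factory=list)   # recorded violations (log events)

    def staging_expired(self, today: date) -> bool:
        """Staging ends once the enforcement readiness period has elapsed."""
        return today >= self.created + timedelta(days=self.enforcement_readiness_days)

    def inspect(self, request: str, today: date) -> str:
        """Return 'pass', 'alarm' (violation logged, request allowed) or 'block'."""
        hits = [s.name for s in self.signatures if s.pattern.search(request)]
        if not hits:
            return "pass"
        # While a signature is still in staging the system only records the
        # request's information; it does not block, even in Blocking mode.
        if self.signature_staging and not self.staging_expired(today):
            self.log.append((today.isoformat(), "alarm", hits))
            return "alarm"
        if self.enforcement_mode == "blocking":
            self.log.append((today.isoformat(), "block", hits))
            return "block"
        self.log.append((today.isoformat(), "alarm", hits))
        return "alarm"


# Constructed demo signature: a quoted SQL tautology or trailing comment marker,
# the kind of pattern a login-form SQL injection signature looks for.
SQLI_TAUTOLOGY = Signature(
    "sqli_tautology_demo",
    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$", re.IGNORECASE),
)


def build_policy(created: date) -> SecurityPolicy:
    """Policy with the article's defaults and the single demo signature attached."""
    return SecurityPolicy(created=created, signatures=[SQLI_TAUTOLOGY])
```

Calling `inspect` with the same hostile request on a date inside the 7-day window and again after it reproduces the two outcomes seen in the log events above: recorded but allowed, then blocked.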


Conclusion:

SQL injection always poses a threat to an application if the input data is not properly validated. All input to the system must be validated thoroughly to prevent attackers from gaining control. BIG-IP Advanced WAF sanitizes the input data by enforcing robust application security policies, which ensures enhanced protection against such vulnerabilities.


References:

For more detailed guidance on OWASP and the steps to configure an Advanced WAF security policy on F5 BIG-IP, refer to the official documentation below:

https://owasp.org/Top10/A03_2021-Injection/

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-attack-and-bot-signatures-14-1-0/assigning-attack-signatures-to-security-policies.html

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/27.html


Published May 05, 2025
Version 1.0