Mitigating OWASP Web Application Risk: Security Misconfiguration using F5 BIG-IP
This article is a continuation of the OWASP Top 10 Web Application Security series. It aims to explain the risk of Security Misconfiguration and how to reduce it using F5 BIG-IP Advanced WAF.
Introduction to Security Misconfiguration:
Security misconfiguration occurs when security settings are not properly implemented. This exposes the system to risk and can lead to the disclosure of sensitive data. Some common examples are unpatched systems, default settings, unprotected files and directories, and unnecessary open ports and pages. These weaknesses create opportunities for an attacker to compromise systems and steal sensitive data.
Fig 1: An attacker sends XML input containing a reference to an external entity, which is processed by a weak XML parser, resulting in the exposure of sensitive data.
Demo Attack and Mitigation using F5 BIG-IP Advanced WAF:
For the demo, I chose the XXE (XML eXternal Entity) attack scenario to exploit the vulnerability in the system and demonstrate protection against it using F5 BIG-IP Advanced WAF.
Fig 2: XML input is blocked by F5 BIG-IP Advanced WAF
BIG-IP Advanced WAF prevents web attacks that may result in exposure of sensitive data or unauthorized access by the attacker. This is achieved by configuring an Advanced WAF security policy.
As the vulnerable application for the XXE attack, I chose the Mutillidae demo application (see the Mutillidae GitHub repo).
Note: The following configurations and validations were done on F5 BIG-IP VE with version: BIG-IP 16.1.5.2 Build 0.0.5 Point Release 2
Step 1: Creating a security policy of attack signatures
- On the Main tab, click Security > Application Security > Security Policies. Click on Create to create the policy.
- Provide a name in the Name field.
- From the Virtual Server dropdown, select the virtual server to which this policy should be assigned.
- Under the Learning and Blocking section, make sure Enforcement Mode is set to Blocking, which is the default.
- Similarly, make sure Signature Staging is set to Enabled, which is the default.
- Policy Building Learning Mode is set to Automatic by default.
- The rest of the settings are left at their default values.
Note: The default staging period is 7 days. It can be tuned according to customer requirements. If staging is enabled and the enforcement readiness period has not expired, malicious requests will not be blocked.
The enforcement readiness period defines the number of days that the system keeps signatures in staging.
For more details on staging and enforcement readiness periods, refer to this link.
Fig 3: BIG-IP Advanced WAF Security Policy configs
- Click on Save to save the configured security policy.
This confirms that the security policy was saved successfully.
- Click on the created policy to update the enforcement readiness period as required.
- Click on Save and then click on Apply Policy to apply the modified retention period.
Step 2: Attack Generation and Mitigations
First, let’s get an overview of the XXE attack. Many applications handle XML data, such as user input or configuration files. XML supports External Entities, which are references to external resources like files or text outside the XML document. These entities can be reused across multiple XML documents to create more efficient document structures.
Fig 6: XML with External Entity reference
External Entities help to load resources (‘file.txt’) into the XML document, as shown above. If an application is not properly secured, an attacker can send malicious XML data that tricks the system into executing commands and returning sensitive data.
Fig 7: XXE attack to return sensitive information
In the screenshot above, you can see how an attacker has found a way to send malicious XML data through the entity reference “xxe”, which then returns information from “/etc/passwd”, a file that contains data about all the users. This is an example of how attackers exploit a Security Misconfiguration vulnerability.
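To make the detection side concrete, here is an added example (not code from the article or from F5) of the kind of pre-parse screen a WAF signature or an application-side filter applies to an XML request body: it flags entity declarations that reference an external resource, and optionally rejects any DTD at all, which is the hardened-parser setting. The sample bodies are constructed for the example; the `xxe` entity mirrors the request in Fig 7.

```python
import re
from typing import Dict, List

# Pre-parse screen for XML request bodies, modelled on what a WAF attack
# signature checks before the body ever reaches the application's parser.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Matches general (<!ENTITY name SYSTEM ...>) and parameter
# (<!ENTITY % name SYSTEM ...>) declarations that point outside the document.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def inspect_xml_body(body: str, allow_dtd: bool = False) -> Dict[str, object]:
    """Return a verdict dict ('allow' or 'block') for one XML request body.

    allow_dtd=False mirrors a hardened parser that accepts no DTD at all.
    allow_dtd=True only rejects declarations that reference external
    resources, which is closer to a signature-based WAF check.
    """
    externals: List[str] = [m.group(2) for m in EXTERNAL_ENTITY_RE.finditer(body)]
    if externals:
        return {"verdict": "block", "reason": "external entity declaration",
                "entities": externals}
    if DOCTYPE_RE.search(body) and not allow_dtd:
        return {"verdict": "block", "reason": "DTD not permitted", "entities": []}
    return {"verdict": "allow", "reason": "", "entities": []}


# Constructed sample bodies (not captured traffic).
BENIGN = '<?xml version="1.0"?><user><name>alice</name></user>'
INTERNAL_ONLY = ('<?xml version="1.0"?><!DOCTYPE user [<!ENTITY co "Example Inc">]>'
                 '<user><org>&co;</org></user>')
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE user [<!ENTITY xxe SYSTEM '
             '"file:///etc/passwd">]><user><name>&xxe;</name></user>')


def screen(bodies: Dict[str, str], allow_dtd: bool = False) -> Dict[str, str]:
    """Run the screen over a set of labelled bodies and return label -> verdict."""
    return {label: str(inspect_xml_body(b, allow_dtd)["verdict"])
            for label, b in bodies.items()}


if __name__ == "__main__":
    samples = {"benign": BENIGN, "internal": INTERNAL_ONLY, "file_read": FILE_READ}
    for mode in (False, True):
        print(f"allow_dtd={mode}:", screen(samples, mode))
```

With `allow_dtd=False` both DTD-carrying bodies are rejected; with `allow_dtd=True` the internal-entity document passes and only the `xxe` declaration is blocked, which is the behaviour to expect from an enforced attack signature.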
Now, let us send an XXE attack to the Mutillidae demo application to retrieve the contents of the file (‘/etc/passwd’). This attack is performed without BIG-IP in the path.
Fig 8: XXE attack on the Mutillidae demo application
Let’s perform the XXE attack on the application protected by BIG-IP and observe the behavior.
Fig 9: XXE attack on an application protected by BIG-IP with Signature Staging enabled and signatures not enforced.
In the XXE attack above, I chose to retrieve the contents of the file ‘/etc/passwd’, which consists of usernames, user IDs, etc., from the application server.
Since signature staging is enabled, the system detects the violation and logs it, but does not enforce the signatures to block the request.
Fig 10: XXE attack logs
When the signatures are enforced and the same attack is retried, the attack request is blocked.
Fig 11: Support ID of attack request
Fig 12: XXE Attack blocked by BIG-IP Advanced WAF
Conclusion:
The application’s default settings for parsing XML data introduce a vulnerability, leading to the exposure of files and other sensitive information to attackers. F5 BIG-IP Advanced WAF looks for XML injection attempts and blocks them, thereby safeguarding the application against such threats and enhancing the security of the system.
References:
For more detailed guidance on OWASP and the steps to configure an Advanced WAF security policy on F5 BIG-IP, refer to the official documentation below.