Mitigating OWASP Web Application Risk: Vulnerable & Outdated Components using F5 XC Platform

Introduction to OWASP TOP 10 2021:  

The Overview article on mitigation of OWASP Top 10 Application Security risk categories using F5 Distributed Cloud Web App and API Protection (WAAP) covered details about OWASP & mitigation strategy for Injection attacks followed by 3 more articles in sequence covering Broken Access, Authentication and Cryptographic Failures, Security Misconfiguration (check reference links at the end of this article for more details). This article is in continuation of the series and will cover A06:2021 – Vulnerable and Outdated Components. 

Introduction to Vulnerable and Outdated Components: 

Vulnerable and Outdated Components was in 2017 OWASP Top 10 list with a name of “Components with Know Vulnerabilities” and has secured a better position now from #9 to #6 in 2021 OWASP Top 10 list.  

Applications used in enterprises often contain open-source components such as libraries and frameworks (e.g., Junit, Log4J, SonarQube, Open SSL). Such applications are prone to threats such as code injection, buffer overflow, command injection and cross-site scripting from unsupported, out of date open-source components and known exploited vulnerabilities. 

Since numerous computer program components run with the same privileges as the application itself, any vulnerabilities or imperfections within such components can result in a danger to the software/application. Utilizing components which are prone to vulnerabilities makes the application vulnerable to attacks that target any portion of the application stack which makes the security of the application unstable causing threat to the organization’s security. 

Using F5 Distributed Cloud Web Application Firewall (F5 XC WAF) we can identify these vulnerabilities and prevent the impact by configuring the WAF. 

Demonstration: 

In this demonstration we will exploit one of the vulnerabilities of PHP server, admin console page (phpMyAdmin.php) which has sensitive info related to the backend server like homepage location, user info and relative credentials etc. For the demo, we are using ‘Mutillidae’ vulnerable application as the backend server (check reference links for more details). We will also see the detailed prevention steps using Distributed Cloud WAAP. 

Steps: 

In this process, we will configure the enforcement mode as ‘Monitoring’ in the application firewall policy, exploit the vulnerability and will observe the security event log so that we will come to know how the WAF engine is efficiently identifying the threats. 

1. Create a Load Balancer (LB) in Distributed Cloud console and add the Mutillidae application as an origin pool member, Refer F5 Distributed Cloud Tech Docs for configuration steps. 
2. Create a firewall policy with enforcement mode as ‘Monitoring’ and add it to your LB
   • Select WAAP service from Distributed Cloud console homepage. 
   • Navigate to Manage->App Firewall, click ‘Add App Firewall’ 
   • Enter a name, select ‘Enforcement Mode’ as ‘Monitoring’, click ‘Save & Exit’
   • Navigate to Manage->Load Balancers->HTTP Load Balancer. 
   • On the right side of your LB click on three dots (ellipsis) and select ‘Manage Configuration’ as an action, click on ‘Edit Configuration’ 
   • Scroll down, in ‘Security Configuration’, ‘Enable’ WAF (Web Application Firewall) and select the firewall created. Click ‘Save & Exit’ 
     
3. Access the above-mentioned vulnerable PHP server admin page (phpmyadmin.php) and monitor the security event logs.
   

   The above screenshot will show you the admin page that provides sensitive information related to database server which should not be exposed to the outside world. 

    Security Event Logs: 

   • To verify the logs, Select Web application & API Protection (WAAP) service from Distributed Cloud console homepage. 
   • Navigate to Overview --> Dashboard, click on ‘Security Events’ 

   Since the WAF is in monitoring mode the WAF engine has detected and allowed the PHP admin vulnerability as shown below.

   The above screenshot shows the PHP vulnerability signature details with matching info of the security event.
4. Modify the enforcement mode of the firewall policy created to ‘Blocking’ as below
5. Repeat Step3. 

    In the above screenshot you can see how the Distributed Cloud WAF engine has successfully detected and blocked the known vulnerability. 

   Security Event Logs: 

   • Refer step-3 to navigate to dashboard

   Since the WAF is in blocking mode the WAF engine has detected and blocked the PHP admin vulnerability as shown below.

   In the above screenshot you can see the php admin page attack has been successfully identified and blocked by Distributed Cloud WAF engine. 

Conclusion: 

As you can see from the demonstration, the F5 Distributed Cloud WAF was successfully able to detect and restrict the attempt to exploit the known vulnerability of php admin page, a part of vulnerable and outdated components category. 

For further information click the links below: 

1. OWASP Vulnerable and Outdated Component 
2. OWASP Mutillidae II documentation 
3. F5 Distributed Cloud WAAP