Valentin_Tobi

Problem this snippet solves:

This is an example of a basic declarative BIG-IP WAF policy that covers the OWASP Top 10 categories. It is a starting point rather than a production-ready policy: as written it is deployed with `"enforcementMode": "transparent"`, so violations are logged and alarmed but nothing is actually blocked until the mode is switched to `blocking` after the policy has been tuned against real traffic.

A companion DevCentral article discussing this policy in depth accompanies this snippet (the original link was not preserved in this copy).

How to use this snippet:

This policy can be deployed to the BIG-IP through an AS3 declaration (a `WAF_Policy` class referencing the policy JSON). Before enforcing it, review the settings that depend on your deployment: `"trustXff": true` makes the WAF take the client address from the X-Forwarded-For header, which is only safe when the BIG-IP sits behind a trusted proxy that sets or overwrites that header — otherwise a client can spoof the IP used for session tracking and IP-based brute-force decisions. Likewise `"signatureStaging": false` disables the staging period for attack signatures, so once the policy is in blocking mode any signature false positive blocks immediately rather than only being reported.

Code :

{
  "policy": {
    "name": "Complete_OWASP_Top_Ten",
    "description": "Basic OWASP Top 10 protection items, v1.0",
    "template": {
      "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
    },
    "enforcementMode":"transparent",
    "protocolIndependent": true,
    "caseInsensitive": true,
    "general": {
      "trustXff": true
    },
    "signature-settings":{
           "signatureStaging": false,
           "minimumAccuracyForAutoAddedSignatures": "high"
       },
   "blocking-settings": {
     "violations": [
         {
           "alarm": true,
           "block": true,
           "description": "ASM Cookie Hijacking",
           "learn": false,
           "name": "VIOL_ASM_COOKIE_HIJACKING"
         },
         {
           "alarm": true,
           "block": true,
           "description": "Access from disallowed User/Session/IP/Device ID",
           "name": "VIOL_SESSION_AWARENESS"
         },
         {
           "alarm": true,
           "block": true,
           "description": "Modified ASM cookie",
           "learn": true,
           "name": "VIOL_ASM_COOKIE_MODIFIED"
         },
         {
           "name": "VIOL_LOGIN_URL_BYPASSED",
           "alarm": true,
           "block": true,
           "learn": false
         },
         {
           "alarm": true,
           "block": true,
           "description": "XML data does not comply with format settings",
           "learn": true,
           "name": "VIOL_XML_FORMAT"
         },
         {
           "name": "VIOL_FILETYPE",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_URL",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_URL_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_PARAMETER_VALUE_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_PARAMETER_NAME_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         }
     ],
     "evasions": [
       {
         "description": "Bad unescape",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Apache whitespace",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Bare byte decoding",
         "enabled": true,
         "learn": true
       },
       {
         "description": "IIS Unicode codepoints",
         "enabled": true,
         "learn": true
       },
       {
         "description": "IIS backslashes",
         "enabled": true,
         "learn": true
       },
       {
         "description": "%u decoding",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Multiple decoding",
         "enabled": true,
         "learn": true,
         "maxDecodingPasses": 3
       },
       {
         "description": "Directory traversals",
         "enabled": true,
         "learn": true
       }
     ]
   },
   "session-tracking": {
     "sessionTrackingConfiguration": {
       "enableTrackingSessionHijackingByDeviceId": true
     }
   },
   "urls": [
       {
         "name": "/trading/auth.php",
         "method": "POST",
         "protocol": "https",
         "type": "explicit"
       },
       {
         "name": "/internal/test.php",
         "method": "GET",
         "protocol": "https",
         "type": "explicit",
         "isAllowed": false
       },
       {
         "name": "/trading/rest/portfolio.php",
         "method": "GET",
         "protocol": "https",
         "type": "explicit",
         "urlContentProfiles": [
           {
             "headerName": "Content-Type",
             "headerValue": "text/html",
             "type": "json",
             "contentProfile": {
               "name": "portfolio"
             }
           },
           {
             "headerName": "*",
             "headerValue": "*",
             "type": "do-nothing"
           }
         ]
       }
   ],
   "login-pages": [
       {
         "accessValidation": {
           "headerContains": "302 Found"
         },
         "authenticationType": "form",
         "passwordParameterName": "password",
         "usernameParameterName": "username",
         "url": {
           "name": "/trading/auth.php",
           "method": "POST",
           "protocol": "https",
           "type": "explicit"
         }
       }
   ],
   "login-enforcement": {
     "authenticatedUrls": [
       "/trading/index.php"
     ]
   },
   "brute-force-attack-preventions": [
     {
       "bruteForceProtectionForAllLoginPages": true,
       "leakedCredentialsCriteria": {
         "action": "alarm-and-blocking-page",
         "enabled": true
       }
     }
   ],
   "csrf-protection": {
     "enabled": true
   },
   "csrf-urls": [
     {
       "enforcementAction": "verify-csrf-token",
       "method": "GET",
       "url": "/trading/index.php"
     }
   ],
   "data-guard": {
     "enabled": true
   },
   "xml-profiles": [
     {
       "name": "Default",
       "defenseAttributes": {
         "allowDTDs": false,
         "allowExternalReferences": false
       }
     }
   ],
   "json-profiles": [
     {
       "name": "portfolio"
     }
    ],
    "policy-builder-server-technologies": {
        "enableServerTechnologiesDetection": true
    }
  }
}

Tested this on version:

16.0
Comments
forsan

Hi,

how can I deploy this in an alternative partition (not Common)?

Best Regards Andréas

LiefZimmerman

@Valentin_Tobi - is there anything you know of that will address @forsan's question?

Valentin_Tobi

@forsan: here's an AS3 declaration that deploys the WAF policy and the application it protects into the Web-Prod partition (AS3 tenant). Note that the `WAF_Policy` class in this example pulls `policy.json` from a plain-http URL on a lab host with `"ignoreChanges": true`; in production, fetch the policy over HTTPS from a source you control (or use a local/embedded copy), since an unauthenticated HTTP fetch lets anyone on the network path substitute a weaker policy, and `ignoreChanges` (per its name; confirm against the AS3 docs for your version) stops AS3 from re-applying later changes to the referenced file. The IP addresses and profile names are placeholders for the lab environment.

 

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.2.0",
        "id": "Prod_Web_AS3",
        "Web-Prod": {
            "class": "Tenant",
            "defaultRouteDomain": 0,
            "arcadia": {
                "class": "Application",
                "template": "generic",
                "VS_WebApp": {
                    "class": "Service_HTTPS",
                    "remark": "Accepts HTTPS/TLS connections on port 443",
                    "virtualAddresses": ["10.1.10.26"],
                    "redirect80": false,
                    "pool": "pool_NGINX_WebApp",
                    "policyWAF": {
                        "use": "Arcadia_WAF_policy"
                    },
                    "securityLogProfiles": [{
                		"bigip": "/Common/Log all requests"
                	}],
                    "profileTCP": {
			            "egress": "wan",
            			"ingress": { "use": "TCP_Profile" } },
                    "profileHTTP": { "use": "custom_http_profile" },
                    "serverTLS": { "bigip": "/Common/arcadia_client_ssl" }
                },
                "Arcadia_WAF_policy": {
                    "class": "WAF_Policy",
                    "url": "http://10.1.20.4/root/owasp_top10_awaf_policy/-/raw/master/WAF/ansible/bigip/policy.json",
                    "ignoreChanges": true
                },
                "pool_NGINX_WebApp": {
                    "class": "Pool",
                    "monitors": ["http"],
                    "members": [{
                        "servicePort": 8080,
                        "serverAddresses": ["10.1.20.10"]
                    }]
                },
                "custom_http_profile": {
                    "class": "HTTP_Profile",
                    "xForwardedFor": true
                },
                "TCP_Profile": {
        			"class": "TCP_Profile",
        			"idleTimeout": 60 }
            }
        }
    }
}

 

 

forsan

Hi @Valentin_Tobi,

thank you for your help, that worked great!

Is it possible to give a user only Application Security rights on a single partition and still allow that user to send AS3 declarations?

I get the following error when I try this; the same request succeeds with the admin user.

{
"code": 401,
"message": "Authorization failed: user=https://localhost/mgmt/shared/authz/users/api resource=/mgmt/shared/appsvcs/declare verb=POST uri:http://localhost:8100/mgmt/shared/appsvcs/declare referrer:10.0.1.11 sender:10.0.1.11",
"referer": "10.0.1.11",
"restOperationId": 24634210,
"kind": ":resterrorresponse"
}
 
Br Forsan