Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Example OWASP Top 10-compliant declarative WAF policy

Valentin_Tobi
F5 Employee
F5 Employee

on ‎18-Jan-2021 15:25

Problem this snippet solves:

This is an example of a basic declarative BIG-IP WAF policy that is OWASP Top 10-compliant. This policy can be used as a starting point for a production-ready version.

A companion Dev Central article discussing this policy in depth can be found here.

How to use this snippet:

This policy can be deployed through an AS3 declaration to the BIG-IP.

Code :

{
  "policy": {
    "name": "Complete_OWASP_Top_Ten",
    "description": "A basic, OWASP Top 10 protection items v1.0",
    "template": {
      "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
    },
    "enforcementMode":"transparent",
    "protocolIndependent": true,
    "caseInsensitive": true,
    "general": {
      "trustXff": true
    },
    "signature-settings":{
           "signatureStaging": false,
           "minimumAccuracyForAutoAddedSignatures": "high"
       },
   "blocking-settings": {
     "violations": [
         {
           "alarm": true,
           "block": true,
           "description": "ASM Cookie Hijacking",
           "learn": false,
           "name": "VIOL_ASM_COOKIE_HIJACKING"
         },
         {
           "alarm": true,
           "block": true,
           "description": "Access from disallowed User/Session/IP/Device ID",
           "name": "VIOL_SESSION_AWARENESS"
         },
         {
           "alarm": true,
           "block": true,
           "description": "Modified ASM cookie",
           "learn": true,
           "name": "VIOL_ASM_COOKIE_MODIFIED"
         },
         {
           "name": "VIOL_LOGIN_URL_BYPASSED",
           "alarm": true,
           "block": true,
           "learn": false
         },
         {
           "alarm": true,
           "block": true,
           "description": "XML data does not comply with format settings",
           "learn": true,
           "name": "VIOL_XML_FORMAT"
         },
         {
           "name": "VIOL_FILETYPE",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_URL",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_URL_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_PARAMETER_VALUE_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_PARAMETER_NAME_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         }
     ],
     "evasions": [
       {
         "description": "Bad unescape",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Apache whitespace",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Bare byte decoding",
         "enabled": true,
         "learn": true
       },
       {
         "description": "IIS Unicode codepoints",
         "enabled": true,
         "learn": true
       },
       {
         "description": "IIS backslashes",
         "enabled": true,
         "learn": true
       },
       {
         "description": "%u decoding",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Multiple decoding",
         "enabled": true,
         "learn": true,
         "maxDecodingPasses": 3
       },
       {
         "description": "Directory traversals",
         "enabled": true,
         "learn": true
       }
     ]
   },
   "session-tracking": {
     "sessionTrackingConfiguration": {
       "enableTrackingSessionHijackingByDeviceId": true
     }
   },
   "urls": [
       {
         "name": "/trading/auth.php",
         "method": "POST",
         "protocol": "https",
         "type": "explicit"
       },
       {
         "name": "/internal/test.php",
         "method": "GET",
         "protocol": "https",
         "type": "explicit",
         "isAllowed": false
       },
       {
         "name": "/trading/rest/portfolio.php",
         "method": "GET",
         "protocol": "https",
         "type": "explicit",
         "urlContentProfiles": [
           {
             "headerName": "Content-Type",
             "headerValue": "text/html",
             "type": "json",
             "contentProfile": {
               "name": "portfolio"
             }
           },
           {
             "headerName": "*",
             "headerValue": "*",
             "type": "do-nothing"
           }
         ]
       }
   ],
   "login-pages": [
       {
         "accessValidation": {
           "headerContains": "302 Found"
         },
         "authenticationType": "form",
         "passwordParameterName": "password",
         "usernameParameterName": "username",
         "url": {
           "name": "/trading/auth.php",
           "method": "POST",
           "protocol": "https",
           "type": "explicit"
         }
       }
   ],
   "login-enforcement": {
     "authenticatedUrls": [
       "/trading/index.php"
     ]
   },
   "brute-force-attack-preventions": [
     {
       "bruteForceProtectionForAllLoginPages": true,
       "leakedCredentialsCriteria": {
         "action": "alarm-and-blocking-page",
         "enabled": true
       }
     }
   ],
   "csrf-protection": {
     "enabled": true
   },
   "csrf-urls": [
     {
       "enforcementAction": "verify-csrf-token",
       "method": "GET",
       "url": "/trading/index.php"
     }
   ],
   "data-guard": {
     "enabled": true
   },
   "xml-profiles": [
     {
       "name": "Default",
       "defenseAttributes": {
         "allowDTDs": false,
         "allowExternalReferences": false
       }
     }
   ],
   "json-profiles": [
     {
       "name": "portfolio"
     }
    ],
    "policy-builder-server-technologies": {
        "enableServerTechnologiesDetection": true
    }
  }
}

Tested this on version:

16.0
Labels:
Comments
forsan
Altostratus
Altostratus
‎10-Jun-2022 06:36

Hi,

how can I deploy this in an alternative partition (not Common)?

Best Regards Andréas

0 Kudos
LiefZimmerman
Community Manager
Community Manager
‎24-Jun-2022 21:46

@Valentin_Tobi - is there anything you know of that will address @forsan's question?

0 Kudos
Valentin_Tobi
F5 Employee
F5 Employee
‎25-Jun-2022 04:03

@forsan : here's an AS3 declaration that will deploy the WAF policy and the application it protects into Web-Prod partition.

 

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.2.0",
        "id": "Prod_Web_AS3",
        "Web-Prod": {
            "class": "Tenant",
            "defaultRouteDomain": 0,
            "arcadia": {
                "class": "Application",
                "template": "generic",
                "VS_WebApp": {
                    "class": "Service_HTTPS",
                    "remark": "Accepts HTTPS/TLS connections on port 443",
                    "virtualAddresses": ["10.1.10.26"],
                    "redirect80": false,
                    "pool": "pool_NGINX_WebApp",
                    "policyWAF": {
                        "use": "Arcadia_WAF_policy"
                    },
                    "securityLogProfiles": [{
                		"bigip": "/Common/Log all requests"
                	}],
                    "profileTCP": {
			            "egress": "wan",
            			"ingress": { "use": "TCP_Profile" } },
                    "profileHTTP": { "use": "custom_http_profile" },
                    "serverTLS": { "bigip": "/Common/arcadia_client_ssl" }
                },
                "Arcadia_WAF_policy": {
                    "class": "WAF_Policy",
                    "url": "http://10.1.20.4/root/owasp_top10_awaf_policy/-/raw/master/WAF/ansible/bigip/policy.json",
                    "ignoreChanges": true
                },
                "pool_NGINX_WebApp": {
                    "class": "Pool",
                    "monitors": ["http"],
                    "members": [{
                        "servicePort": 8080,
                        "serverAddresses": ["10.1.20.10"]
                    }]
                },
                "custom_http_profile": {
                    "class": "HTTP_Profile",
                    "xForwardedFor": true
                },
                "TCP_Profile": {
        			"class": "TCP_Profile",
        			"idleTimeout": 60 }
            }
        }
    }
}

 

 

forsan
Altostratus
Altostratus
‎26-Aug-2022 00:56

Hi @Valentin_Tobi,

thank you for your help, that worked grate!.

Is it possible to give access to one user to only have Appilcation Security rights to one partition and allowed to send AS3 declarations?

I get the following error when trying this. The same command is working with admin user.

{
"code": 401,
"message": "Authorization failed: user=https://localhost/mgmt/shared/authz/users/api resource=/mgmt/shared/appsvcs/declare verb=POST uri:http://localhost:8100/mgmt/shared/appsvcs/declare referrer:10.0.1.11 sender:10.0.1.11",
"referer": "10.0.1.11",
"restOperationId": 24634210,
"kind": ":resterrorresponse"
}
 
Br Forsan
Version history
Last update:
‎18-Jan-2021 15:25
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC