Example OWASP Top 10-compliant declarative WAF policy

Problem this snippet solves:

This is an example of a basic declarative BIG-IP WAF policy that is OWASP Top 10-compliant. This policy can be used as a starting point for a production-ready version.

A companion Dev Central article discussing this policy in depth can be found here.

How to use this snippet:

This policy can be deployed through an AS3 declaration to the BIG-IP.

Code :

{
  "policy": {
    "name": "Complete_OWASP_Top_Ten",
    "description": "A basic, OWASP Top 10 protection items v1.0",
    "template": {
      "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
    },
    "enforcementMode":"transparent",
    "protocolIndependent": true,
    "caseInsensitive": true,
    "general": {
      "trustXff": true
    },
    "signature-settings":{
           "signatureStaging": false,
           "minimumAccuracyForAutoAddedSignatures": "high"
       },
   "blocking-settings": {
     "violations": [
         {
           "alarm": true,
           "block": true,
           "description": "ASM Cookie Hijacking",
           "learn": false,
           "name": "VIOL_ASM_COOKIE_HIJACKING"
         },
         {
           "alarm": true,
           "block": true,
           "description": "Access from disallowed User/Session/IP/Device ID",
           "name": "VIOL_SESSION_AWARENESS"
         },
         {
           "alarm": true,
           "block": true,
           "description": "Modified ASM cookie",
           "learn": true,
           "name": "VIOL_ASM_COOKIE_MODIFIED"
         },
         {
           "name": "VIOL_LOGIN_URL_BYPASSED",
           "alarm": true,
           "block": true,
           "learn": false
         },
         {
           "alarm": true,
           "block": true,
           "description": "XML data does not comply with format settings",
           "learn": true,
           "name": "VIOL_XML_FORMAT"
         },
         {
           "name": "VIOL_FILETYPE",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_URL",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_URL_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_PARAMETER_VALUE_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         },
         {
           "name": "VIOL_PARAMETER_NAME_METACHAR",
           "alarm": true,
           "block": true,
           "learn": true
         }
     ],
     "evasions": [
       {
         "description": "Bad unescape",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Apache whitespace",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Bare byte decoding",
         "enabled": true,
         "learn": true
       },
       {
         "description": "IIS Unicode codepoints",
         "enabled": true,
         "learn": true
       },
       {
         "description": "IIS backslashes",
         "enabled": true,
         "learn": true
       },
       {
         "description": "%u decoding",
         "enabled": true,
         "learn": true
       },
       {
         "description": "Multiple decoding",
         "enabled": true,
         "learn": true,
         "maxDecodingPasses": 3
       },
       {
         "description": "Directory traversals",
         "enabled": true,
         "learn": true
       }
     ]
   },
   "session-tracking": {
     "sessionTrackingConfiguration": {
       "enableTrackingSessionHijackingByDeviceId": true
     }
   },
   "urls": [
       {
         "name": "/trading/auth.php",
         "method": "POST",
         "protocol": "https",
         "type": "explicit"
       },
       {
         "name": "/internal/test.php",
         "method": "GET",
         "protocol": "https",
         "type": "explicit",
         "isAllowed": false
       },
       {
         "name": "/trading/rest/portfolio.php",
         "method": "GET",
         "protocol": "https",
         "type": "explicit",
         "urlContentProfiles": [
           {
             "headerName": "Content-Type",
             "headerValue": "text/html",
             "type": "json",
             "contentProfile": {
               "name": "portfolio"
             }
           },
           {
             "headerName": "*",
             "headerValue": "*",
             "type": "do-nothing"
           }
         ]
       }
   ],
   "login-pages": [
       {
         "accessValidation": {
           "headerContains": "302 Found"
         },
         "authenticationType": "form",
         "passwordParameterName": "password",
         "usernameParameterName": "username",
         "url": {
           "name": "/trading/auth.php",
           "method": "POST",
           "protocol": "https",
           "type": "explicit"
         }
       }
   ],
   "login-enforcement": {
     "authenticatedUrls": [
       "/trading/index.php"
     ]
   },
   "brute-force-attack-preventions": [
     {
       "bruteForceProtectionForAllLoginPages": true,
       "leakedCredentialsCriteria": {
         "action": "alarm-and-blocking-page",
         "enabled": true
       }
     }
   ],
   "csrf-protection": {
     "enabled": true
   },
   "csrf-urls": [
     {
       "enforcementAction": "verify-csrf-token",
       "method": "GET",
       "url": "/trading/index.php"
     }
   ],
   "data-guard": {
     "enabled": true
   },
   "xml-profiles": [
     {
       "name": "Default",
       "defenseAttributes": {
         "allowDTDs": false,
         "allowExternalReferences": false
       }
     }
   ],
   "json-profiles": [
     {
       "name": "portfolio"
     }
    ],
    "policy-builder-server-technologies": {
        "enableServerTechnologiesDetection": true
    }
  }
}

Tested this on version:

16.0
Published Jan 18, 2021
Version 1.0
ASM Advanced WAF
BIG-IP
OWASP Top 10
OWASP-App-Security
security

Was this article helpful?

4 Comments

Sort By
  • Valentin_Tobi's avatar
    Valentin_Tobi
    Icon for Employee rankEmployee
    Jun 25, 2022

    forsan : here's an AS3 declaration that will deploy the WAF policy and the application it protects into Web-Prod partition.

     

    {
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.2.0",
        "id": "Prod_Web_AS3",
        "Web-Prod": {
            "class": "Tenant",
            "defaultRouteDomain": 0,
            "arcadia": {
                "class": "Application",
                "template": "generic",
                "VS_WebApp": {
                    "class": "Service_HTTPS",
                    "remark": "Accepts HTTPS/TLS connections on port 443",
                    "virtualAddresses": ["10.1.10.26"],
                    "redirect80": false,
                    "pool": "pool_NGINX_WebApp",
                    "policyWAF": {
                        "use": "Arcadia_WAF_policy"
                    },
                    "securityLogProfiles": [{
                		"bigip": "/Common/Log all requests"
                	}],
                    "profileTCP": {
			            "egress": "wan",
            			"ingress": { "use": "TCP_Profile" } },
                    "profileHTTP": { "use": "custom_http_profile" },
                    "serverTLS": { "bigip": "/Common/arcadia_client_ssl" }
                },
                "Arcadia_WAF_policy": {
                    "class": "WAF_Policy",
                    "url": "http://10.1.20.4/root/owasp_top10_awaf_policy/-/raw/master/WAF/ansible/bigip/policy.json",
                    "ignoreChanges": true
                },
                "pool_NGINX_WebApp": {
                    "class": "Pool",
                    "monitors": ["http"],
                    "members": [{
                        "servicePort": 8080,
                        "serverAddresses": ["10.1.20.10"]
                    }]
                },
                "custom_http_profile": {
                    "class": "HTTP_Profile",
                    "xForwardedFor": true
                },
                "TCP_Profile": {
        			"class": "TCP_Profile",
        			"idleTimeout": 60 }
            }
        }
    }
}

     

     

  • forsan's avatar
    forsan
    Icon for Altostratus rankAltostratus
    Aug 26, 2022

    Hi Valentin_Tobi,

    thank you for your help, that worked grate!.

    Is it possible to give access to one user to only have Appilcation Security rights to one partition and allowed to send AS3 declarations?

    I get the following error when trying this. The same command is working with admin user.

    {
    "code": 401,
    "message": "Authorization failed: user=https://localhost/mgmt/shared/authz/users/api resource=/mgmt/shared/appsvcs/declare verb=POST uri:http://localhost:8100/mgmt/shared/appsvcs/declare referrer:10.0.1.11 sender:10.0.1.11",
    "referer": "10.0.1.11",
    "restOperationId": 24634210,
    "kind": ":resterrorresponse"
    }
     
    Br Forsan
  • forsan's avatar
    forsan
    Icon for Altostratus rankAltostratus
    Jun 10, 2022

    Hi,

    how can I deploy this in an alternative partition (not Common)?

    Best Regards Andréas