Automation of OWASP Injection mitigation using F5 Distributed Cloud Platform
Objective:
The purpose of this article is to automate F5 Distributed Cloud Platform (F5 XC) detection and mitigation of OWASP TOP 10 Injection attacks and integrating code in GitHub. This article shows how we can use Terraform, Python and Github workflow to provide the flexibility of updating existing infrastructure after every change using CI/CD event triggers.
For more details about this feature please refer: Injection Attack Mitgation Article
Introduction to Injection:
An application is vulnerable to attack when:
- The data provided is not validated by the application
- User requested schema is not being analyzed before processing
- Data is used within search parameters to extract additional and sensitive records
- If a user tries to use Cross-site Scripting to get some unauthorized data
- Some of the common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), Etc.
In this automation article we are trying to bypass password validation in a demo application using SQL Injection code.
Design:
- For the purpose of reusability, I have separated demo application and F5 XC resources deployments in 2 different flows as below.
1. First, we are deploying a demo application (Juice Shop) as a docker container in AWS EC2 machine (if customer already has their application running, they can skip this and use their application public IP directly in below flow)
2. Once the demo app is deployed, we are using application public IP to configure the origin pool, WAF and load balancer in F5 XC - Once demo application and F5 XC resources are deployed successfully, python script is generating login request consisting of malicious SQL Injection. Once traffic is generated, F5 XC platform WAF will detect and block the malicious request.
- Finally, we are destroying the above resources using terraform
Above workflow is integrated using GitHub Actions file which ensures dynamic deployment of the demo app and F5 XC load balancer which can be exposed using public domain name.
Repo code URL: https://github.com/f5devcentral/owasp-injection-mitigation
Conclusion:
In this article we have showed how we can leverage power of CI/CD deployment to automate end to end verification of injection attacks mitigation using GitHub Actions, Terraform and Python developed in a generic way where users can bring up the complete setup within a few clicks.
For further information check the links below: