Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Mitigating OWASP API Security Risk: Improper Assets Management using F5 XC Platform

Shajiya_Shaik
F5 Employee
F5 Employee

‎16-Mar-2023 05:00 - edited ‎22-Jun-2023 09:04

Overview:  

In the introductory article and subsequent series (overview) we have demonstrated how F5 Distributed Cloud Web App and API Protection (WAAP) has prevented OWASP Top 10 API Security risk categories of 2019 with demonstration. This article is the continuation of this series, demonstrating how to mitigate Improper Assets Management vulnerabilities using F5 Distributed Cloud Platform. 

Introduction to Improper Assets Management:  

A vulnerability that appears when multiple services are left over to an old API version, unprotected, giving access to the attackers to get the sensitive information from the application database. 

Architecture: 

Shajiya_Shaik_0-1677675507802.png

Problem statement: 

Modern applications require fast iteration through the development cycle and sometime old artifacts, such as APIs, are not properly phased out. For example, while the new API (app.service.com/v2) is created, the old API (app.service.com/v1/admin) is deprecated but still available and unprotected by a WAF, provides access to the attacker to get sensitive information of database. 

 

Shajiya_Shaik_2-1677675654829.png

Solution:

In this demonstration, we will see how F5 XC helps to patch the above vulnerability and protect the overlooked, unprotected older versions of APIs (Application Programming Interfaces) from the attackers. 

Mitigation steps using F5 XC: 

Here is the procedure to configure API Protection rules in the load balancer and associate the LB (Load Balancer) to the origin pool (backend application – app.service.com).

  1. Create origin pool 
    Refer pool-creation for more info.
  2. Create http load balancer (LB) and associate the above origin pool to it. 
    Refer LB-creation for more info .
  3. Configure API Protection Rules under load balancer and add the Server URLs and API Groups. 
    Navigate to the load balancer--> API Protection--> configure API Protection Rules.
    Shajiya_Shaik_3-1677675785195.png
    Click on Edit Configuration“ under  Server URLs and API Groups.
    Shajiya_Shaik_4-1677675820918.png
  4. Add an item, give rule name, action, base path. Click on “apply”.
    Shajiya_Shaik_5-1677676036483.png
  5. Click on “Save and Exit” to save the Load Balancer configuration.
  6. Try to access the endpoint through LB domain with v1 version.
    Shajiya_Shaik_6-1677676091659.png
  7. Try to access the endpoint through LB domain with v2 version.
    Shajiya_Shaik_7-1677676205903.pngShajiya_Shaik_8-1677676227304.png
  8. Validate the logs through F5 XC.
    Navigate to WAAP --> Apps & APIs --> Security Dashboard, select your LB and click on ‘Security Event’ tab.

    Shajiya_Shaik_9-1677676313648.png
    Shajiya_Shaik_0-1677742260039.png
    Above screenshot gives the detailed policy information on how F5 XC WAAP is detecting and blocking the attacks based on the configuration under LB --> API Protection Rules --> Base Path.

Conclusion: 

As you can see from the demonstration, the F5 Distributed Cloud WAAP has successfully able to detect and mitigate the vulnerabilities on API endpoints using API protection rules. 

For further information click the links below: 

  1. F5 Distributed Cloud WAAP
  2. F5 Distributed Cloud Services 
  3. OWASP API Security

Labels:
Version history
Last update:
‎22-Jun-2023 09:04
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC