Mitigating OWASP Web Application Risk: Security Misconfiguration using F5 XC Platform
Overview:
This article is a continuation of the series of articles on mitigation of OWASP Web App Top 10 vulnerabilities using F5 Distributed Cloud platform (F5 XC).
Introduction to OWASP Security Misconfiguration:
Security Misconfiguration is a vulnerability that occurs when security best practices are overlooked allowing attackers to get into the system utilizing the loopholes.
The severity of this risk can be identified by the fact that it moved one step up from 6th position in the previous edition of OWASP top 10 (2017) to 5th position in the current edition (2021).
A4:2017-XML External Entities (XXE), which was previously a separate category of risk, is now a part of security misconfiguration.
Below are a few sample scenarios which highlight that the application might be vulnerable to security misconfiguration:
- Unnecessary features like ports, pages, privileges or services are enabled or installed.
- Default accounts and their passwords remain unchanged.
- Over sharing information while doing error handling.
- Forget to apply security patches.
- Vulnerable to XXE attacks.
Demonstration:
In this demonstration we will see how we can exploit the XXE vulnerability in ‘Mutillidae’ application and later steps to prevent it by using F5 Distributed Cloud Web App and API Protection (WAAP).
Note: Mutillidae is a free and opensource web application that is deliberately designed to be vulnerable and is used for web security training. For more details you can refer OWASP Mutillidae II documentation.
Introduction to XXE (XML eXternal Entity):
XXE attack targets an application that parses XML input. This attack occurs when a weakly configured XML parser processes XML input containing a reference to an external entity.
Step by step process:
In the below steps we will first set the enforcement mode as ‘Monitoring’ in the app firewall policy, perform the attack and observe security event logs. This will give us an idea about the application vulnerability and WAF engine efficiency in detecting the threat, and at a later stage we will set the enforcement mode as ‘Blocking’, to let the WAF engine block any such malicious request in future.
Step1: Create a Load Balancer (LB) in F5 Distributed Cloud console and add the application server as an origin pool member. Refer to F5 Distributed Cloud docs for configuration steps.
Step2: Create a WAF policy with enforcement mode as ‘Monitoring’ and add it to your LB
- Select WAAP service from Distributed Cloud console homepage.
- Navigate to Manage->App Firewall, click ‘Add App Firewall’.
- Enter a name, select ‘Enforcement Mode’ as ‘Monitoring’, click ‘Save & Exit’.
- Navigate to Manage->Load Balancers->HTTP Load Balancer.
- On the right side of your LB click on three dots (ellipsis) and select ‘Manage Configuration’ as an action, click on ‘Edit Configuration’.
- Scroll down, in ‘Security Configuration’, ‘Enable’ WAF (Web Application Firewall) and select the app firewall created. Click ‘Save & Exit’.
Step3: Identify and exploit the XXE vulnerability of the application and monitor the security events logs in Distributed Cloud console.
Note: Among various types of XXE attacks, we have chosen one to retrieve the contents of a file (/etc/passwd) containing information related to the users on the system like username, user id etc. from the server’s file system.
In the above screenshot you can see the XXE attack was successful on the vulnerable application as the enforcement is set to ‘Monitoring’ mode in the app firewall policy.The above screenshot shows identified attack signature details in Distributed Cloud Security Event logs and action upon the request as per the enforcement mode applied in app firewall policy.
Step4: Modify the enforcement mode of the firewall policy to ‘Blocking’
Step5: Repeat Step3.
In the above screenshot you can see the XXE attack signature has been successfully identified and blocked by the Distributed Cloud WAF engine.
The Above screenshot shows identified attack signature details in Distributed Cloud Security Event logs and action upon the request as per the enforcement mode applied in app firewall policy.
Conclusion:
As you can see from the demonstration, the F5 Distributed Cloud WAF engine was able to successfully detect and restrict the attempt to exploit the XXE vulnerability.