06-Sep-2022 08:37 - edited 20-Apr-2023 23:27
This article is a continuation of the series of articles on mitigation of OWASP Web App Top 10 vulnerabilities using F5 Distributed Cloud platform (F5 XC).
Security Misconfiguration is a vulnerability that occurs when security best practices are overlooked, leaving gaps that attackers can use to get into the system.
The severity of this risk can be identified by the fact that it moved one step up from 6th position in the previous edition of OWASP top 10 (2017) to 5th position in the current edition (2021).
A4:2017-XML External Entities (XXE), which was previously a separate category of risk, is now a part of security misconfiguration.
Below are a few sample scenarios which highlight that the application might be vulnerable to security misconfiguration:
In this demonstration we will see how we can exploit the XXE vulnerability in ‘Mutillidae’ application and later steps to prevent it by using F5 Distributed Cloud Web App and API Protection (WAAP).
Note: Mutillidae is a free and open-source web application that is deliberately designed to be vulnerable and is used for web security training. For more details, refer to the OWASP Mutillidae II documentation.
XXE attack targets an application that parses XML input. This attack occurs when a weakly configured XML parser processes XML input containing a reference to an external entity.
In the steps below we will first set the enforcement mode to ‘Monitoring’ in the app firewall policy, perform the attack and observe the security event logs. This will give us an idea of the application's vulnerability and of the WAF engine's effectiveness in detecting the threat. At a later stage we will set the enforcement mode to ‘Blocking’, so that the WAF engine blocks any such malicious request in the future.
Step 1: Create a Load Balancer (LB) in the F5 Distributed Cloud console and add the application server as an origin pool member. Refer to the F5 Distributed Cloud docs for configuration steps.
Step 2: Create a WAF policy with the enforcement mode set to ‘Monitoring’ and add it to your LB.
Step 3: Identify and exploit the XXE vulnerability of the application and monitor the security event logs in the Distributed Cloud console.
Note: Among the various types of XXE attacks, we have chosen one that retrieves the contents of a file (/etc/passwd) from the server’s file system; this file contains information about the users on the system such as username, user id etc.
Step 4: Modify the enforcement mode of the firewall policy to ‘Blocking’.
Step 5: Repeat Step 3.
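To make the XXE description above and the Monitoring-versus-Blocking procedure concrete, here is an added example that is not part of the original article and not F5 Distributed Cloud code. It models a tiny request filter with the two enforcement modes the steps describe: in monitoring mode a request carrying an external entity declaration is reported but allowed through, in blocking mode it is rejected. It also shows the application-side hardening (refusing any DTD before parsing) that removes the weak-parser precondition XXE depends on. The function names, the `SecurityEvent` type, the signature name `xxe-external-entity` and the sample request bodies are all constructed for this example.

```python
"""Toy WAF-style inspection of XML request bodies (constructed example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Signature: an entity declaration backed by an external SYSTEM/PUBLIC
# identifier, the construct a weakly configured parser would resolve.
# Parameter entities (<!ENTITY % name SYSTEM ...>) are covered as well.
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

SIGNATURE_NAME = "xxe-external-entity"  # hypothetical signature id


@dataclass
class SecurityEvent:
    """One entry in the security event log."""
    signature: str
    action: str  # "report" (monitoring mode) or "block" (blocking mode)


def inspect_xml_body(body: str, mode: str) -> Tuple[bool, Optional[SecurityEvent]]:
    """Return (allowed, event) for one request body under the given mode.

    mode is "monitoring" or "blocking", mirroring the two enforcement modes
    in the article. A body with no DOCTYPE or no external entity produces
    no event, so internal entities alone are not treated as XXE.
    """
    if mode not in ("monitoring", "blocking"):
        raise ValueError("mode must be 'monitoring' or 'blocking'")
    if _DOCTYPE.search(body) and _EXTERNAL_ENTITY.search(body):
        if mode == "blocking":
            return False, SecurityEvent(SIGNATURE_NAME, "block")
        return True, SecurityEvent(SIGNATURE_NAME, "report")
    return True, None


def safe_parse(body: str) -> ET.Element:
    """Application-side hardening: refuse DTDs entirely, then parse.

    Python's stdlib expat parser does not fetch external entities by default,
    but rejecting DOCTYPE up front makes the protection independent of any
    parser's defaults, which is the usual XXE mitigation guidance.
    """
    if _DOCTYPE.search(body):
        raise ValueError("DOCTYPE/DTD declarations are not accepted")
    return ET.fromstring(body)


def run_enforcement_sequence(body: str) -> List[Tuple[str, bool, str]]:
    """Replay the article's procedure: same request under monitoring, then
    blocking. Returns (mode, allowed, action) per stage."""
    log = []
    for mode in ("monitoring", "blocking"):
        allowed, event = inspect_xml_body(body, mode)
        log.append((mode, allowed, event.action if event else "none"))
    return log


# Constructed sample bodies. The malicious one mirrors the file-retrieval
# variant discussed in the article (an external entity pointing at /etc/passwd).
BENIGN_BODY = '<?xml version="1.0"?><data><user>alice</user></data>'
INTERNAL_ENTITY_BODY = (
    '<?xml version="1.0"?><!DOCTYPE data [<!ENTITY greet "hello">]>'
    "<data>&greet;</data>"
)
MALICIOUS_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<data>&xxe;</data>"
)

if __name__ == "__main__":
    for stage in run_enforcement_sequence(MALICIOUS_BODY):
        print(stage)
    print(safe_parse(BENIGN_BODY).tag)
```

The regex looks only for the external-entity construct, so a DTD that declares purely internal entities passes the WAF check, while `safe_parse` still refuses it; the two layers deliberately have different scopes, the edge filter aiming at the attack signature and the application aiming at the unsafe feature.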
In the above screenshot you can see the XXE attack signature has been successfully identified and blocked by the Distributed Cloud WAF engine.
As you can see from the demonstration, the F5 Distributed Cloud WAF engine was able to successfully detect and restrict the attempt to exploit the XXE vulnerability.