In my Part 1 post, I introduced you to a fast and efficient way of deploying a robust baseline application security policy in front of a real application using F5’s WAF product, BIG-IP Application Security Manager (ASM), and shared the real-world findings of how deploying my security policy in blocking mode provided significant security value by preventing various malicious requests from reaching the backend server.
Today, I want to give a quick illustration of how the same policy deployment helped protect against a 0-day attack. In this example, we’re going to talk about the most recent Apache Struts vulnerability. Apache Struts has had a number of high-profile vulnerabilities discovered in the last few years. It appears that F5 first covered it back in 2014, almost exactly 3 years ago. Then another critical remote code execution vulnerability was discovered in March of this year, and F5 security researcher Gal Goldstein covered the details and the ASM mitigation steps. And on July 7th, yet another remote code execution Struts 2 vulnerability advisory was released.
Fortunately, a properly deployed ASM policy often protects against these zero-day vulnerabilities, and Gal Goldstein has posted an article describing how ASM offers 0-day protection. And while I hope you trust our researcher’s findings, the question of the day is - have you been attacked?
So I looked at the ASM logs in front of the application I deployed a few weeks ago, and the answer is - you bet!
Here’s a screenshot of my ASM log, filtered on the word struts in the URI:
As you can see, I ran this report on July 9th - just a couple of days after the Struts vulnerability was announced. The number highlighted in the top right-hand corner indicates that there have been 141 requests made against my tiny, unadvertised site that were blocked as Struts vulnerability exploits. The screenshot of the latest illegal request shows the depth and breadth of security that my policy provided against this latest vulnerability.
First, as I highlighted in my Part 1 post, the policy blocked the request because an IP address was present in the Host header. This underscores that even if the proper signatures or evasion-technique checks did not exist in my policy to detect this exploit, the request would still have been blocked as illegal by this enforcement alone. Then there is another HTTP compliance violation, highlighted in red - a malformed Content-Type header.
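To make these two HTTP compliance checks concrete, here is a small Python checker added as an illustration (it is not code from the original post, nor F5's ASM implementation). It parses the header block of a raw HTTP/1.1 request and reports the same two conditions the policy enforced: a Host header that is a bare IP literal instead of a hostname, and a Content-Type value that does not follow the type/subtype[; param=value] media-type grammar. The two sample requests are constructed for the example; the Struts request on the page is not reproduced here.

```python
import ipaddress
import re
from typing import Dict, List

# Media type per RFC 7231: token "/" token, then optional ";name=value" parameters.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE_RE = re.compile(
    r"^" + _TOKEN + r"/" + _TOKEN
    + r"(?:\s*;\s*" + _TOKEN + r"=(?:" + _TOKEN + r"|\"[^\"]*\"))*\s*$"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return {lowercased-name: value} for the header block of a raw HTTP request.
    The request line and any body are ignored; lines without a colon are skipped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def host_is_ip_literal(host: str) -> bool:
    """True if the Host value is an IPv4/IPv6 literal (optionally with :port) rather than a name."""
    h = host.strip()
    if h.startswith("["):                       # bracketed IPv6, e.g. [2001:db8::1]:8443
        h = h[1:h.find("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:                     # IPv4 or hostname with a :port suffix
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def content_type_is_malformed(value: str) -> bool:
    """True if the Content-Type value is not a syntactically valid media type."""
    return _MEDIA_TYPE_RE.match(value) is None


def http_compliance_violations(raw_request: str) -> List[str]:
    """Evaluate the two header checks discussed above and list the violations found."""
    headers = parse_headers(raw_request)
    violations: List[str] = []
    host = headers.get("host")
    if host is None:
        violations.append("Host header missing")
    elif host_is_ip_literal(host):
        violations.append("Host header is an IP address")
    ctype = headers.get("content-type")
    if ctype is not None and content_type_is_malformed(ctype):
        violations.append("Content-Type header malformed")
    return violations


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (
    "POST /app/login HTTP/1.1\r\n"
    "Host: shop.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Content-Length: 0\r\n\r\n"
)
SUSPECT_REQUEST = (
    "POST /index.action HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: not a valid media type\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, http_compliance_violations(req) or "no violations")
```

The point of the Host check is that scanners and exploit kits typically target the address they found, so the request carries an IP literal, while real users arrive through a DNS name; a policy that enforces both rules rejects such a request before any attack signature is even consulted.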
But it certainly gets better after this. The entire payload triggered 11 different ASM signatures. You may wonder why that is. The reason is that it takes a number of different hacking techniques to actually exploit this vulnerability - and while you only really need to detect one of them to stop the attack, the total number shows how sophisticated these exploit requests are, as they leverage a combination of hacking techniques and vulnerabilities to exploit this latest one.
However, since the title of my series is “Realizing value from a WAF in front of your application”, I would like to showcase a bit of the economic implications. In September of 2016, news broke of a college student, Ryan Pickren, who earned 15 million frequent flyer miles from United Airlines by participating in their bug bounty program. United has various payouts for security researchers who report vulnerabilities found in its public-facing sites. While the details of the bugs/issues discovered under the bug bounty program remain confidential, one can probably deduce that Pickren very likely collected 15 million miles by uncovering highest-value issues that pay 1 million miles each. United classifies remote code execution vulnerabilities - the same category as the Struts 2 vulnerability we just discussed - among the highest payouts that qualify for 1 million miles. So we could reasonably conclude that Pickren discovered 15 remote code execution issues. What was the cost to United? They value each mile at $0.02, so Pickren collected (and United expensed) $300,000 in value. And of course, Pickren is not the only researcher who collected million-mile payouts from United - there are others as well. A WAF should definitely cost less.