
anti-defacement

Amit585731
Nimbostratus

Hi,

We are comparing ASM with FortiWeb and SecureSphere and wanted to understand whether ASM or AWAF can support anti-defacement. I couldn't find any article on F5.

Thank you for your help.


4 REPLIES

samstep
MVP

Defacement attacks are usually executed by exploiting either Cross-Site Scripting (XSS) or Remote Code Execution (RCE) attacks - both can be detected and blocked by ASM. In other words - in order to deface a website, the hackers first have to exploit a vulnerability, hack into your web application / web server, and replace the website contents in the CMS or upload and change files on the web server.

FortiWeb offers a specific anti-defacement service by monitoring the contents of the website - this is not really practical for many modern web applications, as the website content changes all the time. However, in ASM you can use Data Guard to monitor data leakage for specific keywords to achieve extra monitoring and blocking for defacement (provided hackers manage to break into your website protected by F5 ASM WAF).


James_Rey
Nimbostratus

Hi Samstep,

Basically, their Anti Web Defacement prevents all changes on the web servers, whether they come from a trusted (developers) or untrusted source. If someone changes it, FortiWeb has a backup of all files in the folder it is protecting and restores it to the original state. If a developer needs to change or update the web server, FortiWeb can allow changes for a specific timeframe and blocks them again when it expires.

I believe F5 doesn't have this kind of feature, but I think we should focus on what the Anti Web Defacement of FortiWeb resolves and what the equivalent process on F5 is to achieve the same goal. Can you suggest what our approach to this can be?


Akhtar
Nimbostratus

Hi,

You may get a hash of each individual landing page and apply an iRule, something like the following, to see if the page in the response has the same hash before sending it over to the client.

 

 

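# HASH is a data group holding the base64 SHA-384 hash of each original page
when HTTP_RESPONSE {
    # Collect the response body so that it can be hashed
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } {
        HTTP::collect [HTTP::header "Content-Length"]
    }
}
when HTTP_RESPONSE_DATA {
    if { [class match [b64encode [CRYPTO::hash -alg sha384 [HTTP::payload]]] equals HASH] } {
        # Hash matches an original page: send it to the client
        HTTP::release
    } else {
        # Hash is unknown: drop the connection instead of serving the page
        reject
    }
}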

Hello,

I see this solution is not the same as the anti-defacement feature on FortiWeb.

You can research it at this link: Anti-defacement (fortinet.com)

If we use the HASH, this only protects the web page when sending it to the client. But this feature is to protect web page content on the server.

Thanks,
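
The server-side behaviour described in this thread (a backup of the protected folder, restore on change, and a timed change window) as an added example; it is not part of any post above and is not FortiWeb or F5 code. The function names, directory layout and sample files are constructed for illustration, and hashes use the same base64 SHA-384 encoding as the iRule in the thread.

```python
import base64, hashlib, shutil, tempfile, time
from pathlib import Path

def b64_sha384(data: bytes) -> str:
    # Same encoding as the iRule in the thread: base64 of the raw SHA-384 digest
    return base64.b64encode(hashlib.sha384(data).digest()).decode()

def build_baseline(web_root: Path, backup: Path) -> dict:
    """Copy every file into the backup folder and record its hash."""
    baseline = {}
    for f in sorted(p for p in web_root.rglob("*") if p.is_file()):
        rel = f.relative_to(web_root).as_posix()
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, backup / rel)
        baseline[rel] = b64_sha384(f.read_bytes())
    return baseline

def check_and_restore(web_root, backup, baseline, change_window_until=0.0, now=None):
    """Report added/modified/deleted files; roll back unless a change window is open."""
    now = time.time() if now is None else now
    current = {p.relative_to(web_root).as_posix() for p in web_root.rglob("*") if p.is_file()}
    findings = {rel: "added" for rel in current - set(baseline)}
    for rel, digest in baseline.items():
        if rel not in current:
            findings[rel] = "deleted"
        elif b64_sha384((web_root / rel).read_bytes()) != digest:
            findings[rel] = "modified"
    if now >= change_window_until:  # window closed: restore the original state
        for rel, kind in findings.items():
            target = web_root / rel
            if kind == "added":
                target.unlink()
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(backup / rel, target)
    return findings

def demo(change_window_until=0.0, now=None):
    """Constructed sample site in a temp dir: one page changed, one deleted, one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        root, bak = Path(tmp, "www"), Path(tmp, "backup")
        root.mkdir(); bak.mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "about.html").write_text("<p>About</p>")
        base = build_baseline(root, bak)
        (root / "index.html").write_text("<h1>defaced</h1>")
        (root / "about.html").unlink()
        (root / "dropped.txt").write_text("unexpected file")
        found = check_and_restore(root, bak, base, change_window_until, now)
        return found, (root / "index.html").read_text(), sorted(p.name for p in root.iterdir())
```

The backup folder and the baseline have to live where the web application's own account cannot write, otherwise whoever changes the pages can change the reference copy too.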