asm
Allow only specific IP Address to only specific URL/route in ASM
Hello, Is there a way to limit the access to only allow a specific source IP address to an API? For example, allow only IP address a.b.c.d to access https://myexample.com/myapifortest and block any other IP addresses. All other IP addresses will not have access to this API but will have access to any other path.
Solved · 3.1K Views · 0 likes · 1 Comment
AWAF Path Parameters with OPENAPI json file
Hi, I am securing an API with a JSON OpenAPI file. It mostly works fine; however, I have two positional parameters used in one URL that seem to mask the following paths: "/dqm/v1/projects/{customerId}/{pageNumber}" and "/dqm/v1/projects/projectDetails/{workRequestId}". The result is illegal parameter length violations on a URL that is actually valid. The two paths have different operationId headers associated with them. Does the WAF use the operationId to match the path? It appears not, as if I delete the operationId from the API file then the policy matches the correct URL. Any assistance in understanding what is happening and why is appreciated.

Allowed URLs extract from the OpenAPI file:

```yaml
/dqm/v1/projects/{customerId}/{pageNumber}:
  get:
    tags:
      - customer-projects-controller
    operationId: getCustomerProjectsForIdperPage
    parameters:
      - name: customerId
        in: path
        required: true
        schema:
          type: string
      - name: pageNumber
        in: path
        required: true
        schema:
          type: string
    responses:
      '200':
        description: OK
        content:
          '*/*':
            schema:
              $ref: '#/components/schemas/CustomerProjectsResponse'
/dqm/v1/projects/projectDetails/{workRequestId}:
  get:
    tags:
      - customer-projects-controller
    operationId: getProjectDetailswithID
    parameters:
      - name: workRequestId
        in: path
        required: true
        schema:
          type: string
    responses:
      '200':
        description: OK
        content:
          '*/*':
            schema:
              $ref: '#/components/schemas/ProjectDetailsResponse'
```
Solved · 1.8K Views · 1 like · 5 Comments
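An added example, not part of the original post or of any F5 code, that shows the spec-level overlap between the two templates quoted above. Under the conventional reading of OpenAPI 3 path templating assumed here (a `{param}` stands for exactly one path segment), every request to `/dqm/v1/projects/projectDetails/<id>` satisfies both templates, with `projectDetails` captured as `customerId`; the specification leaves such ambiguous matches to the tooling and does not use `operationId` for URL matching at all. How AWAF orders overlapping templates is not stated in the post, so the "most literal segments wins" rule below is one reasonable resolution, not a description of the product. The request URL in the demo is constructed.

```python
import re

# The two path templates quoted in the post.
TEMPLATES = [
    "/dqm/v1/projects/{customerId}/{pageNumber}",
    "/dqm/v1/projects/projectDetails/{workRequestId}",
]


def template_to_regex(template: str) -> re.Pattern:
    """Compile an OpenAPI path template into an anchored regex.

    Assumption: each {param} matches one path segment (no '/'), which is the
    usual reading of OpenAPI path parameters. Literal text is escaped verbatim.
    """
    parts = []
    for piece in re.split(r"(\{[^/}]+\})", template):
        if piece.startswith("{") and piece.endswith("}"):
            parts.append(f"(?P<{piece[1:-1]}>[^/]+)")
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$")


def matching_templates(path: str, templates=TEMPLATES) -> dict:
    """Return {template: captured parameters} for every template that matches path."""
    hits = {}
    for t in templates:
        m = template_to_regex(t).match(path)
        if m:
            hits[t] = m.groupdict()
    return hits


def literal_segments(template: str) -> int:
    """Count the non-parameter segments; a natural 'most specific first' sort key."""
    return sum(1 for s in template.strip("/").split("/") if not s.startswith("{"))


def most_specific(path: str, templates=TEMPLATES):
    """Pick the matching template with the most literal segments, or None.

    This is a hypothetical resolution rule for the demo, not AWAF's behaviour.
    """
    hits = matching_templates(path, templates)
    if not hits:
        return None
    return max(hits, key=literal_segments)


if __name__ == "__main__":
    url = "/dqm/v1/projects/projectDetails/WR-2024-000123"   # constructed request path
    for template, params in matching_templates(url).items():
        print(template, "->", params)
    print("most specific:", most_specific(url))
```

Run it and the first line shows `customerId='projectDetails'`, `pageNumber='WR-2024-000123'`: if a consumer of the spec settles on the first template, every length or type restriction learned for `pageNumber` is applied to a work-request identifier, which is the shape of the violation described in the post. Renaming or removing `operationId` changes nothing in this resolution; only the template order or a "concrete segments first" rule does.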
F5 BIG-IP Advanced WAF: OWASP Top 10 Application Security Risks 2021 Compliance Dashboard

Introduction

The number of vulnerabilities, and of application and API attacks that exploit them, has risen steadily. The Log4j vulnerability and the Log4Shell exploit built on it are one example that continues to impact many organizations today. This is where a web application firewall (WAF) can protect your apps and APIs.

One of the most respected authorities in web application security is the Open Web Application Security Project (OWASP). OWASP is an open-source project to improve web application security: a coalition of individual contributors and sponsor companies who contribute resources to the project. One of its best-known deliverables is the OWASP Top 10 list. Because the relative severity of web application risks changes over time, the list is updated periodically: the first version was created in 2004, with revisions in 2007, 2010, 2013, 2017 and, most recently, 2021.

Figure 1: OWASP Top 10 Web Application Security Risks of 2021

F5 delivers a number of security solutions that mitigate vulnerabilities in the OWASP categories and the exploits produced from them. To help you measure and improve coverage of the OWASP Top 10, F5 BIG-IP Advanced WAF includes a dedicated OWASP compliance dashboard. It lets security admins check how well each policy is configured to defend against the OWASP Top 10, modify the policy to close gaps, and reach 100% coverage on the dashboard's measure. The dashboard provides a holistic, interactive view of the level of mitigation the SecOps team has applied against each OWASP Top 10 category, with an overall assessment of each policy and the percentage of protection it provides per category.
SecOps can raise or adjust the level of protection in real time by enabling pre-defined protections that mitigate each category and its associated exploits, directly from the BIG-IP Advanced WAF OWASP Top 10 2021 dashboard, without leaving that single screen.

Protection Overview

The OWASP Compliance screen lists all security policies. Clicking a policy displays its OWASP compliance status and the coverage for each category.

Figure 2: OWASP Compliance screen

Expanding a category shows the compliance percentage, a description of that security risk, and the configuration required for full coverage of the category. Each category is broken down into specific protections, positive and negative security controls alike, that can be enabled, disabled, or ignored directly on the dashboard according to your organization's requirements:

Required Attack Signatures: enforce all the attack signatures relevant to this attack type directly from the dashboard.

Required Policy Entities: add protection components such as cookie and login enforcement, data masking, evasion-technique detection, allowed methods, URLs, and the other configuration relevant to each attack type.

In addition to WAF-specific protections, the OWASP Compliance Dashboard also lists security best practices to follow in your processes, such as vulnerability scanning or using trusted repositories.
Figure 3: OWASP category A03 Injection – protection and compliance

The following video shows how to monitor the compliance coverage of each security risk and how to enhance an organization's security configuration directly from the dashboard to reach full compliance against the OWASP Top 10 vulnerabilities being actively exploited.

Conclusion

Web applications remain a top target for automated attacks, data exfiltration and vulnerability exploitation. The compliance dashboard lets you do more than check a regulatory box: it reports a security score for each deployed policy against the OWASP Top 10, shows each policy's coverage status, highlights where protections should be improved, and lets the security configuration be performed directly from the dashboard.

To learn more, please visit:
How to deploy a basic OWASP Top 10 for 2021 compliant declarative WAF policy for BIG-IP
K45215395: Guide introduction and contents | Secure against the OWASP Top 10 for 2021
K000135973: Guide Introduction and contents | APIs and the OWASP Top 10 guide (2023)
Mitigating OWASP API Security risks using BIG-IP
BIG-IP Advanced WAF Webpage
Overview of BIG-IP
1.6K Views · 0 likes · 0 Comments
Can the F5 Advanced WAF protect the JWT token in an HTTP authorization header?
Hello, Can the F5 Advanced WAF protect the JWT token in an HTTP Authorization header? My understanding is that the F5 can monitor a cookie or parameter for tampering, but what about if a JWT token is used and the client changes the HTTP header to another value that is not a web attack but another, stolen JWT token?
1.6K Views · 0 likes · 3 Comments
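An added example, not from the original post and not F5 code, that separates the two cases the question mixes: a token whose bytes were edited, and a different token that is validly signed but belongs to someone else. Signature verification catches only the first; the second is indistinguishable by signature alone, whoever does the check, so the defence has to be issued with the token (short expiry, audience pinning, and a proof-of-possession claim). The code implements compact JWS with HS256 from the standard library only; the key, audience, claims and the `cnf` binding scheme (SHA-256 of a secret the legitimate client holds, a stand-in for a certificate or DPoP key thumbprint) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key and audience; not from the original post.
SECRET = b"demo-hs256-key-not-for-production"
AUDIENCE = "myexample-api"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cnf_for(client_secret: bytes) -> str:
    """Confirmation value for the 'cnf' claim: SHA-256 of a secret only the
    legitimate client holds (demo stand-in for a cert or DPoP key thumbprint)."""
    return hashlib.sha256(client_secret).hexdigest()


def issue(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact JWS (HS256) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, key: bytes = SECRET, now: Optional[float] = None,
           bound_secret: Optional[bytes] = None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.

    Checks, in order: structure, algorithm pinning (no 'none' / alg confusion),
    signature (constant-time compare), expiry, audience, and, when the token
    carries a 'cnf' claim, proof that the presenting client holds the bound secret.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    cnf = claims.get("cnf")
    if cnf is not None and (bound_secret is None or cnf != cnf_for(bound_secret)):
        raise ValueError("token not bound to this client")
    return claims


def check(token: str, **kwargs) -> str:
    """'ok' or the rejection reason, for showing outcomes side by side."""
    try:
        verify(token, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    alice = issue({"sub": "alice", "aud": AUDIENCE, "exp": now + 600})
    bob = issue({"sub": "bob", "aud": AUDIENCE, "exp": now + 600})
    print("alice's own token:", check(alice, now=now))
    print("bob's stolen token presented by alice:", check(bob, now=now))   # still "ok"
    h, _, s = alice.split(".")
    forged_payload = b64url(b'{"sub":"admin"}')
    print("edited payload, old signature:", check(f"{h}.{forged_payload}.{s}", now=now))
    carol = issue({"sub": "carol", "aud": AUDIENCE, "exp": now + 600,
                   "cnf": cnf_for(b"carol-client-secret")})
    print("bound token with the right client secret:",
          check(carol, now=now, bound_secret=b"carol-client-secret"))
    print("bound token replayed from another client:",
          check(carol, now=now, bound_secret=b"attacker"))
```

The stolen-token line prints `ok`: that is the asker's scenario, and no inspection of the header bytes can change it. The last two lines show what does change it: once the issuer puts a `cnf` binding in the token, a verifier that also demands the bound secret rejects the replay even though the signature is perfect.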
ADFS Proxy balancing with LTM and Advanced WAF, without APM
Looking to do a new F5 configuration to load balance, and protect with Advanced WAF, a pair of existing Office 365 ADFS Proxy servers running the 2019 version. I see that F5 is no longer supporting iApps for Office 365. The new supported configuration seems to be using Guided Configuration. All articles I've found so far require using APM. The F5 appliances we can use are running version 15.1.x and don't have APM, only LTM and Advanced WAF. Is there an officially supported solution to do ADFS Proxy (version 2019 or later) load balancing with Advanced WAF protections? If there isn't, should we still use the last version of the iApp templates instead?
1.6K Views · 0 likes · 5 Comments
BigIP ASM Problems with FileUploads with SOAP
Hi there, currently my ASM policy is blocking a file upload for one application with the error message:

HTTP protocol compliance failed
Chunks number exceeds request chunks limit: 1000

I raised the chunks limit blindly from 1000 to 1500 with no success. Where can I see the actual number of chunks without capturing the traffic? After disabling the function "Unparsable request content" the upload went through without a problem. But given the notice, I would rather keep this on: "Note that disabling this check can result in losing many enforcement features in the ASM." At the same time I get the following syslogs:

ASM out of memory error: event code X242 Exceeded maximum memory assigned for XML/JSON processing
Cannot allocate 27415074 more bytes for XML parser. current memory size 837505174 (in bytes)

As you can see I raised the available memory for XML requests from 450MB (default) to nearly double.
1.4K Views · 0 likes · 14 Comments
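An added example, not from the original post and not F5 code, for the "where can I see the actual number of chunks" part: a small parser for an HTTP/1.1 chunked request body that reports the chunk count and sizes, so the figure a chunk-count limit is measuring can be read off a saved request (from the application's own logs, a client-side trace, or a single capture). The sample request and the 5 MiB upload it re-frames are constructed; the limit of 1000 is the one quoted in the post.

```python
# Constructed sample request: two chunks, the second with a chunk extension.
SAMPLE_REQUEST = (
    b"POST /soap/upload HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"Content-Type: text/xml\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\n<?xml\r\n"                       # 5 bytes
    b"10;ext=1\r\n version=\"1.0\"?>\r\n"  # 0x10 = 16 bytes
    b"0\r\n"
    b"\r\n"
)


def split_head_body(raw: bytes):
    """Split a raw request into (header block, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    return head, body


def parse_chunked(body: bytes):
    """Return (chunks, trailer) for a chunked body.

    Each chunk is '<hex-size>[;extensions]\\r\\n<data>\\r\\n'; a zero-size chunk ends
    the body and whatever follows is the (possibly empty) trailer section.
    Malformed framing raises ValueError rather than being counted as data.
    """
    chunks = []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}")
        pos = eol + 2
        if size == 0:
            return chunks, body[pos:]
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or missing CRLF")
        chunks.append(data)
        pos += size + 2


def chunk_report(raw: bytes, limit: int = 1000) -> dict:
    """Chunk statistics for a raw request, and whether it exceeds a chunk-count limit."""
    head, body = split_head_body(raw)
    if b"transfer-encoding: chunked" not in head.lower():
        raise ValueError("not a chunked request")
    chunks, _ = parse_chunked(body)
    sizes = [len(c) for c in chunks]
    return {
        "chunks": len(chunks),
        "bytes": sum(sizes),
        "smallest": min(sizes, default=0),
        "largest": max(sizes, default=0),
        "over_limit": len(chunks) > limit,
    }


def build_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Frame payload as a chunked body with fixed-size chunks (models a client's upload)."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode() + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


if __name__ == "__main__":
    print(chunk_report(SAMPLE_REQUEST))
    head = b"POST /soap/upload HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
    five_mib = b"A" * (5 * 1024 * 1024)
    for size in (4096, 8192):
        print(f"5 MiB in {size}-byte chunks:", chunk_report(head + build_chunked(five_mib, size)))
```

The two demo uploads make the arithmetic behind the violation visible: the same 5 MiB file is 1280 chunks at 4 KiB per chunk, over the limit, and 640 chunks at 8 KiB, under it, so the chunk size the client library uses matters as much as the file size, and the count only drops out of a limit-raising exercise if you know it.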
Help with ASM URL wildcard syntax
Hi, I need to create a URL whitelist for a directory structure such as this:

/constant-name/constant-name/any-name/any-name/.../.../*.css
/constant-name/constant-name/any-name/any-name/.../.../*.pdf
/constant-name/constant-name/any-name/any-name/.../.../*.xml

So, where it says 'any-name' it's equivalent to a wildcard, but I don't know how many subfolders there would be. How would I go about putting it in the ASM syntax? Thanks
1.4K Views · 0 likes · 11 Comments
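An added example, not from the original post and not F5 code. It assumes the wildcard rules ASM documents for URL entities: `*` matches any run of characters, including `/`, and `?` matches exactly one character, with everything else literal; the query string is not part of the URL entity, so it is stripped first. Under those rules one allowlist entry per extension already covers any number of subfolders, which is what the matcher below checks against a few constructed paths.

```python
import re

# Constructed allowlist for the demo: one wildcard URL per extension.
ALLOWED_URL_WILDCARDS = [
    "/constant-name/constant-name/*.css",
    "/constant-name/constant-name/*.pdf",
    "/constant-name/constant-name/*.xml",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an ASM-style wildcard into an anchored regex.

    Assumed semantics: '*' -> any run of characters (including '/'),
    '?' -> exactly one character, anything else literal.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def request_path(url: str) -> str:
    """The URL entity is matched on the path only; drop any query string."""
    return url.split("?", 1)[0]


def matching_wildcard(url: str, patterns=ALLOWED_URL_WILDCARDS):
    """First allowlist wildcard covering the request path, or None (would be an illegal URL)."""
    path = request_path(url)
    for p in patterns:
        if wildcard_to_regex(p).match(path):
            return p
    return None


def audit(urls, patterns=ALLOWED_URL_WILDCARDS) -> dict:
    """Map each URL to the wildcard that allows it; None means it would violate the allowlist."""
    return {u: matching_wildcard(u, patterns) for u in urls}


if __name__ == "__main__":
    # Constructed sample paths: nested to different depths, plus two that must be rejected.
    sample = [
        "/constant-name/constant-name/site.css",
        "/constant-name/constant-name/a/b/c/d/e/site.css",
        "/constant-name/constant-name/reports/2024/q1.pdf?download=1",
        "/constant-name/constant-name/x/y/feed.xml",
        "/constant-name/other/a/site.css",
        "/constant-name/constant-name/a/site.css.bak",
    ]
    for url, hit in audit(sample).items():
        print(f"{url:55} -> {hit}")
```

Because `*` spans slashes, the same entry also accepts the zero-subfolder case and does not accept `site.css.bak`, since the pattern is anchored at the end. If a fixed depth is ever wanted, `?` is the only per-character wildcard available, so a depth-limited pattern has to be spelled out per level rather than with a "single segment" wildcard.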
F5 blocking my webpage that works as monitor of Sites hosted behind F5
Hi Guys, we recently enabled the ASM module on F5 in evaluation/learning mode only, and we have one website that is hosted behind the F5 LTM. Once the ASM module is activated, my customer's website hosted in a different data center in Azure cannot get through F5. This website acts as a web monitor and every 5 min it monitors the site hosted behind the F5. I get a blank page which looks like this. My web monitor is doing HTTP web requests and sometimes this happens. There is no disturbance of the site hosted in LTM pools. My Google search reveals the problem might be the ASM module trying to block. Can you guys provide some pointers on how to resolve this issue?

```html
<!DOCTYPE html>
<html><head>
<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Expires" content="-1"/>
<meta http-equiv="CacheControl" content="no-cache"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<link rel="shortcut icon" href="data:;base64,iVBORw0KGgo="/>
<script>
(function(){
window["bobcmn"] = "11111011101010200000002200000005200000000289895ae4200000096300000000300000000300000006/TSPD/300000008TSPD_101300000005https3000000b0081b93fe10ab20006f0e8f1c61960cb6df13226d973e4b69e019690083a6fd29acdda2b6f1b2f5dd0805bbb5290a280019bbf7f5e3c12d280528f7ff9915458e1d0c71804c667eac9e06aa4ea740e68a5b754f765c6ef008200000000200000000";
```

Regards Sunil
1.4K Views · 0 likes · 1 Comment
K14823198: ASM guided configuration not synced to peer device after upgrade impact
Hello, after upgrading an active/standby cluster to 16.1.2.2 I ran into this: https://support.f5.com/csp/article/K14823198 Now I have 2 questions: 1. Do I have to run these commands on the active or the standby unit? 2. What impact do these commands have? I'm afraid both units will be active for a minute or so. Thank you
Solved · 1.3K Views · 0 likes · 8 Comments
Packet Processing Order
Hi All, I have an F5 VM hosted in Azure which has modules like LTM, DNS, Adv WAF and AFM. I need to know how a packet will be processed in this case, where multiple modules are enabled. Note: in the DNS module only the DNS caching feature is in use; there are no Wide IPs configured. Also, please help me find the bash command reference for LTM. Thanks, Ashish Solanki
Solved · 1.3K Views · 0 likes · 5 Comments