Javascript injecting systems effect on web application end users - a scenario review
Hello! ArvinF is back to share a scenario review where Javascript-injecting systems affected web application end users - web and mobile application. Problem Users are failing to login to a web application protected by BIG-IP ASM/Adv WAF and Shape Security Defense. The site owner notes that the authentication was failing for an unknown reason. There were ASM Support ID noted and an error informing to enable Javascript. Please enable JavaScript to view the page’s content. Your support ID is: xxxxxxxxxxxx Troubleshooting To understand the cause of the authentication failure, we gathered HTTP traffic through a HTTP sniffer. We used httpwatch and gathered HAR (HTTP Archive) files. The site was protected with both on-premise BIG-IP ASM/Adv WAF bot defense and back then, Shape Security Defense (now F5 Distributed Cloud Bot Defense). After the review of the HAR file in httpwatch, the following were noted: ASM blocks a request in a URL related to authentication with a Support ID in the response. There was also javascript code included and it references https[:]//s[.]go-mpulse[.]net/boomerang/. The authentication attempt failed with an error in the HTTP response: ...unable to process your request. Please try again later... BIG-IP ASM/Adv WAF related HTTP cookies from its various features such as Bot Defense Client Side challenges as TSPD_101* cookie was present and other TS cookies, which could also come from Bot defense and DoS profile and security policy configurations. There were also HTTP cookies coming from BIG-IP AVR - f5_cspm cookie was present. Application Visibility and Reporting (AVR) module provides detailed charts and graphs to give you more insight into the performance of web applications, with detailed views on HTTP and TCP stats, as well as system performance (CPU, memory, etc.). https://clouddocs.f5.com/training/community/analytics/html/index.html https://clouddocs.f5.com/api/irules/AVR_CSPM_INJECTION.html Seeing the javascript code referencing "/boomerang/" included in the ASM blocking response was interesting. Reviewing the HAR file, there were several instances of this "/boomerang/". This finding was inquired with the site owner and they noted that there is another system that is in the path between the end users and their web application - a CDN. The traffic flow is as follows: End user web browser / mobile application >>> CDN >>> FW >>> BIG-IP >>> web application On the BIG-IP Virtual Server that fronts the web application, F5 AVR profile, ASM/Adv WAF Bot defense, and security policy and Shape Security defense iRule are configured. From the F5 side, these were the products with features that may insert Javascript in the client-side response. As part of troubleshooting, to isolate the feature that might be causing the failing authentication for the web application, the bot defense profile was removed from the site's Virtual Server and the Shape Security iRule and AVR profile were left untouched. Site owner noted that the authentication works after this change. Shape Security Defense was implemented using an iRule to protect specific URIs. When the iRule was removed from the Virtual Server and the Bot defense and AVR profile were left on, the VS, Site owner noted that the authentication works after this change. But if both ASM/Adv WAF Bot defense and Shape Security Defense iRule is configured on the VS, the site's authentication fails. Per the site owner, there were no changes in the Bot Defense or Shape Security Defense iRule configurations prior to the incident and that these configurations were in place way before the incident. Site owners shared the findings with their respective internal teams for their review. Resolution Afterwards, Site owner shared that their site now works as expected and authentication works for the web application with no changes done on both ASM/Adv WAF Bot defense and Shape Security Defense iRule on the site's VS. The cause of the authentication failure was undetermined. A theory on the possible cause of the issue was perhaps, there was another system inserting Javascript code in the responses and it might have affected the authentication process of the web application by prevented that portion of the site from loading. Additional Troubleshooting Notes The data gathered during the troubleshooting were the qkview and HTTPWatch capture - HAR files. It would help if a packet capture was taken along with the HTTPWatch capture while the issue was happening to have a full view of the issue. Decrypt the packet capture to observe HTTP exchanges and to correlate it with HTTPWatch capture events. The corresponding BIG-IP ASM/Adv WAF application event logs, Bot Defense or DoS protection logs will also be helpful in the correlation. Having a visual idea on how the Security Policy, Bot Defense or DoS protection profile are configured is also helpful - so its good to have a screenshot of these. It helps in analysis when there is complete data. Gathering the asmqkview with report and traffic data and corresponding ASM and AVR db dumps helps in the analysis. asmqkview -s0 --add-request-log --include-traffic-data -f /var/tmp/`/bin/hostname`_asmqkview_`date +%Y%m%d%H%M%S`.tgz #mysqldump -uroot -p`perl -I/ts/packages -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` DCC | gzip -9 > /shared/tmp/dcc.dump.gz # mysqldump -uroot -p`perl -I/ts/packages -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` PLC | gzip -9 > /shared/tmp/plc.dump.gz # mysqldump -uroot -p`perl -I/ts/packages -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` PRX | gzip -9 > /shared/tmp/prx.dump.gz # mysqldump -uroot -p`perl -I/ts/packages -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` logdb | gzip -9 > /shared/tmp/logdb.dump.gz It would also help if the systems in the path of the web application are known and whether it has features that may interfere with the features of BIG-IP ASM/Adv WAF or Shape Security Defense. Per the findings, there was a CDN that was injecting javascript code in the HTTP response and it may have contributed to the authentication failure for the end users. Isolate potentially conflicting features by removing one of them one at a time and observe the HTTP responses. Per the reference configuration, BIG-IP ASM/Adv WAF, Shape Security Defense, and BIG-IP AVR worked well prior to the incident. boomerang The injected javascript code noted in the ASM blocking page response was loaded from https[:]//s[.]go-mpulse[.]net/boomerang/. Checking this reference, it was related to https://github.com/akamai/boomerang. boomerang is a JavaScript library that measures the page load time experienced by real users, commonly called RUM (Real User Measurement). It has the ability to send this data back to your server for further analysis. With boomerang, you find out exactly how fast your users think your site is. In BIG-IP, the similar product we have is BIG-IP AVR - Application Visibility and Reporting (AVR) - where it collects "performance of web applications, with detailed views on HTTP and TCP stats, as well as system performance (CPU, memory, etc.)." Organizations may have specific needs on data that they need to collect from their site/web application and using a customizable solution such as boomerang can help. That's It For Now I hope this scenario review on Javascript-injecting systems effect on web application end users will be helpful on your next troubleshooting and hopefully gives you guidance on what data to gather and look for and troubleshooting options. The F5 SIRT creates security-related content posted here in DevCentral, sharing the team’s security mindset and knowledge. Feel free to view the articles that are tagged with the following: F5 SIRT series-F5SIRT-this-week-in-security TWIS
Access Page without resetting the session timer
I'm asking this question with the assumption that F5 is storing some kind of session timer, and resetting it each time the user makes an HTTP request. My application will have it's own session timer, set to be shorter than the F5. This is so I can pause their input progress in a friendly way to tell them they need to reauthenticate before F5's session ends and possibly makes them lose progress on their work. Our server will the the authoritative source of the users session time. The front end javascript will callback to an API on the server to resynchronize it's session time with the server. It will do this on an interval. Based on my assumptions, each one of those synchronize requests would cause the F5 session timer to reset. Since this requested is an automated process and not triggered by a user request, that session timer resetting is an undesirable side effect. Long explanation for a short question: How can I make my resynchronize calls to the server without causing the F5 to reset it's session time. Ideally these requests would still have the users EDIPI in the header. Is this possible?
No CAPTCHA - URL is not yet qualified for challenge injection
Hi, I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when theURL is not yet qualified for challenge injection, but the help also provides no details how to correct this. Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx Thank you
Javascript REST API proxy with HTML UI, nodeJS and iControl module
Problem this snippet solves: 1) Provides browser interface to REST API. 2) Provides an all javascript inclusive app for managing BigIP objects. Enable/Disable/Add/Edit pool members. Only pool members for now. 3) Provides an API proxy via the use of Node.JS . Most scripts require an application or the CLI to launch or to integrate with. This app offers a GUI interface, in many ways similar to the BigIP GUI, rendered by a browser and served by Node. NodeJS connects to the BigIP and creates the dynamic pages which are rendered by browser. With NodeJS coming soon to the BigIP, this app could be installed on and served by the BigIP. How to use this snippet: Uses iControl proxy module from github, https://github.com/thwi/node-icontrol First Install node.js on one of your machines from: https://nodejs.org Next install the icontrol module: npm install icontrol To run this: 1) copy snippet and save to file: e.g. bigip_rest_proxy.js 2) start node: node bigip_rest_proxy.js <<This will start a web server listening on 8080 3) Securely Browse to https://ip_address_of_machine_ running_node:8080 This should work for 11.5 but I have only tested it in 11.6. Also Note that the credentials for the bigip are hard-coded for now. Sorry. To put your own, go ahead and change them inside the 'connect' function, lines 180-181. Code : 61606 Tested this on version: 11.6
What causes the TSbd/TSbp script to be inserted into the source code of a website?
In the source code of the website I work on I see that the script below is being inserted. <script type="text/javascript"> //<![CDATA[ window["_tsbp_"] = { ba : "X-TS-BP-Action", bh : "X-TS-AJAX-Request"}; //]]> </script><script type="text/javascript" src="/TSbd/08300f25d2ab20002940ca95b1a84050e4ba6d156f677a6f2819bde419b59b20e8b36a05eca4b390?type=2"></script> As we have AMP pages on our website which doesn't allow any custom JavaScript we would like to not get this script inserted. However, we are having some problems indentifying what exactly is causing this script to be inserted. We do run the WAF on our F5 and I suspect it's the culprit but I have been unable to confirm this. Also, I've been moving around some elements in the <head> tags and when I specifically move our scripts down to the bottom the TSbd/TSbp script is no longer being inserted. What I would like to know is what triggers the TSbd/TSbp script to be inserted. I am starting to think something on the F5 looks at the first X bytes of the page and then decides whether or not to insert the script. I would also like to know if there is more information about this topic available as I've not been able to find a lot. Maybe I am just not searching for the correct thing.
javascript fails with var is undefined
We use F5 with several upstream servers without SSL termination, and after our application update we faced some strange issues with undefined variables and pending xhr requests. Is there some advices for configuring F5 for slow and big server responses, does tcp-lan-optimized profile suitable for it?
SEC7111 HTTP Security Compromised Generated by a JavaScript.
Hey everyone! I just ran into an issue that I haven't seen before. Let me give you some background: We have a backend web application running only on port 80 and publish this through a standard HTTPS virtual server using only a Client SSL Profile. We have also a HTTP to HTTPS VS to make sure we access the site over HTTPS. Everything is working great except for a specific function on the site. The application is used to handle internal billing and once you are done with entering your details, you can print a report. When working correctly, this should open up the report as a PDF file in a new window. This is when things go south. Apparently there is a JavaScript that helps creating this PDF file. First we get the "Internet Explorer is not showing all of the content". When accepting that we get nothing. When checking the debugging you find this: The JavaScript is generating a URL of http:// when we have an active session running on https:// and security is being jeopardized. When going to the exact URL that reports the error but changing it to https:// it works straight away. So I know what the problem is but I have no idea how to fix it. Long term would be to turn on HTTPS on the back-end server but that will take some time and we need a fix for this quite fast since they cannot print out these reports if they are not in the local office, connecting to the server directly. I tried searching through the JavaScript to see if I can find where it actually uses http:// and just using a Stream Profile change it but I have not found anything. I also tried to add a Stream Profile changing Source: http://[URL] to Target: https://[URL] but that bricked the site. Since the problem is the JavaScript, the browser won't even send the request to the F5. If it were to send the request to the F5 it would hit the iRule and get redirected to HTTPS. Do you guys have any idea?
Feedback requested - WebUI Tweaks Script
Hi! I've added a function to the WebUI script which parses the LTM log and adds a top row with some statistics. Here's an example of what it may look like: Any ideas about what you would appreciate to see in this summary except for the things above? Suggestions are very welcome! Things already on the to-do list are: Expired certificates CPU usage Memory usage Disk usage If you want to see more features or/and try out the script you can find it here: https://devcentral.f5.com/codeshare/webui-tweaks-v12-1109 /PatrikWeb UI Tweaks for version 12
Hi! I've just released the new Web UI Tweaks for v12 in case someone want's to try: https://devcentral.f5.com/codeshare/webui-tweaks-v12-1109 Feedback very much welcome! Here's a list of what it does: Pool improvements Pool list member statuses When the pools contains one available member the status is still green today. This script shows you icons depending on what different statuses a pool contains. If all members are disabled, the color is black. If the pool contains both available and members being down, the circle is half green, half red. Pool details on mouse over Hovering the mouse over a status icon shows the member details: Custom loading screen Got a big partition so the statuses takes a while to load? No problem, the script will let you know when it's finished. Default options when creating a pool Pool name suffix, action on service down, load balancing method, and select node node instead of creating a new one can be pre-populated for you by editing the configuration. Automatically generated monitor tests Test strings for browser, curl and netcat commands are generated automatically for http monitors. iRule improvements Detecting data group lists The when editing an iRule the script will detect the used data group lists and show them on the left hand side. Hovering the mouse over a data group list name will show it's content. Clicking on it will take you to that data group lists configuration form. Data group list improvements No more accidentally deleting data group list records If you use data group lists as much as we do there's a chance that you have encountered this scenario. You need to edit a record, so you click on the "Edit" button, change the entries and then click on update. Ooops, now that record was deleted. Instead, the script would disable the edit button after clicking on it. It won't be enabled again until either after you click add, or when you clear the text in the input fields. Bulk import The script allows you to do bulk edits to your data group lists. Merge the lists: Takes all the records in the import text area, compares them to the active list and imports the records that does not have duplicate keys. This means that if "apple" := "banana" exists in the active list and the import list has "apple" := "banana", then "apple" := "banana" won't be imported. Replace the current list: Takes all the records in the import text area and replaces the active list. Duplicate records are ignored like with "Merge the lists". Edit active list: Moves all the records from the active list to the import list. Client SSL Profile improvements Automatically match SSL Client profile name, certificate and key When creating an SSL profile the script will attempt to find a matching certificate and key according to the name of the profile. So when you click on on the add button in the Client SSL Profile form you'd get everything automatically populated for you (providing that you have configured the default chain in the script). SSL CSR improvements Pre-populated profiles for creating certificate signing requests. Other small things Larger select fields when ie. choosing monitors, editing data group lists. Mark objects in the current partition with bold text to distinguish them from the common partition. Adds a link to the default pool in the virtual server resources configuration page. (Patrik
F5 APM Login Page Reload Attempts Username Evaluation
I am working on a tricky F5 Issue. While trying to port a custom HTML page from Microsoft TMG to F5 BIG-IP APM, I have come across a behavior on the F5 that I would like to mitigate. This particular custom HTML page requires that there is a link that inserts a cookie and reloads the page. This function happens in JavaScript. When the page reloads the F5 logs and entry for Username ''. After 3 reloads APM reaches Max Failed Login Attempts and displays "Your session could not be established." The first question I have is why is authentication attempted before the Form Submit button is pressed? JavaScript, Cookie, Page Reload: When the link is pressed a cookie is inserted and the page a location.reload() is invoked. Cookie Evaluation: The presence of the cookie loads an alternate CSS file, and the location.reload() allows the page to load with the new CSS file. This allows for a different logo and color scheme to be applied. When the link is pressed a 2nd time, the cookie is removed, the page is reloaded, and the default CSS file is applied. Is it possible to prevent the F5 from evaluating form data when the page is reloaded? Would it be possible to redirect the user back to the login page and reset the number of login attempts?
