Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform
Overview:
This article is the last part in a series of articles on mitigation of OWASP Web Application vulnerabilities using F5 Distributed Cloud platform (F5 XC).
Introduction to Insecure Design:
In an effort to speed up the development cycle, some phases may be reduced in scope, which opens the door to many vulnerabilities. To focus on the risks that get ignored from the design phase through deployment, a new category, "Insecure Design", was added to the OWASP Web Application Top 10 2021 list. Insecure Design represents weaknesses, i.e. the lack of security controls that should have been integrated into the website/application throughout the development cycle.
If there are no security controls to defend against a specific attack, an insecure design cannot be fixed by a perfect implementation; at the same time, a secure design can still have an implementation flaw that leads to exploitable vulnerabilities. Attackers therefore have wide scope to leverage the vulnerabilities created by insecure design principles.
Here are several scenarios that fall under insecure design vulnerabilities:
- Credential Leak
- Authentication Bypass
- Injection vulnerabilities
- Scalper bots, etc.
In this article we will see how the F5 XC platform helps to mitigate the scalper bot scenario.
What is a Scalper Bot:
In the e-commerce industry, scalping is a practice that leads to denial of inventory. Online scalping in particular uses bots, i.e. automated scripts that check product availability periodically (every few seconds), add the items to the cart and check out the products in bulk. Genuine users therefore do not get a fair chance to grab the deals or discounts offered by the website or company. Alternatively, attackers use these scalper bots to abandon the items added to the cart later, causing losses to the business as well.
Demonstration:
In this demonstration, we are using an open-source application, "Online Boutique" (refer to boutique-repo), which provides an end-to-end online shopping cart. A legitimate customer can add any product of their choice to the cart and check out the order.
Customer Page:
Scalper bot with automation script:
The automation script below adds products in bulk to the cart of the e-commerce application and places the order.
import requests
import random

# List of User-Agents the script rotates through
USER_AGENTS = [
    "sqlmap/1.5.2",  # Automated SQL injection tool
    "Nikto/2.1.6",  # Nikto vulnerability scanner
    "nmap",  # Network mapper used in reconnaissance
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",  # Spoofed search engine bot
    "php",  # PHP command line tool
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",  # Old Internet Explorer (suspiciously outdated)
    "libwww-perl/6.36",  # Perl-based automation, often found in attacks or scrapers
    "wget/1.20.3",  # Automation tool for downloading files or making requests
    "Python-requests/2.26.0",  # Python automation library
]


# Select a random User-Agent for each request
def get_random_user_agent():
    return random.choice(USER_AGENTS)


# Base URL of the application behind the load balancer
BASE_URL = "https://insecure-design.f5-hyd-xcdemo.com"


# Perform the API request to add products to the cart
def add_to_cart(product_id, quantity):
    url = f"{BASE_URL}/cart"
    headers = {
        "User-Agent": get_random_user_agent(),  # Random User-Agent
        "Content-Type": "application/x-www-form-urlencoded",
    }
    payload = {
        "product_id": product_id,
        "quantity": quantity,
    }
    # Send the form-encoded POST request
    response = requests.post(url, headers=headers, data=payload)
    if response.status_code == 200:
        print(f"Successfully added {quantity} to cart!")
    else:
        print(f"Failed to add to cart. Status Code: {response.status_code}, Response: {response.text}")
    return response


# Perform the API request to place an order
def place_order():
    url = f"{BASE_URL}/cart/checkout"
    headers = {
        "User-Agent": get_random_user_agent(),  # Random User-Agent
        "Content-Type": "application/x-www-form-urlencoded",
    }
    payload = {
        "email": "someone@example.com",
        "street_address": "1600 Amphitheatre Parkway",
        "zip_code": "94043",
        "city": "Mountain View",
        "state": "CA",
        "country": "United States",
        "credit_card_number": "4432801561520454",
        "credit_card_expiration_month": "1",
        "credit_card_expiration_year": "2026",
        "credit_card_cvv": "672",
    }
    # Send the form-encoded POST request
    response = requests.post(url, headers=headers, data=payload)
    if response.status_code == 200:
        print("Order placed successfully!")
    else:
        print(f"Failed to place order. Status Code: {response.status_code}, Response: {response.text}")
    return response


# Main function to execute the API requests
def main():
    # Add product to cart
    product_id = "OLJCESPC7Z"
    quantity = 10
    print("Adding product to cart...")
    add_to_cart_response = add_to_cart(product_id, quantity)
    # If the add_to_cart request is successful, proceed to checkout
    if add_to_cart_response.status_code == 200:
        print("Placing order...")
        place_order()


# Run the main function
if __name__ == "__main__":
    main()

To mitigate this problem, F5 XC can identify and block these bots based on the bot defense configuration provided under the HTTP load balancer.
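Before looking at the platform-side configuration, it helps to see how the traffic of a script like the one above stands out in ordinary access logs. The following Python is an added example, not part of the original article and not F5 XC's own detection logic: it runs a small heuristic over constructed log lines (an assumed, simplified log format) and flags clients that rotate automation User-Agents or hammer the cart endpoint; the window and count thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: ip [iso-time] "METHOD path" status "User-Agent").
# 10.0.0.5 behaves like the scalper script; 10.0.0.9 is a normal browser session.
LOG_LINES = [
    '10.0.0.5 [2024-05-01T10:00:00Z] "POST /cart" 200 "Python-requests/2.26.0"',
    '10.0.0.5 [2024-05-01T10:00:01Z] "POST /cart" 200 "wget/1.20.3"',
    '10.0.0.5 [2024-05-01T10:00:02Z] "POST /cart" 200 "libwww-perl/6.36"',
    '10.0.0.5 [2024-05-01T10:00:03Z] "POST /cart/checkout" 200 "Nikto/2.1.6"',
    '10.0.0.9 [2024-05-01T10:00:00Z] "GET /product/OLJCESPC7Z" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
    '10.0.0.9 [2024-05-01T10:00:40Z] "POST /cart" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
]

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+)" (\d{3}) "([^"]*)"$')

# Substrings of the User-Agents the bot script rotates through; a shopper's
# browser session never presents any of these.
AUTOMATION_UA = ("sqlmap", "nikto", "nmap", "libwww-perl", "wget", "python-requests", "php")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "method": method, "path": path, "status": int(status), "ua": ua}


def classify(lines, window_s=60, max_cart_posts=3):
    """Return {client_ip: [reasons]} for clients whose traffic matches the scalper pattern."""
    by_ip = defaultdict(list)
    for rec in map(parse, lines):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        uas = {r["ua"] for r in recs}
        bad = sorted(ua for ua in uas if any(k in ua.lower() for k in AUTOMATION_UA))
        if bad:
            reasons.append(f"automation User-Agent: {', '.join(bad)}")
        if len(uas) > 1:  # one client changing its User-Agent between requests
            reasons.append(f"{len(uas)} distinct User-Agents from one client")
        cart_posts = sorted(r["ts"] for r in recs if r["method"] == "POST" and r["path"] == "/cart")
        lo, peak = 0, 0  # sliding window: most POST /cart requests within any window_s span
        for hi, t in enumerate(cart_posts):
            while (t - cart_posts[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= max_cart_posts:
            reasons.append(f"{peak} POST /cart within {window_s}s")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run against the sample lines, `classify(LOG_LINES)` reports only 10.0.0.5, with all three reasons; the browser client produces no finding.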
Here is the procedure to configure bot defense with the mitigation action 'block' on the load balancer and associate the backend application ('evershop') as the origin pool.
- Create an origin pool. Refer to pool-creation for more info.
- Create an HTTP load balancer (LB) and associate the above origin pool with it. Refer to LB-creation for more info.
- Configure bot defense on the load balancer and add the policy with the mitigation action 'block'.
- Click on "Save and Exit" to save the load balancer configuration.
- Run the automation script, providing the LB domain, to attempt to exploit the items in the application.
- Validate product availability for a genuine user manually.
- Monitor the logs through F5 XC: navigate to WAAP --> Apps & APIs --> Security Dashboard, select your LB and click on the 'Security Event' tab.
The above screenshot gives the detailed info on the blocked attack along with the mitigation action.
Conclusion:
As seen in the demonstration, F5 Distributed Cloud WAAP (Web Application and API Protection) detected the scalpers using the bot defense configuration applied on the load balancer and mitigated the scalper bot's exploits. It also provides the mitigation actions "allow" and "redirect" along with "block". Please refer to link for more info.