Mitigating OWASP API Security Risk: Improper Assets Management using F5 XC Platform
Overview:
In the introductory article and subsequent series (overview) we have demonstrated how F5 Distributed Cloud Web App and API Protection (WAAP) has prevented OWASP Top 10 API Security risk categories of 2019 with demonstration. This article is the continuation of this series, demonstrating how to mitigate Improper Assets Management vulnerabilities using F5 Distributed Cloud Platform.
Introduction to Improper Assets Management:
A vulnerability that appears when multiple services are left over to an old API version, unprotected, giving access to the attackers to get the sensitive information from the application database.
Architecture:
Problem statement:
Modern applications require fast iteration through the development cycle and sometime old artifacts, such as APIs, are not properly phased out. For example, while the new API (app.service.com/v2) is created, the old API (app.service.com/v1/admin) is deprecated but still available and unprotected by a WAF, provides access to the attacker to get sensitive information of database.
Solution:
In this demonstration, we will see how F5 XC helps to patch the above vulnerability and protect the overlooked, unprotected older versions of APIs (Application Programming Interfaces) from the attackers.
Mitigation steps using F5 XC:
Here is the procedure to configure API Protection rules in the load balancer and associate the LB (Load Balancer) to the origin pool (backend application – app.service.com).
- Create origin pool
Refer pool-creation for more info. - Create http load balancer (LB) and associate the above origin pool to it.
Refer LB-creation for more info . - Configure API Protection Rules under load balancer and add the Server URLs and API Groups.
Navigate to the load balancer--> API Protection--> configure API Protection Rules.
Click on ”Edit Configuration“ under Server URLs and API Groups. - Add an item, give rule name, action, base path. Click on “apply”.
- Click on “Save and Exit” to save the Load Balancer configuration.
- Try to access the endpoint through LB domain with v1 version.
- Try to access the endpoint through LB domain with v2 version.
- Validate the logs through F5 XC.
Navigate to WAAP --> Apps & APIs --> Security Dashboard, select your LB and click on ‘Security Event’ tab.
Above screenshot gives the detailed policy information on how F5 XC WAAP is detecting and blocking the attacks based on the configuration under LB --> API Protection Rules --> Base Path.
Conclusion:
As you can see from the demonstration, the F5 Distributed Cloud WAAP has successfully able to detect and mitigate the vulnerabilities on API endpoints using API protection rules.
For further information click the links below: