Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Mitigation of OWASP Web Application: Cryptographic Failures using F5 Distributed Cloud Platform

Janibasha
F5 Employee
F5 Employee

‎14-Aug-2022 18:00 - edited ‎19-Apr-2023 03:41

Introduction to OWASP: 

Introduction article covered details of OWASP and 3 more articles in sequence covered Injection, broken access and authentication failures (check reference links for more details). This 4th article is in continuation of the series and will cover Cryptographic Failures. 

 

Introduction to Cryptographic Failures: 

In 2017 this attack is known as Sensitive Data Exposure, which focuses on failures related to cryptography which often lead to exposure of sensitive data.   

For this demo we are using OWASP Juice Shop as a vulnerable application which is exposing some files in ftp server location as below.

crypto1.JPG

This website has file type limitations kept in place to restrict users from downloading only .md/,pdf files. For example, let’s say we have a file with the name eastere.gg file which has some sensitive details and when we try to download directly, we get 403 error as below: 

crypto2.JPG

Step by step testing process:  

Step1:

Please follow the suggested steps here to configure HTTP load balancer and WAF in cloud console. Make sure WAF is configured in Monitoring mode only to analyze the attack.

Step2:  

Hackers can find a way to bypass this file cryptographic restriction. For example, as shown below we can intercept the outgoing request using burp suite and just by adding null byte to the filename we are able to download the file (%2500.md is a null byte which is equal to empty space in cryptography). 

crypto3.JPG

crypto4.JPG

 

Prevention: 

Below are some of the best practices suggested to prevent this attack: 

  • Identify which data is sensitive according to regulatory requirements, or business needs. 
  • Don't store sensitive data unnecessarily.  
  • Make sure to encrypt all sensitive data at rest. 
  • Disable caching for responses that contain sensitive data. 
  • Apply required security controls as per the data classification. 
  • Do not use legacy protocols such as FTP and SMTP for transporting sensitive data. 
  • Store passwords using strong hashing algorithms. 
  • Always use authenticated encryption instead of just encryption. 
  • Avoid deprecated cryptographic functions and schemes, such as MD5, SHA1, etc. 

 

Mitigation using F5 Distributed Cloud Services: 

  1. To mitigate these attacks, navigate to Firewall section and in “App Firewall” configuration make sure “Enforcement Mode” is set to “Blocking” as below: 
    crypto5.JPG
  2. Next in browser try to generate above scenarios and validate your request is blocked as below.  
    crypto6.JPG
  3. In Distributed Cloud Console expand the security event and check the WAF section to understand the reason why request was blocked. 
    crypto7.JPG

 

Conclusion:  

As shown above, these types of cryptographic failures can be mitigated by configuring WAF on load balancer thereby preventing sensitive data exposure. 

 

For further information click the links below: 

  1. OWASP - Cryptographic Failures
  2. Mitigation OWASP - Authentication Failures using F5 XC
  3. Mitigating OWASP Top 10 2021: A01 Broken Access attacks 
Labels:
Version history
Last update:
‎19-Apr-2023 03:41
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC