Note: Mutillidae is a free and open-source web application that is deliberately designed to be vulnerable and is used for web security training. For more details, refer to the OWASP Mutillidae II documentation.
Introduction to XXE (XML eXternal Entity):
An XXE attack targets an application that parses XML input. The attack succeeds when a weakly configured XML parser processes XML input containing a reference to an external entity (for example a file on the server), which the parser then resolves on the attacker's behalf.
Step by step process:
In the steps below we will first set the enforcement mode to ‘Monitoring’ in the app firewall policy, perform the attack and observe the security event logs. This shows both the application's vulnerability and the WAF engine's efficiency in detecting the threat. At a later stage we will set the enforcement mode to ‘Blocking’, so that the WAF engine blocks any such malicious request in the future.
Step 1: Create a Load Balancer (LB) in the F5 Distributed Cloud console and add the application server as an origin pool member. Refer to the F5 Distributed Cloud docs for configuration steps.
Step 2: Create a WAF policy with enforcement mode set to ‘Monitoring’ and add it to your LB.
Select the WAAP service from the Distributed Cloud console homepage.
Navigate to Manage->App Firewall, click ‘Add App Firewall’.
Enter a name, set ‘Enforcement Mode’ to ‘Monitoring’, and click ‘Save & Exit’.
Navigate to Manage->Load Balancers->HTTP Load Balancer.
On the right side of your LB, click the three dots (ellipsis), select ‘Manage Configuration’ as the action, then click ‘Edit Configuration’.
Scroll down to ‘Security Configuration’, set WAF (Web Application Firewall) to ‘Enable’ and select the app firewall created above. Click ‘Save & Exit’.
Step 3: Identify and exploit the XXE vulnerability of the application and monitor the security event logs in the Distributed Cloud console.
Note: Among the various types of XXE attacks, we have chosen one that retrieves the contents of a file (/etc/passwd) from the server’s file system; this file holds information about the users on the system, such as username and user id.
In the above screenshot you can see that the XXE attack succeeded against the vulnerable application, because enforcement is set to ‘Monitoring’ mode in the app firewall policy: the request is logged but still forwarded to the origin. The second screenshot shows the identified attack signature details in the Distributed Cloud Security Event logs, together with the action taken on the request as dictated by the enforcement mode applied in the app firewall policy.
Step 4: Modify the enforcement mode of the firewall policy to ‘Blocking’.
Step 5: Repeat Step 3.
In the above screenshot you can see that the XXE attack signature has been successfully identified and blocked by the Distributed Cloud WAF engine.
The above screenshot shows the identified attack signature details in the Distributed Cloud Security Event logs and the action taken on the request as per the enforcement mode applied in the app firewall policy.
As you can see from the demonstration, the F5 Distributed Cloud WAF engine was able to detect the attempt to exploit the XXE vulnerability in both modes, and to block it once the policy was switched to ‘Blocking’.
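To make the two enforcement modes concrete, here is a small added example (not F5's code, nor the WAF engine's real signatures) that models what the walkthrough shows: a signature check for external entity declarations in an XML request body, and an enforcement step that logs in ‘Monitoring’ mode and rejects in ‘Blocking’ mode. It assumes the XML arrives URL-encoded in a form field named `xml`, as a constructed sample; the decode step matters because a signature applied to the raw body would miss the encoded `<!ENTITY`.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Signature for an external general or parameter entity declaration (SYSTEM/PUBLIC).
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Any DTD at all: most applications never need one, so its presence is worth an event.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

@dataclass
class Verdict:
    signature: Optional[str]  # matched signature name, None if clean
    action: str               # "allowed", "logged" (Monitoring) or "blocked" (Blocking)

def normalize(raw_body: str) -> str:
    """Decode a URL-encoded form body once so signatures see the XML as the parser would."""
    return unquote_plus(raw_body)

def match_signature(body: str) -> Optional[str]:
    text = normalize(body)
    if EXTERNAL_ENTITY_RE.search(text):
        return "XML External Entity (XXE)"
    if DOCTYPE_RE.search(text):
        return "XML DTD declaration"
    return None

def enforce(body: str, mode: str) -> Verdict:
    """Apply the policy's enforcement mode to one request body."""
    sig = match_signature(body)
    if sig is None:
        return Verdict(None, "allowed")
    if mode == "Monitoring":
        return Verdict(sig, "logged")     # event recorded, request still forwarded to origin
    if mode == "Blocking":
        return Verdict(sig, "blocked")    # event recorded, request rejected at the WAF
    raise ValueError(f"unknown enforcement mode: {mode}")

# Constructed sample bodies (not captured from any real system).
BENIGN = "xml=%3Cuser%3E%3Cname%3Ealice%3C%2Fname%3E%3C%2Fuser%3E"
XXE = ("xml=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+r+%5B%3C%21ENTITY+xxe+SYSTEM+"
       "%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cr%3E%26xxe%3B%3C%2Fr%3E")

if __name__ == "__main__":
    for mode in ("Monitoring", "Blocking"):
        print(mode, enforce(BENIGN, mode), enforce(XXE, mode))
```

The safest application-side fix is independent of the WAF: configure the XML parser to disable DTD processing and external entity resolution, so the request is harmless even if it reaches the origin.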