Chapter 9: Cookies and Other Headers

Chapter Objectives
After completing this chapter, you will be able to:
• Define the purpose of the Main ASM (TS) cookie
• Define Allowed and Enforced Cookies
• Configure Security Processing on HTTP Headers
• Configure an application security policy to protect against both cookie and HTTP header tampering

ASM Cookies: What to Enforce
ASM uses two primary types of proprietary cookies: to prevent various forms of cookie tampering, to enforce user sessions and login pages, and to distinguish between human and non-human clients for web scraping protection and proactive bot defense. The table below lists these two main cookies and what they protect.

Main ASM (TS) Cookie
• Validates domain cookies (set by the application)
• Detects session expiration
• Enforces the other ASM-proprietary cookies used for brute force protection, login page enforcement, web scraping protection, Cross-Site Request Forgery protection, proactive bot defense, and flow frame cookie enforcement

ASM Frame Cookie
• Enforced flows (URL navigation through the application)
• Dynamic parameters (protected name/value pairs)
• Extraction/protection of dynamic parameter data

In this chapter, we will examine the Main ASM (TS) cookie. The flow frame cookie is discussed in the advanced parameter handling chapter.

ASM Cookies: Protecting Domain Cookies
Many web applications set cookies for user tracking, shopping cart functionality, and other application-specific purposes. In many cases a domain attribute is attached to the Set-Cookie header in an HTTP response from the application. Browsers then send the cookie back to the web server on every request that matches the defined domain.
Configuring BIG-IP ASM v13

Here is a simple example:

Set-Cookie: SMCHALLENGE=YES; path=/; domain=.abc.com; secure; HttpOnly

If the Set-Cookie header is present, ASM performs a hash on the cookie and inserts the hash value into its own TS cookie, which is named TS_xxxxxx. Thus ASM generates its own cookie in the response, specific to the domain .abc.com, in addition to any other domain/path combinations presented in cookies set by the server. If either the cookie set by the application or the cookie inserted into the response by ASM is tampered with, a violation is triggered. ASM validates its own cookies by signing each one with an MD5 digest and enforcing matches between cookies using a proprietary message key. The TS cookie also detects session expiration.

Figure 1: The TS cookie validates domain cookies set by the application.

The second type of ASM-set cookie is the flow frame cookie, of which there are two variations: a flow frame cookie for enforcing flows between URLs, and a dynamic content value type for storing dynamic values from protected parameters.

Main ASM (TS) Cookie Structure
The Main ASM (TS) cookie name (TS_xxxxxx) consists of TS followed by six characters that are a hexadecimal representation of the security policy name. The table below is a generic representation of the TS cookie structure.

Signature    Message Key    Time Stamp    Cookie Name/Value pairs
32 bytes     16 bytes       8 bytes       16 bytes each

• Signature: MD5 hash of the remainder of the cookie. (An MD5 digest is 16 raw bytes; the 32 bytes in the table is its length when written as hexadecimal characters.)
• Message Key: A randomized byte sequence which connects the TS cookie to any other ASM cookies in the request.
• Time Stamp: Indicates when the cookie was created. It can be used to verify that cookies are not too old. Additionally, it works with the Message Key to verify the age of any frame cookies, if any are in use.
• Cookie Name/Value pairs: For each Set-Cookie command ASM detects from the application, a pair of 8-byte values is created, one for the name and another for the value.

Defining Allowed and Enforced Cookies
ASM assigns one of two attributes to cookies: Allowed and Enforced.

The Allowed attribute is used for cookies that ASM recognizes as cookies which may legitimately be modified externally. These might be persistent cookies set by the application, single sign-on cookies, and other cookies that clients legitimately modify. When ASM receives a cookie that is in the Allowed list, ASM ignores it and no violation is triggered. Allowed cookies can be of two types: Explicit and Wildcard. Explicit lets you enter the cookie name exactly as it appears in the request. Wildcard lets you match, and learn, the pattern of the expected cookie.

The Enforced attribute is used for cookies that ASM signs and which should not be modified on the client side. Consider a session cookie set by an application: this is usually the type of cookie that should be enforced. If a cookie with the Enforced attribute is modified on the client side, ASM triggers the Modified Domain Cookie violation.

Staging still applies. Even if a cookie appears in the Enforced Cookies list, it can still be in staging, and a violation on a staged cookie will not result in a blocked request even if the policy is in blocking mode.

If ASM receives a cookie that does not match an Allowed or Enforced entry, it is an unknown cookie and therefore an unwanted cookie, and it triggers a Modified Domain Cookie violation.

The Cookies List allows you to configure the security policy to allow certain cookies included in the request. This can be done by entering the name of the known cookie or by adding it from the learning screen.
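The following is an added worked example, not F5 code: a toy model of the TS cookie layout and of the Allowed/Enforced rules described above. The real TS cookie's byte encoding, hash inputs and name are proprietary and are not given on this page, so the model assumes an MD5 prefix for the per-cookie 8-byte digests and a big-endian seconds timestamp, and reproduces only the documented layout (signature over the remainder, random message key, timestamp, one name digest and one value digest per enforced cookie) and the documented behaviour: a modified enforced cookie, an unknown cookie, or a modified TS cookie is a violation, while allowed cookies are ignored.

```python
"""Toy model of the Main ASM (TS) cookie layout described in this chapter.

Added illustration, not F5 code: the real TS cookie's encoding and hash
inputs are proprietary. Modelled here are the documented layout and the
documented checks on enforced, allowed and unknown cookies.
"""
import hashlib
import hmac
import os
import struct
import time

SIG_LEN = 16   # MD5 digest; the chapter's "32 bytes" is its hex-encoded length
KEY_LEN = 16   # message key
TS_LEN = 8     # timestamp (assumed: big-endian seconds)
PAIR_LEN = 8   # digest of each enforced cookie's name, and of its value


def _digest8(text):
    """8-byte digest standing in for ASM's per-cookie hash (assumed: MD5 prefix)."""
    return hashlib.md5(text.encode()).digest()[:PAIR_LEN]


def build_ts_cookie(enforced_cookies, now=None, key=None):
    """Build the TS cookie value (hex) for the enforced cookies the app just set."""
    key = key if key is not None else os.urandom(KEY_LEN)
    stamp = struct.pack(">Q", int(now if now is not None else time.time()))
    body = key + stamp
    for name in sorted(enforced_cookies):
        body += _digest8(name) + _digest8(enforced_cookies[name])
    signature = hashlib.md5(body).digest()       # signature covers the remainder
    return (signature + body).hex()


def check_request_cookies(ts_cookie_hex, request_cookies, allowed, enforced,
                          max_age=3600, now=None):
    """Validate a request's cookies against its TS cookie.

    `allowed` and `enforced` are sets of cookie names. Returns (ok, violations).
    """
    violations = []
    try:
        raw = bytes.fromhex(ts_cookie_hex)
    except ValueError:
        return False, ["Modified ASM cookie"]
    fixed = SIG_LEN + KEY_LEN + TS_LEN
    if len(raw) < fixed or (len(raw) - fixed) % (2 * PAIR_LEN):
        return False, ["Modified ASM cookie"]
    signature, body = raw[:SIG_LEN], raw[SIG_LEN:]
    if not hmac.compare_digest(signature, hashlib.md5(body).digest()):
        return False, ["Modified ASM cookie"]          # the TS cookie itself was tampered

    created = struct.unpack(">Q", body[KEY_LEN:KEY_LEN + TS_LEN])[0]
    current = now if now is not None else time.time()
    if current - created > max_age:
        violations.append("Expired timestamp")         # session expiration check

    pairs = body[KEY_LEN + TS_LEN:]
    signed = {pairs[i:i + PAIR_LEN]: pairs[i + PAIR_LEN:i + 2 * PAIR_LEN]
              for i in range(0, len(pairs), 2 * PAIR_LEN)}

    for name, value in request_cookies.items():
        if name in allowed:
            continue                                     # allowed: ignored entirely
        if name in enforced:
            if signed.get(_digest8(name)) != _digest8(value):
                violations.append(f"Modified domain cookie(s): {name}")
        else:
            violations.append(f"Modified domain cookie(s): {name}")  # unknown cookie
    return not violations, violations


if __name__ == "__main__":
    ts = build_ts_cookie({"SESSION": "abc123"})
    print(check_request_cookies(ts, {"SESSION": "abc124"}, set(), {"SESSION"}))
```

One caveat the model makes visible: an unkeyed MD5 over the cookie body can be recomputed by any client that knows the layout, so only the secret elements (the chapter's proprietary message key and unpublished encoding) make the real cookie tamper-evident. A design of your own should sign with an HMAC under a server-side key rather than a bare digest.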
When you create a security policy that includes cookies, ASM adds new cookies (or suggests that you add them) to the security policy based on the Learn New Cookies value of the matched wildcard. The value assigned to the wildcard can be Never (Wildcard Only), which does not add explicit cookies, or Selective, which prompts you to add an explicit cookie.

The default value of the learning scheme differs depending on the deployment scenario you use to create the policy. The following deployment workflows create pure wildcard cookies using the Selective learning scheme:
• Rapid Deployment policy building with the Fundamental policy type

Consequently, ASM adds (if building the policy automatically) or suggests that you add (if building the policy manually) explicit cookies encountered in the traffic to the security policy. For example, you could start by having the wildcard set to Selective in the Allowed Cookies list, get a list of all the cookies that your web application uses, and then move them to the Enforced list. This makes it easier to add the cookies that your web application uses and that you want to enforce in the security policy.

The Vulnerability Assessment Baseline workflow creates the wildcard cookie with Learn New Cookies set to Never (Wildcard Only).

Configuring Security Processing on HTTP Headers
ASM allows you to configure various types of enforcement on HTTP headers, such as defining a header as mandatory (meaning it must appear in requests), applying attack signatures, and performing normalization on strings within the header itself. Normalization is the process of buffering the contents of request headers and converting them into a standard format that can be more easily checked for discrepancies, to ensure RFC compliance and other elements of negative security.
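An added example of header normalization of the kind described above (not F5 code; ASM's normalization engine is internal and its exact rules are not on this page). It applies the steps the chapter names to a header value such as Referer: percent-decoding (repeated, so double encoding is flagged), backslash replacement, collapsing multiple slashes, and detecting non-printable or non-ASCII characters, and then runs a small constructed signature set against the canonical form to show why signatures must see the normalized value. The signature patterns and the evasion names are illustrative only.

```python
"""Header/URL normalization as this chapter describes it; added example, not F5 code."""
import re
from urllib.parse import unquote, urlsplit, urlunsplit

MAX_DECODE_PASSES = 3

# Constructed, illustrative patterns; not ASM's signature database.
SIGNATURES = {
    "XSS script tag": re.compile(r"<\s*script", re.IGNORECASE),
    "Directory traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


def normalize_path(value):
    """Return (normalized_value, evasions_seen) for a path or raw header value."""
    evasions = []
    current, passes = value, 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(current)          # %xx -> char; malformed %xx left alone
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    if passes > 1:
        evasions.append("Multiple decoding")  # e.g. %252e -> %2e -> .
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in current):
        evasions.append("Non-printable or non-ASCII characters")
    if "\\" in current:
        evasions.append("Backslash replacement")
        current = current.replace("\\", "/")
    if "//" in current:
        evasions.append("Multiple slashes")
        current = re.sub(r"/{2,}", "/", current)
    return current, evasions


def normalize_header_value(value):
    """Normalize only the path of an absolute URL (so the // of http:// is not a
    'multiple slashes' hit); any other value is treated as a raw string."""
    parts = urlsplit(value)
    if parts.scheme and parts.netloc:
        path, evasions = normalize_path(parts.path)
        return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment)), evasions
    return normalize_path(value)


def inspect_header(name, value):
    """Normalize a header value, then match signatures against the canonical form."""
    normalized, evasions = normalize_header_value(value)
    hits = [sig for sig, pattern in SIGNATURES.items() if pattern.search(normalized)]
    return {"header": name, "original": value, "normalized": normalized,
            "evasions": evasions, "signatures": hits}


if __name__ == "__main__":
    for v in ["http://www.auction.com/user%20accounts/index.php",
              "/%252e%252e/%252e%252e/etc/passwd",
              "/images\\..\\..\\%3Cscript%3Ealert(1)"]:
        print(inspect_header("Referer", v))
```

The first value is the chapter's own "user accounts" URL: a single percent-decode restores the space and nothing is flagged. The other two only match a signature after normalization, which is the point of running normalization before signature checks on headers.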
Why normalization on headers is important
Normalization deals with special characters (such as percent encoding), non-ASCII text, URL paths and parameters, Base64-encoded binary content, non-printable characters, HTML codes, and many other formats that may be used in headers to hide malicious code. Consider this URL: http://www.auction.com/user accounts/index.php. Notice that in this URL a space exists in the path for "user accounts". This is a valid structure on the web server, therefore it is a required part of the URI. Web servers receive requests that are "URL encoded", which means that any special characters in a string have been translated into a form that the web server accepts. Reserved characters ($, &), unsafe characters (

2. Go to Local Traffic » Virtual Servers : Virtual Server List, and then click asm_vs.
3. From the Security tab, select Policies.
4. From the Policy menu, select your lab_9_cookie policy.
5. Ensure that you are logging all requests, and then click Update.

Change Policy Learning Mode to Manual
6. Go to Security » Application Security : Policy Building : Learning and Blocking Settings.
7. In the General Settings section, change the Learning Mode to Manual.
8. Click Save and then Apply Policy.

Generate a Learning Suggestion
By default, policies configured to learn manually build the list of learned cookies by adding them via the cookie wildcard. We have not specified an explicit cookie yet for this policy.
9. Go to Security » Application Security : Headers : Cookies List, and then click the Allowed Cookies tab.
10. Ensure that you are editing your lab_9_cookie policy.
11. Note that the wildcard is present.
The auction site uses a cookie named SESSION which we can track using ASM. However, it is likely that your web browser has already cached SESSION due to previous interaction with the application.
12. If you have an existing browser session open to the auction site, delete all browser cookies and restart the browser to ensure that all auction site cookies are cleared.
13. Go to the home page (/index.php) of the auction site.
14. In ASM, go to the Traffic Learning page.
15. Ensure that the Current edited policy is your lab_9_cookie policy.
16. Do you see a learning suggestion for Enforce Cookie? What is the Action of the learning suggestion? It should result in an enforced cookie.
Let's accept the cookie into the security policy, but keep it in staging.
17. Click Accept suggestion and enable staging on Matched Cookie, and then click Apply Policy.
18. Navigate to Security » Application Security : Headers : Cookies List.
19. The SESSION cookie should appear in the Enforced Cookies list. What is its staging status? What is the Enforcement Mode of the policy? At this stage in policy building, what should happen to a request that tampers with the SESSION cookie?

Tamper With the SESSION Cookie
20. Start Fiddler.
21. In Fiddler, go to Rules, Automatic Breakpoints, and then select Before Requests (F11).
22. Go back to the auction site, and click on a link to create traffic.
23. In the left pane of Fiddler, select the most recent session created by your latest activity.
24. In the right pane of Fiddler, select the Inspectors tab, and then right-click the request header with the SESSION cookie in it.
25. Select Edit Header and then modify the SESSION cookie.
26. Click Save.
27. Click Run to Completion.
28. In Fiddler, go to Rules, Automatic Breakpoints, and then select Disabled. (This allows you to resume browser activity uninterrupted by Fiddler.)
29. Go back to ASM and check the Traffic Learning page. There should be a Modified domain cookie(s) violation.
30. Select the HTTP request in the center section.
31. In the revealed section on the right, locate the name and value of the cookie that was modified.
32. Now let's enforce the SESSION cookie.
33. Click the Traffic Learning tab at the top of the screen to reveal the Enforcement Readiness Summary section on the right side of the screen.
34. In the Enforcement Readiness Summary section, locate the Cookies row.
35. Click the digit in the Not Enforced And Have Suggestions column.
36. Select the checkbox to the left of the SESSION cookie, and then click Enforce.
37. Click OK when prompted and then click Apply Policy.
38. In Fiddler, go to Rules, Automatic Breakpoints, and then select Before Requests (F11).
39. Repeat the process for cookie tampering.
40. What is the result? A cookie tampering request should get blocked.
41. In Fiddler, go to Rules, Automatic Breakpoints, and then select Disabled.
42. Go to the Traffic Learning screen and delete all learning suggestions.
43. Go to Security » Event Logs : Application : Requests and then clear all requests in order to prepare for the next lab.
44. Clear your browser cache to ensure a clean start for the next lab.

Expected Results
After completing this lab, any tampering with the SESSION cookie should result in a blocked request. The SESSION cookie is enforced as shown in the Cookies List.

Continue with Lab 9.2: Securing HTTP Headers

Lab 9.2 - Securing HTTP Headers
Lab Objectives
• Modify properties for a specific HTTP header
• Adjust learn and alarm settings for this type of violation
• Send an attack signature in an HTTP header to trigger a violation
Estimated time for completion: 20 minutes

Lab Requirements
• Completion of Lab 9.1

Examine HTTP Request Header Properties
1. In ASM, go to Application Security : Headers : HTTP Headers.
2. Ensure that the Current edited policy is lab_9_cookie.
3. Click the referer header.
4. Note that the Check Attack Signatures, URL Normalization, and Evasion Techniques Violations options are selected. This means that attack signatures will be applied to the referer header, and actions will be taken to remove multiple slashes, replace backslashes, and defeat other attempts at obfuscating characters in the header.
5. Click Cancel to return to the HTTP Headers list.

Copy an Attack Signature
6. Navigate to http://docs.f5trn.com/student/asm/v13.1/ and open the file named copy_paste.txt.
7. Select the Shellshock string below Lab 9.2 (Ctrl+A), and copy it to your clipboard (Ctrl+C).

Tamper With the Referer Header
8. Go to the auction site's home page (/index.php). This will establish index.php as the referrer in the next series of steps.
9. In Fiddler, go to Rules, Automatic Breakpoints, and then select Before Requests (F11).
10. Go back to the /index.php page, and then click Register now, Help, or some other link.
11. Go back to Fiddler, and select the most recent session created by your latest activity.
12. In the right pane of Fiddler, select the Inspectors tab, and then right-click the Referer header.
13. Select Edit Header and then modify the value by pasting (or entering) this string:
() { :;}; /bin/bash -c "ls"
14. Click Save.
15. Click Run to Completion.
16. Exit Fiddler.
17. Go back to the Traffic Learning screen.
18. Click on one of the attack signature suggestions.
19. Which Matched Attack Signature matched the tampering string?
20. Why didn't this request get blocked?
    a. What would you have to do to block the next request that triggers this signature?
21. Go to Security » Event Logs : Application : Requests and then clear all requests in order to prepare for the next lab.

Expected Results
After lab completion, inserting an attack signature character string into the Referer header should result in an attack signature violation after the request is sent.

Chapter 10: Reporting and Logging

Chapter Objectives
After completing this chapter, you will be able to:
• Select different levels of detail and criteria using reporting tools
• View status, BIG-IP RAM and CPU usage, throughput, and recent attack and DoS statistics
• View log files
• Enable response logging
• Create a logging profile

Overview: Big Picture Data
ASM provides two areas for reports: Overview and Reporting. They are closely related and interlinked. Overview is designed to give a higher-level, overall view of system activity.

Figure 1: Example Overview and Reporting menu options on the main navigation pane (Security menu: Overview, Application Security, Protocol Security, DoS Protection, Event Logs, Reporting, Security Updates, Options).

Overview Summary
At the highest level of detail, Security » Overview : Summary, you have the option to create a customizable graphical report, or widget, for viewing statistical information for a certain time period, including by hour, day, week, month, or year. At a glance, you can determine which security policies are assigned to virtual servers, view attacks that have occurred, view anomaly statistics, and view networking and traffic statistics.

Reporting: Build Your Own View
ASM can display numerous graphical charts that illustrate the distribution of security alerts.
You can filter the data by security policy and time, and you can view illegal requests based on different criteria such as security policy, attack type, violation rating, URL, IP address, country, severity, response code, request type, protocol, user name, and more. ASM provides several predefined filters that produce charts focused on areas of interest, including the top alerted applications, top violations, top attacks, and top attacking IP addresses. You can also create a customized advanced filter. By creating your own widget, you can pare down the data to a specific type, as shown in the Widget Properties screen below.

Figure 2: A customizable widget can be created to view data from various categories in line chart, pie chart, bar chart, and table format.

You can use these charts as executive reports that summarize your overall system security. The data in the report can be saved locally, or converted to PDF and sent as an email attachment.

Figure 3: Reporting information can be exported out of ASM.
Overview of Application Traffic
Graphical reports can be configured to provide an overview of the following application security events:
• Top URLs by Requests
• Top Anomaly Types by Total Attacks
• Top Request Types by Requests
• Top Security Policies by Average TPS
• Top Security Policies by Requests
• Top Virtual Servers by Average TPS
• Top Request Types by Events

Reporting: Chart Based on Filters
The Reporting option is available in the Security section.

Figure 4: Reporting and Application options (Charts, Charts Scheduler, Brute Force Attacks, Web Scraping Statistics) provide data for evaluating traffic to the web application.

Charts display information about the requests that triggered security policy violations. Charts can be filtered (viewed by) using the following criteria:
• Applications
• Virtual servers
• Security Policies
• Attack Types
• Violations
• URLs
• Client IP Addresses
• Client countries
• IP Address Intelligence
• Violation Rating
• Response codes
• Methods
• Protocols
• Viruses
• Usernames
• Session IDs
• Severity

ASM provides several predefined filters that produce charts focused on the top alerted security policies, top violations, top attacks, and top attackers. You can use these charts as executive reports that summarize the overall system security.

Figure 5: In this example, the administrator is filtering on how many requests have been handled per security policy.

Administrators can monitor chart data to determine how well their security policies are protecting their web applications. By viewing specific charts, administrators can check for false positives and adjust their security policy accordingly.
For example, using charts, if you see that the same type of attack is coming from several different IP addresses, this may indicate a false positive and you may need to adjust the security policy. By viewing graphical chart reports periodically, you can evaluate system vulnerabilities. As you become more familiar with the chart details, you can use this information to further secure your web application traffic.

Charts Scheduler
The Charts Scheduler feature allows you to send predefined charts to specific email addresses every 24 hours, 12 hours, 6 hours, weekly, or monthly. The predefined charts include the following data:
• Top alarmed URLs
• Top alarmed and blocked policies
• Top alarmed policies
• Top attackers for alarmed requests
• Top attackers for blocked requests
• Top attacks in last day
• Top attacks in last hour
• Top attacks in last week
• Top blocked URLs
• Top blocked policies
• Top policies with GET method
• Top policies with POST method
• Response Code 200
• Response Code 404
• Top sessions
• Top usernames
• Top violations in last day, hour, week
• Top violations with critical severity
• Top viruses detected
• User Defined
• User Defined From Requests

You will need to configure SMTP before you can send email notifications.

Brute Force Attack and Web Scraping Statistics
A separate tab is available to display charts about brute-force attacks, viewable by virtual server, application service (iApp), or security policy, and by attack start and end times.
Web Scraping statistics also have a dedicated tab and are filterable by virtual server, application service (iApp), or security policy, and by attack start and end times.

Figure 6: In this example, the administrator is filtering on how many web scraping attacks have occurred by security policy in the month.

Viewing ASM Resource Reports
There are several factors that can affect ASM resource consumption:
• Incoming requests per second during peak traffic times
• Percent of traffic that has a payload (POST requests)
• Percent of JSON and XML payloads
• Traffic distribution (is it mostly small form submissions? large file uploads?)
• Response checking (Data Guard, applying attack signatures to responses)
• Enabling response logging in the logging profile
• Session Awareness (tracking)
• Web scraping protection and brute force protection (memory is consumed for tracking sessions, clients, and users, so it is proportional to the number of concurrent clients in the application)
• Number and size of policies
• Whether learning is manual or automatic

CPU Utilization
The report shows the average ASM daemon (BD) and TMM CPU usage for each CPU on a multi-bladed chassis or standalone system. By moving your cursor over spikes in the graph, you can reveal CPU percentages for each point.

Figure 7: You can view CPU usage over time to locate anomalies in ASM processing.

Memory Utilization
Memory utilization displays the aggregated system memory usage of ASM resources as a percentage over time. It shows the average BD and TMM memory usage, and swap size, on a multi-bladed chassis or standalone system. Most memory is used for request and response buffering, but ASM also consumes memory for storing policies, maintaining a cache of common entity instances, and other purposes, such as handling learning suggestions.
Bypass Information
There are two cases in which HTTP traffic might bypass ASM security processing. One is if ASM is not enabled, or if the daemon is in some state related to restarting. The other is if ASM can no longer handle incoming requests/transactions. Either way, traffic bypasses ASM to avoid causing downtime. The resource graph displays data related to backlog messages, HTTP requests, and transactions bypassed.

PCI Compliance: PCI-DSS 3.0
PCI compliance reports allow you to provide auditors proof that your device and configuration are in compliance. From the ASM perspective, the PCI compliance reports show two things:
1. How ASM protects the web application.
2. How ASM itself is PCI compliant.

You can create printable versions of PCI compliance reports for each web application to assure auditors that ASM and your web applications are secure. These reports can be provided to auditors in PDF format. For each PCI compliance report, an Executive Summary table is created. This table describes each security measure required to comply with PCI-DSS 3.0, and indicates which measures are relevant to ASM and which are not. For security measures that are relevant to ASM, the report indicates whether ASM complies with PCI standards.

The list and description for all security measures are as follows:
1. Install and maintain a firewall configuration to protect cardholder data: Not relevant to ASM
2. Do not use vendor-supplied defaults for system passwords and other security parameters: Lists all existing users (CLI and GUI), indicating whether they have default or non-default passwords
3. Protect stored cardholder data: This is based on Data Guard functionality
4. Encrypt transmission of cardholder data across open, public networks: Ensures all virtual servers have an SSL profile assigned
5. Use and regularly update anti-virus software: Not relevant to ASM
6. Develop and maintain secure systems and applications: Ensures at least one attack signature for a known vulnerability is active in the security policy
7. Restrict access to cardholder data by business need-to-know: Not relevant to ASM
8. Assign a unique ID to each person with computer access: Lists existing users in ASM and their user roles
9. Restrict physical access to cardholder data: Not relevant to ASM
10. Track and monitor all access to network resources and cardholder data: Not relevant to ASM
11. Regularly test security systems and processes: Not relevant to ASM
12. Maintain a policy that addresses information security: Not relevant to ASM

Measures marked "Not relevant to ASM" are simply not assessed by this report; they still have to be evidenced elsewhere for the audit.

Lab 10.1 - PCI Compliance Reporting
Lab Objectives
• Access the PCI Compliance reports screen
• Review PCI Compliance requirements
• Review the PCI Compliance executive summary page
Estimated time for completion: 5 minutes

Lab Requirements
• Completion of Lab 2.1
• Any previously created security policy

Access PCI Compliance Report
1. Navigate to Security » Reporting : Application : PCI Compliance.
2. From the Security Policy drop-down menu, select any of the security policies you have created.
3. View the Executive Summary section.
4. Each item in the Requirement column addresses data security standards as defined by the Payment Card Industry Security Standards Council.
    a. Some items are hypertext links to the description of how ASM meets the requirement.
    b. Notice there are some requirements in a successful (passed) compliance state and others that are not in compliance.
5. Click the Printable Version button on the upper right of the Configuration utility.
6. Open and browse through the PCI Compliance report.

Expected Results
Your PCI Compliance report probably indicates that the selected security policy, as it currently stands, is providing only partial PCI compliance, as indicated by the combination of checkmarks and X's in the Compliance State column.
In a production environment, the underlying detail in this report can help direct the evolution of a web application firewall policy to the point where PCI compliance is achieved.

The Attack Expert System
For immediate insight into individual incidents, ASM offers a detailed description of individual attacks, as well as enhanced visibility into the mitigation techniques used to detect and ultimately prevent the attack. The Attack Expert System can help network teams, who are often responsible for managing web application firewalls and similar devices, become more familiar with securing their applications.

Within the Attack Expert System, every detected violation includes the risk associated with the violation and an example of the attack. It also helps administrators and developers choose a remediation based on implementation difficulty and risk.

Figure 8: Each violation is a clickable link to much more detailed information (here the signature "XSS script tag end (Parameter)", Signature Type: Request, Signature Scope: Parameter, XML, JSON, GWT, Plain Text, Attack Type: Cross Site Scripting (XSS)).

For example, the table below provides information on the cross-site scripting attack displayed in the above example.

Signature name: XSS script tag (Parameter)
Signature ID: 200001475
Summary: This event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).
Impact: Successful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.
Detailed Information: This event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a web server. Cross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.
Affected Systems: All systems that accept user input are potentially affected.
Attack Scenarios: An attacker can supply a malicious link designed to steal information from a user clicking on that link.
Ease of Attack: Varies from simple to medium.
False Positives: Some applications send various script code to the web server as legitimate input. Some free-text user input may match Cross Site Scripting signatures.
Corrective Action: Ensure the system is using an up-to-date version of the software and has had all vendor patches applied. Utilize a Positive Security Model by accepting only known types of input in the web application.
Additional References: The Cross Site Scripting (XSS) FAQ: www.cgisecurity.com/articles/xss-faq.shtml

Viewing Traffic Learning Graphs
The Traffic Learning screen displays graphical data about pending, ignored, and accepted learning suggestions, the enforcement status of entities, and changes that have been made either by the administrator or by the automatic Policy Builder. By moving your cursor over each section of the graph, you can reveal statistics about each suggestion.
The graph displays four types of suggestions triggered by traffic logged by ASM (in both Manual and Automatic mode): pending suggestions with a learning score of less than 50, pending suggestions with a learning score greater than 50, ignored, and accepted. Entity information includes whether changes were made by an administrator or by ASM, and raw totals of both enforced and not enforced entities.

Figure 9: Traffic Learning graphs provide broad data at a glance.

Local Logging Facilities and Destinations
Defining Key Application Security Manager Log Files
There are two separate logging mechanisms available: syslog-ng and ASM logging profiles. ASM logs all system and administrative events to syslog and locally in /var/log/asm.

• /var/log/asm: syslog-ng; applied configuration and database events, violations, ASM daemon (BD) restarts and crashes
• /ts/log/bd.log: internal bd log, especially useful for troubleshooting memory issues and with the Debug option
• /ts/log/policy_builder/pb-*: Policy Builder logs showing when and how many processes were running

Archives: /var/log/asm.1.gz through /var/log/asm.8.gz
Contents: Contains all local3.* events.

By default, BIG-IP ASM systems log both system and application security information to a set of files containing the current day's data and data from the previous eight days. The files are rotated daily and are compressed in standard gzip format. The extensions indicate the relative age of the files: the previous day's file has a ".1.gz" extension, the day before that ".2.gz", and the oldest file ends with ".8.gz".

ASM Log Message Formats: Administrative Events
Here are three examples of administrative events (events related to policy changes applied by an administrator, as opposed to attack information):

(root@bigip1:Active:Standalone) config # tail -f /var/log/asm
Jun 12 11:37:31 bigip1 info perl[4058]: 01310053:6: ASMConfig change: Policy Attributes [update]: Enforcement Mode was set to Transparent. { audit: policy = /Common/lab_17, username = admin, client IP = 192.168.1.1 }
Jun 12 11:45:16 bigip1 info perl[4058]: 01310053:6: ASMConfig change: Policy Attributes Policy Attack Signature Attributes [update]: Signature Staging was set to disabled. { audit: policy = /Common/lab5_rapid_deployment, username = admin, client IP = 192.168.1.1 }
Jun 12 11:45:28 bigip1 notice g_server_rpc_handler.pl [13588]: 01310019:5: [USER ACTIVITY] User admin performed apply Policy operation on policy: /Common/lab5_rapid_deployment.

Security Event Message Processing
By default, ASM does not log security events (such as Illegal File Type) to syslog or locally in /var/log/asm. Instead, the use of a remote logging server is strongly recommended. ASM security events are formatted into sections for easy interpretation:
• Rejection Description: Empty unless the request is blocked by the policy
• Request Violation(s): A comma-separated list of the violation(s) that occurred during enforcement of the request/response
• Support ID: A unique identifier assigned to the request; the same value appears in the Requests event log and on the blocking response page, so it can be used to correlate the two
• Source IP: The source IP where the request originated
• XFF IP: The X-Forwarded-For (XFF) IP address. This is the IP address located in the XFF header.
‘+ Souree Port: The source port from which the request originated © Destination IP: The destination IP of the request ‘© Destination Port: The destination port of the request © Route Domain: Route Domain where request originated © HTTP Classifier: Specifies the name of the HTTP Class or Security Policy Scheme: Specifies whether the request was made using HTTP or HTTPS © Geographic Location: The two letter country code of origin based on source IP * Request: The actual request made including headers up to 128 bytes ‘* Username: Username associated with the request + Session ID: Session ID assigned to the request to allow the system administrator to track requests by session + Violation Rating: Rating between | and 5 Here is an example of a security event: Jan 28 20:33:49 npi crit perl{22616}: 01310032:2: [SECEV] Request blocked, violations: Illegal method, Attack signature detected. Support id: 1461000780059246864, source ip: 172.18.47.195, source port: 62481, destination ip: 172.29.46.36, destination port: 80, HTTP classifier: /Conmon/sigs_rdp_block, scheme HTTP, , violation rate: 2 How to Enable Local Logging of Security Events For troubleshooting purposes, there is an option to change an internal parameter called send_content_events which enables sccurity events in /varlog/asm. The parameter is visible in the Configuration utility as illustrated below. The recommendation is to enable the parameter for troubleshooting or debugging, but to disable it in a production environment. sed comers [pt ti ti Figure 10: The internal parameter send_content_events is disabled (set to 0) by defautt 10-12 Configuring BIG-IP ASM v13 Chapter 10 - Reporting and Logging 10-13 Viewing Logs in the Configuration Utility The Configuration utility displays a variety of system statistics as well as access to selected log files. On ASM systems, the System Log, Audit Log, Packet Filter Log, Local Traffic Log, Policy Builder User Log, and Application Security Log are available. 
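The administrative and security event formats shown in the previous sections are easy to read by eye but awkward to search at scale, particularly once a line has been rotated into one of the asm.N.gz archives. The script below is an added example, not part of the course material or of any F5 tooling: it parses the three message types the page shows (01310053 ASMConfig change, 01310019 [USER ACTIVITY], 01310032 [SECEV]), tolerates the quirks visible in the page's own [SECEV] line (the "scheme HTTP" field with no colon and the empty ", ," field), and searches the current log plus gzip archives for a Support ID. The sample lines are constructed from the page's examples; the function names and the temporary-directory demo are mine.

```python
"""Parse /var/log/asm lines and search rotated archives for a Support ID.

Added example, not course material. Sample lines are constructed from the
page's examples; the message IDs and field names are the ones the page shows.
"""
import gzip
import os
import re
import tempfile

# Every /var/log/asm line on the page has the shape
#   <timestamp> <host> <severity> <process>[<pid>]: <msgid>:<level>: <body>
# where <level> is the syslog severity number (2=crit, 5=notice, 6=info).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<msgid>\d{8}):(?P<level>\d): (?P<body>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
AUDIT_RE = re.compile(r"\{ audit: (?P<fields>.*?) \}")
SECEV_RE = re.compile(
    r"^\[SECEV\] (?P<action>Request \w+), violations: (?P<violations>.*?)\. "
    r"Support id: (?P<support_id>\d+), (?P<rest>.*)$"
)


def _kv_fields(text, sep):
    """Split 'k<sep>v, k<sep>v' into a dict. Tolerates empty items (the page's
    line contains ', ,') and an item with no separator ('scheme HTTP')."""
    out = {}
    for item in text.split(", "):
        item = item.strip()
        if not item:
            continue
        if sep in item:
            key, value = item.split(sep, 1)
        else:
            parts = item.split(" ", 1)
            key, value = parts[0], (parts[1] if len(parts) == 2 else "")
        out[key.strip().lower()] = value.strip()
    return out


def parse_asm_line(line):
    """Return a dict for one /var/log/asm line, or None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    if body.startswith("[SECEV]"):
        s = SECEV_RE.match(body)
        if not s:
            return None
        rec["type"] = "security_event"
        rec["action"] = s["action"]
        rec["violations"] = [v.strip() for v in s["violations"].split(",")]
        rec["support_id"] = s["support_id"]
        rec.update(_kv_fields(s["rest"], ": "))
    elif body.startswith("[USER ACTIVITY]"):
        rec["type"] = "user_activity"
        rec["text"] = body[len("[USER ACTIVITY] "):]
    elif body.startswith("ASMConfig change:"):
        rec["type"] = "config_change"
        rec["text"] = AUDIT_RE.sub("", body).strip()
        a = AUDIT_RE.search(body)
        if a:  # policy, username and client IP come from the audit block
            rec.update(_kv_fields(a["fields"], " = "))
    else:
        rec["type"] = "other"
        rec["text"] = body
    return rec


def severity_consistent(rec):
    """True when the level digit after the message ID agrees with the syslog
    severity word; a mismatch points at a mangled or truncated line."""
    return SEVERITY[int(rec["level"])] == rec["sev"]


def iter_log_lines(paths):
    """Yield lines from the current log and its gzip archives (asm.N.gz)."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def find_support_id(paths, support_id):
    """Security events whose Support ID matches the value a blocked user
    reports from the ASM response page."""
    return [r for r in map(parse_asm_line, iter_log_lines(paths))
            if r and r["type"] == "security_event" and r["support_id"] == support_id]


# Constructed sample lines, copied from the formats shown on the page.
SAMPLE_LINES = [
    "Jun 12 11:37:31 bigip1 info perl[4058]: 01310053:6: ASMConfig change: Policy Attributes "
    "[update]: Enforcement Mode was set to Transparent. { audit: policy = /Common/lab_17, "
    "username = admin, client IP = 192.168.1.1 }",
    "Jun 12 11:45:28 bigip1 notice g_server_rpc_handler.pl[13588]: 01310019:5: [USER ACTIVITY] "
    "User admin performed apply Policy operation on policy: /Common/lab5_rapid_deployment.",
    "Jan 28 20:33:49 npi crit perl[22616]: 01310032:2: [SECEV] Request blocked, violations: "
    "Illegal method, Attack signature detected. Support id: 1461000780059246864, source ip: "
    "172.18.47.195, source port: 62481, destination ip: 172.29.46.36, destination port: 80, "
    "HTTP classifier: /Common/sigs_rdp_block, scheme HTTP, , violation rate: 2",
]


def build_sample_logs(directory):
    """Write a current log plus one gzip archive, mimicking daily rotation."""
    current, archive = os.path.join(directory, "asm"), os.path.join(directory, "asm.1.gz")
    with open(current, "w", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_LINES[:2]) + "\n")
    with gzip.open(archive, "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_LINES[2] + "\n")  # the security event sits in the archive
    return [current, archive]


def demo_search(support_id="1461000780059246864"):
    with tempfile.TemporaryDirectory() as d:
        return find_support_id(build_sample_logs(d), support_id)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asm_line(line))
    print(demo_search())
```

On a BIG-IP the real inputs would be ["/var/log/asm"] plus "/var/log/asm.1.gz" through "/var/log/asm.8.gz", and a [SECEV] line will only be present locally if send_content_events has been enabled as described above; otherwise the same parser applies to the syslog stream received by the remote server.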
The Application Security log shown below is of interest to ASM administrators.

Figure 11: This screen displays administrative information logged by ASM.

Viewing Log Files via Command Line

To view the log files from the command line, use a plain-text viewer such as cat or more in conjunction with other tools. Use:

  • the cat command to display the entire contents of a file
  • the grep command to filter for specific entries
  • the more command to display one page at a time
  • the tail command to look at the end of a file

Each of these utilities has an array of options available for different views of the files. For example, to follow the end of the log as current administrative system tasks are written to it:

tail -f /var/log/asm

Viewing Archived Log Files via Command Line

You can view archived (gzipped) log files from the command line with the zcat utility. The output can be piped through grep or more if desired. For example, the previous day's file can be viewed one page at a time by entering:

zcat /var/log/asm.1.gz | more

Exporting Requests

As of version 13.0.0, requests are exported in HTML format only.
The resultant HTML file can be converted to a PDF by:

  • printing the HTML page to PDF from the browser window, or
  • scripting the HTML-to-PDF conversion using the command-line tool found at https://wkhtmltopdf.org/

Figure 12: Requests can be exported for later review.

Logging Profiles: Build What You Need

Filtering traffic with a profile

Logging profiles provide a tool for filtering the traffic that passes through a virtual server. When you configure a virtual server, you can select a logging profile for it, which specifies rules and locations for storing request and response data. Event logs are one facility that can be used to monitor traffic in ASM. By enabling Application Security on a logging profile, you gain granular control over which items (such as types of requests, response status codes, specific strings, and HTTP methods) are logged.

You can use one of the system-supplied logging profiles, or you can create a custom logging profile. Additionally, you can choose to log the requests locally, to a remote server, or in a storage format required to integrate with a reporting server. Local and remote logging profiles can be configured on the same virtual server. Logging profiles must be assigned to a virtual server to take effect.

Configuration

The Logging Profile properties page has two components: Configuration and Storage Filter. Configuration specifies where the log events are stored. The storage filter determines what information gets stored.
Figure 13: From the Configuration menu, select Advanced to view all settings.

Local-storage logging profiles store request data on the ASM system itself. When you store the request data locally, there may be times when the logging utility competes with traffic processing for system resources. You can use the Guarantee Logging setting to ensure that ASM still logs the requests in this situation. Guarantee Logging also lets you keep traffic data for longer periods externally, then reload the data and analyze events which occurred in the past.

Guarantee Logging may cause a performance reduction if you have a high-traffic-volume web application. Regardless of whether Guarantee Logging is enabled or disabled, ASM will not drop the requests themselves when system resources are an issue; without Guarantee Logging it may skip logging some of them.

For local storage, the existing mechanism is used: ASM fills the local database, learns about violations from that database, and the ASM GUI presents the proxy log through the existing Event Logs: Application: Requests page.

Configuring Response Logging

Response logging lets you view responses either for illegal requests only, or for all requests. When you enable this feature, responses are displayed on the HTTP Response tab.

Figure 14: In this example, all responses to requests are being logged. Each response is displayed on the HTTP Response tab.

Besides its use with Data Guard or response signatures, response logging is also useful in analyzing request violations, to determine whether they represent an actual attack or a false positive (when ASM is configured in Transparent mode).

There are two options for request types:

  • Illegal Requests Only: only responses to illegal requests are logged
  • All Requests: all responses to requests are logged

Remote Storage

You can configure ASM to store request data for the associated web application on a remote server.

Logging Format

  • Comma Separated Values: stores all traffic on a remote logging server using comma-separated values in the logs.
  • Key-Value Pairs: stores all traffic on a reporting server using a preconfigured storage format in which key-value pairs are used in the log messages.
  • Common Event Format (ArcSight): stores all traffic on a remote logging server using the predefined ArcSight settings for the logs. The log messages are in Common Event Format (CEF).

The following items are configurable:

  • Facility: the syslog facility (LOG_LOCAL0 to LOG_LOCAL7) of the logged traffic.
  • Storage Format: which traffic items are logged, and the order in which the server logs them. A few examples of logged items are signature IDs, response codes, attack types, and geolocation.
  • Maximum Query String Size: establishes a limit on the byte length of the logged query string.
  • Maximum Entry Length: the default length is 1K for remote servers that use the UDP protocol and 2K for remote servers that use the TCP and TCP-RFC3195 protocols.
You can change the default maximum entry length for remote servers that use the TCP protocol.

Storage Filter

ASM categorizes three types of requests for logging:

  1. All requests
  2. Illegal requests
  3. Illegal requests, and requests that include staged attack signatures

Most administrators do not log all requests, because of the high volume of data that would result. By logging only illegal requests, you reduce the amount of data that is collected. Transactions can also be logged if they involve attack signatures which are still in staging. (In versions of ASM prior to 11.5, if you chose to log illegal requests, requests that matched attack signatures in staging were not included in the logs, because such requests were considered legal.)

Lab 10.2 - Local and Remote Logging

Lab Objectives

  • Set up a BIG-IP ASM system to send log messages locally and to a remote syslog server
  • Modify the default send_content_events setting to log ASM security events locally

Estimated time for completion: 25 minutes

Lab Requirements

  • Completion of Lab 5.1
  • Security policy is in Transparent mode and attack signatures are in staging
  • tcpdump to view message transmissions

Configure the logging profile

1. Configure a new logging profile named lab_10_logging_profile that will log all requests to a remote logging facility.

   Configuration utility: Security » Event Logs » Logging Profiles, then Create

   Logging Profile Properties section
     Profile Name: lab_10_logging_profile
     Application Security: Enabled
   Configuration section: Advanced
     Storage Destination: Remote Storage
     Protocol: UDP
     Server Addresses: IP Address 10.10.X.30, then click Add
     Facility: LOG_LOCAL3
     Storage Format: policy name, violations
   Storage Filter section
     Request Type: All requests
   When complete, click Finished.

Assign the logging profile to the virtual server

2. Go to Local Traffic » Virtual Servers : Virtual Server List » asm_vs.
3. From the Security tab, click Policies.
4. Within the Policy Settings section, configure the following:
     Application Security Policy: Enabled, and then choose the lab_5_rapid_deployment policy.
     Log Profile: Enabled
     Profile: move your lab_10_logging_profile profile from Available to Selected.
   When complete, click Update.

Use tcpdump to view notifications

5. Open an SSH session to your BIG-IP.
6. The command below assumes messages are being sent on all VLANs. Since these messages are sent as plain UDP syslog, with no encryption, the data is transmitted on the wire in clear text and tcpdump can display it.
7. Issue the following command:

tcpdump -ni 0.0 -s 0 udp and port 514

View /var/log/asm for local logging notifications

8. Open another SSH session to your BIG-IP.
9. Issue the following tail command to view the log file in /var/log/asm as it grows:

tail -f /var/log/asm

Log administrative activity

Now let's generate different kinds of ASM activity and simultaneously view the log.

10. Position both SSH windows so you can see them easily.
11. Go to Learning and Blocking Settings and ensure that the lab_5_rapid_deployment policy is selected.
12. Change the Enforcement Mode of the policy to Blocking. (If the policy is already in Blocking mode, change it to Transparent. We are simply tracking an administrative change.)
13. Click Save.
    a. You should see the action in /var/log/asm.
14. Click Apply Policy.
    a. You should see the action in /var/log/asm.
15. In the Learning and Blocking Settings section, expand the Attack Signatures section.
16. Uncheck the checkbox for Enable Signature Staging. (This will make it easier to see the impact of a triggered attack signature.)
17. Click Save and then click Apply Policy.
18. In the log, you should see an indication that Signature Staging was set to disabled.
19. Now let's generate a security event and determine if it is also logged.
20. Access the auction site.
21. Generate a request that will trigger an illegal request violation (such as by using the