F5 Networks Training

Configuring BIG-IP ASM v13: Application Security Manager
Student Guide
v13.1.0.1 - February 2018
Eighteenth printing; February 2018

Support and Contact Information

Obtaining Technical Support
  Web: support.f5.com
  Phone: (206) 272-6888
  Support issues: support@f5.com

Contacting F5 Networks
  Web: www.f5.com
  Sales: sales@f5.com
  Info: info@f5.com
  Suggestions: feedback@f5.com

F5 Networks, Inc., Corporate Office
  401 Elliott Avenue West, Seattle, Washington 98119
  T (888) 88BIG-IP, (206) 272-5555; F (206) 272-5557
  Training@f5.com

F5 Networks, Ltd., United Kingdom
  Chertsey Gate West, Chertsey, Surrey KT16 8AP, United Kingdom
  T (44) 0 1932 582-000; F (44) 0 1932 582-001
  EMEATraining@f5.com

F5 Networks, Inc., Asia Pacific
  5 Temasek Boulevard, #08-01/02 Suntec Tower 5, Singapore 038985
  T (65) 6533-6103; F (65) 6533-6106
  APACTraining@f5.com

F5 Networks, Inc., Japan
  Akasaka Garden City 19F, 4-15-1 Akasaka, Minato-ku, Tokyo 107-0032, Japan
  T (81) 3 5114-3200; F (81) 3 5114-3201
  JapanTraining@f5.com

Legal Notices

Copyright © 2018, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information.
Table of Contents

Preface
  Course Overview
  Audience
  Course Objectives
  Prerequisites
  Additional Documentation and Resources

Chapter 1: Setting Up the BIG-IP System
  Introducing the BIG-IP System
  Initially Setting Up the BIG-IP System
  Archiving the BIG-IP System Configuration
  Leveraging F5 Support Resources and Tools
  Lab 1.1 - Provision the BIG-IP System and Confirm Network Configuration

Chapter 2: Traffic Processing with BIG-IP
  Identifying BIG-IP Traffic Processing Objects
  Overview of Network Packet Flow
  Understanding Profiles
  Overview of Local Traffic Policies
  Visualizing the HTTP Request Flow
  Lab 2.1 - Pool and Virtual Server Configuration

Chapter 3: Web Application Concepts
  Overview of Web Application Request Processing
  Web Application Firewall: Layer 7 Protection
  ASM Layer 7 Security Checks
  Overview of Web Communication Elements
  Overview of the HTTP Request Structure
  Examining HTTP Responses
  HTTP User Input Forms: Free Text Input
  How ASM Parses File Types, URLs, and Parameters
  Using the Fiddler HTTP Proxy
  Lab 3.1 - Fiddler and the Hack-it Auction Site

Chapter 4: Common Web Application Vulnerabilities
  A Taxonomy of Attacks: The Threat Landscape
  What Elements of Application Delivery are Targeted?
  Common Exploits Against Web Applications
  Lab 4.1 - Exploiting Web Application Vulnerabilities

Chapter 5: Security Policy Deployment
  Defining Learning
  Comparing Positive and Negative Security Models
  The Deployment Workflow
  Policy Type: How Will the Policy Be Applied
  Policy Template: Determines the Level of Protection
  Policy Templates: Automatic or Manual Policy Building
  Assigning Policy to Virtual Server
  Deployment Workflow: Using Advanced Settings
  Selecting the Enforcement Mode
  The Importance of the Application Language
  Configure Server Technologies
  Verify (Attack) Signature Staging
  Viewing Requests
  Lab 5.1 - Rapid Deployment Policy Initial Setup
  Security Checks Offered by Rapid Deployment
  Defining Attack Signatures
  Using Data Guard to Check Responses
  Lab 5.2 - Preventing Information Leakage with Data Guard

Chapter 6: Policy Tuning and Violations
  Post-Deployment Traffic Processing
  Defining Violations
  Defining False Positives
  How Violations are Categorized
  Violation Rating: A Threat Scale
  Lab 6.1 - Trigger and View a Violation
  Defining Staging and Enforcement
  Defining Enforcement Mode
  Defining the Enforcement Readiness Period
  Reviewing the Definition of Learning
  Defining Learning Suggestions
  Choosing Automatic or Manual Learning
  Defining the Learn, Alarm and Block Settings
  Interpreting the Enforcement Readiness Summary
  Configuring the Blocking Response Page
  Lab 6.2 - Accepting Requests and Viewing Learning Suggestions
  Lab 6.3 - Handling Learning Suggestions
  Lab 6.4 - Policy Enforcement Mode and Staging

Chapter 7: Attack Signatures
  Defining Attack Signatures
  Attack Signature Basics
  Creating User-Defined Attack Signatures
  Defining Simple and Advanced Edit Modes
  Defining Attack Signature Sets
  Defining Attack Signature Pools
  Understanding Attack Signatures and Staging
  Updating Attack Signatures
  Lab 7.1 - Create an Attack Signature

Chapter 8: Positive Security Policy Building
  Defining and Learning Security Policy Components
  Defining the Wildcard
  Defining the Entity Lifecycle
  Choosing the Learning Scheme
  How to Learn: Never (Wildcard Only)
  How to Learn: Always
  How to Learn: Selective
  Lab 8.1 - Using Never, Selective, and Always
  Reviewing the Enforcement Readiness Period: Entities
  Viewing Learning Suggestions and Staging Status
  Violations Without Learning Suggestions
  Lab 8.2 - Learning and Enforcement
  Defining the Learning Score
  Defining Trusted and Untrusted IP Addresses
  How to Learn: Compact
  Lab 8.3 - Learning with Compact Mode

Chapter 9: Cookies and Other Headers
  ASM Cookies: What to Enforce
  Defining Allowed and Enforced Cookies
  Configuring Security Processing on HTTP Headers
  Lab 9.1 - Cookie Tampering
  Lab 9.2 - Securing HTTP Headers

Chapter 10: Reporting and Logging
  Viewing ASM Resource Reports
  PCI Compliance: PCI-DSS 3.0
  Lab 10.1 - PCI Compliance Reporting
  The Attack Expert System
  Viewing Traffic Learning Graphs
  Local Logging Facilities and Destinations
  How to Enable Local Logging of Security Events
  Viewing Logs in the Configuration Utility
  Exporting Requests
  Logging Profiles: Build What You Need
  Configuring Response Logging
  Lab 10.2 - Local and Remote Logging
  Lab 10.3 - Response Logging

Chapter 11: Lab Project

Chapter 12: Advanced Parameter Handling
  Defining Parameter Types
  Defining Static Parameters
  Lab 12.1 - Protecting Static Parameters
  Defining Dynamic Parameters
  Defining Dynamic Parameter Extraction Properties
  Lab 12.2 - Protecting Dynamic Parameters
  Defining Parameter Levels
  Other Parameter Considerations

Chapter 13: Policy Diff and Administration
  Comparing Security Policies with Policy Diff
  Merging Security Policies
  Editing and Exporting Security Policies
  Restoring with Policy History
  Lab 13.1 - Using Policy Diff and Policy Merge
  Lab 13.2 - Security Policy Editing
  Examples of ASM Deployment Types
  ConfigSync and ASM Security Data
  ASM QKVIEW: Send to F5 Support for Troubleshooting

Chapter 14: Using Application-Ready Templates
  Application Templates: Pre-Configured Baseline Security
  Lab 14.1 - Using Application-Ready Templates

Chapter 15: Automatic Policy Building
  Overview of Automatic Policy Building
  Defining Templates Which Automate Learning
  Defining Policy Loosening
  Defining Policy Tightening
  Defining Learning Speed: Traffic Sampling
  Defining Track Site Changes
  Lab 15.1 - Automatic Policy Building

Chapter 16: Web Application Vulnerability Scanner Integration
  Integrating Scanner Output Into ASM
  Scanner Output Can Be Used for a New or Existing Policy
  Importing Vulnerabilities
  Resolving Vulnerabilities
  Using the Generic XML Scanner XSD File
  Lab 16.1 - WhiteHat Sentinel
  Lab 16.2 - Qualys
  Lab 16.3 - AppScan
  Lab 16.4 - Trustwave App Scanner (Cenzic)
  Lab 16.5 - HP WebInspect

Chapter 17: Layered Policies
  Defining a Parent Policy
  Defining Inheritance
  Parent Policy Deployment Use Cases
  Lab 17.1 - Create and Deploy a Layered Policy

Chapter 18: Login Enforcement, Brute Force Mitigation, and Session Tracking
  Defining Login Pages
  Configuring Automatic Detection of Login Pages
  Lab 18.1 - Login URL Enforcement
  What Are Brute Force Attacks?
  Brute Force Protection Configuration
  Defining Source-Based Protection
  Lab 18.2 - Brute Force Attack Mitigation
  Defining Session Tracking
  Configuring Actions Upon Violation Detection
  Session Hijacking Mitigation Using Device ID
  Lab 18.3 - Logging All Requests with Session Awareness

Chapter 19: Web Scraping Mitigation and Geolocation Enforcement
  Defining Web Scraping
  Mitigating Web Scraping
  Lab 19.1 - Web Scraping Mitigation
  Defining Geolocation Enforcement
  Configuring IP Address Exceptions
  Lab 19.2 - Geolocation Enforcement
  Lab 19.3 - Configure Exception for Disallowed Geolocation

Chapter 20: Layer 7 DoS Mitigation and Advanced Bot Protection
  Defining Denial of Service Attacks
  The General Flow of DoS Protection
  Defining the DoS Profile
  Overview of TPS-based DoS Protection
  Applying TPS Mitigations
  Create a DoS Logging Profile
  Lab 20.1 - TPS-Based Denial of Service Mitigation
  Defining DoS Profile General Settings
  Defining Bot Signatures
  Defining Proactive Bot Defense
  Defining Behavioral and Stress-Based Detection
  Defining Behavioral DoS Mitigation
  Lab 20.2 - Proactive Bot Detection and Defense

Chapter 21: ASM and iRules
  Common Uses for iRules
  Identifying iRule Components
  Triggering iRules with Events
  Defining ASM iRule Events
  Defining ASM iRule Commands
  Using ASM iRule Event Modes
  Lab 21.1 - Custom Violations and ASM
  Lab 21.2 - iRule Processing and ASM

Chapter 22: Using Content Profiles
  Defining Asynchronous JavaScript and XML
  Defining JavaScript Object Notation (JSON)
  Defining Content Profiles
  The Order of Operations for URL Classification

Chapter 23: Review and Final Labs
  Course Review Questions
  Final Lab Project (Option 1) - Production Scenario
  Final Lab Project (Option 2) - JSON Parsing with the Default JSON Profile
  Final Lab Project (Option 3) - Managing Traffic with Layer 7 Local Traffic Policies

Chapter 24: Additional Training and Certification
  Getting Started Series Web-Based Training
  F5 Instructor Led Training Curriculum
  F5 Professional Certification Program

Appendix A (Helpful Hints)
Appendix B (Rapid Deployment Methodology)
Appendix C (Additional Topics)
Appendix D (Injection Table)
Appendix E (2017 OWASP Top Ten and ASM Mitigations)
Appendix F (Additional Resources)
Preface

Course Overview

Description

This course gives participants a functional understanding of how to deploy, tune, and operate BIG-IP Application Security Manager (ASM) to protect their web applications from HTTP-based attacks. The course includes lecture, hands-on labs, and discussion about different ASM components for detecting and mitigating threats from multiple attack vectors such as web scraping, Layer 7 Denial of Service, brute force, bots, code injection, and zero-day exploits.

Topics covered in this course include:
  • Provisioning ASM
  • Traffic processing with BIG-IP Local Traffic Manager (LTM)
  • Web application concepts
  • Web application vulnerabilities
  • Security policy deployment
  • Security policy tuning
  • Attack signatures
  • Positive security building
  • Securing cookies and other headers
  • Reporting and logging
  • Policy Diff, merging, and export
  • Advanced parameter handling
  • Using application templates
  • Using Automatic Policy Builder
  • Integrating with web vulnerability scanners
  • Login enforcement
  • Brute force mitigation
  • Session tracking
  • Web scraping detection and mitigation
  • Geolocation Enforcement and IP Address Exceptions
  • Using Parent and Child policies
  • Layer 7 DoS protection
  • ASM and iRules
  • Using Content Profiles for AJAX and JSON applications
  • NEW: Advanced Bot Detection and Defense
  • NEW: Proactive Bot Defense
  • NEW: Simple Edit Mode for Attack Signatures

Audience

This course is intended for security and network administrators who will be responsible for the deployment, tuning, and day-to-day maintenance of the Application Security Manager.
Course Objectives

At the end of this course, the student will be able to:
  • Describe the role of the BIG-IP system as a full proxy device in an application delivery network
  • Provision the Application Security Manager
  • Define a web application firewall
  • Describe how ASM protects a web application by securing file types, URLs, and parameters
  • Deploy ASM using the Rapid Deployment template (and other templates) and define the security checks included in each
  • Define learn, alarm, and block settings as they pertain to configuring ASM
  • Define attack signatures and explain why attack signature staging is important
  • Contrast positive and negative security policy implementation and explain the benefits of each
  • Configure security processing at the parameter level of a web application
  • Use an application template to protect a commercial web application
  • Deploy ASM using the Automatic Policy Builder
  • Tune a policy manually or allow automatic policy building
  • Integrate third-party application vulnerability scanner output into a security policy
  • Configure login enforcement and session tracking
  • Configure protection against brute force, web scraping, and Layer 7 denial of service attacks
  • Implement iRules using specific ASM events and commands
  • Use Content Profiles to protect JSON and AJAX-based applications
  • Implement Bot Signatures
  • Implement Proactive Bot Defense

Prerequisites

There are no F5-technology-specific prerequisites for this course. However, completing the following before attending would be very helpful for students with limited BIG-IP administration and configuration experience:
  • Administering BIG-IP instructor-led course
  • F5 Certified BIG-IP Administrator

The following free web-based training courses, although optional, will be very helpful for any student with limited BIG-IP administration and configuration experience.
These courses are available at F5 University (http://university.f5.com):
  • Getting Started with BIG-IP
  • Getting Started with BIG-IP Application Security Manager (ASM)

The following general network technology knowledge and experience are recommended before attending any F5 Global Training Services instructor-led course:
  • OSI model encapsulation
  • Routing and switching
  • Ethernet and ARP
  • TCP/IP concepts
  • IP addressing and subnetting
  • NAT and private IP addressing
  • Default gateway
  • Network firewalls
  • LAN vs. WAN

Additional Documentation and Resources

Additional documentation and resources related to the F5 products and solutions described in this course can be found online at www.f5.com and at AskF5.com. Some relevant resource types and titles are shown in the table below, and throughout the course material:

  Resource Type   Title
  Manual          BIG-IP Application Security Manager: Getting Started
  Manual          BIG-IP Application Security Manager: Implementations
  Manual          ASM Operations Guide
  Release Notes   BIG-IP ASM 13.0
Chapter 1: Setting Up the BIG-IP System

Chapter Objectives

After completing this chapter, you will be able to:
  • Describe the steps involved in preparing a new BIG-IP system for use in application delivery
  • Confirm that a BIG-IP system is successfully licensed, provisioned, set up on the network, ready for high availability, and ready to be configured for application delivery

Introducing the BIG-IP System

Lesson Objectives

At the end of this lesson, you should be able to:
  • Articulate the difference between a packet-based design and a full-proxy architecture
  • Identify the major elements that comprise the BIG-IP system
  • Articulate the difference between application traffic and administrative traffic
  • Identify the tools that are used to administer the BIG-IP system and describe how to access them

Packet-based vs. Full Proxy Architecture

A network device with a packet-based (or packet-by-packet) design is located in the middle of communication streams, but is not an endpoint for those communications. For example, routers change layer 2 information, but then just pass traffic along, as shown in Figure 1.

Figure 1: Packet-based design

A full proxy is very different from a packet-by-packet design. Instead of having a minimal understanding of the communications streaming through the device, a full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. For example, BIG-IP can inspect and change packet information all the way up through layer 7.
A full proxy maintains two separate layer 4 connections, one on the client side and one on the server side, as shown in Figure 2. A full proxy device such as the BIG-IP effectively creates a gap between the two connections, allowing the contents of traffic exchanged over the connections to be viewed and modified to address a wide range of security, performance, and availability issues that are unique to each "side" of the proxy. For example, clients often experience higher latency because of lower-bandwidth connections, while servers are generally low latency because they are connected via a high-speed LAN. The optimization and acceleration techniques used on the client side are often very different from those used on the server side because the issues that give rise to performance and availability challenges are vastly

If the user keys in the URL

    http://www.mysite.com/admin.php?category=orders&orderid=2

an HTTP request will be generated with the request line

    GET /admin.php?category=orders&orderid=2 HTTP/1.1

and will include this header (along with others):

    Host: www.mysite.com

HTML forms can also use the GET method to send data to the server. In our previous example, suppose the application sent a page to the user that included this form:

    <form action="/admin.php" method="GET">
      <input type="hidden" name="category" value="orders" />
      Order Number: <input type="text" name="orderid" />
      <input type="submit" value="View order information" />
    </form>
The HTML above might look like this in the user's browser window:

    Order Number: [          ] [View order information]

If the user types "2" in the "Order Number" field and clicks the "View order information" button, the resulting HTTP request will look virtually the same as when they typed the URL and parameters into the address bar:

    GET /admin.php?category=orders&orderid=2 HTTP/1.1
    Host: www.mysite.com

GET request considerations

When a <form> tag specifies the method "GET", key-value pairs representing the input from the form are appended to the URL following a question mark. Pairs are separated by an ampersand. Variables are plain text and are visible in the browser's address bar. For example:

    http://auction.f5.com/?username=PSmith&password=ABC&hidden_form=sneaky

This is a key reason why GET requests should not be used for transactions with sensitive data. The following points must also be considered:
  • GET requests can be cached
  • GET requests remain in the browser history
  • GET requests can be bookmarked
  • GET requests have length restrictions
  • GET requests should be used only to retrieve data

Query strings specify a requested resource type

The GET method often uses a query string, which is in the URI, to pass data to the application. Data in the query string flows from the client (usually, but not limited to, a web browser) to the application, which returns a web page or other HTTP response. This URI for a search page includes a query, after the question mark, with name/value pairs for the parameters used in a web application:

    http://auction.f5.com/search.php?q=parker+pen

The POST method is also used to send data to a web application. Unlike GET, whose use should be restricted to retrieval only, POST can (and should) be used to send data that will be used by the web application to modify resources, such as a database. POST data is not specified on the request-URI. Instead, POST uses the request message body to send information to the web application. Let's convert the form we used in the previous GET example to use POST instead:

    <form action="/admin.php" method="POST">
      <input type="hidden" name="category" value="orders" />
      Order Number: <input type="text" name="orderid" />
      <input type="submit" value="View order information" />
    </form>
The HTML above will look the same in the user's browser window:

    Order Number: [          ] [View order information]

If the user types "2" in the "Order Number" field and clicks the "View order information" button, the resulting HTTP request will look quite different, however. The request line will look like this:

    POST /admin.php HTTP/1.1

Note that the parameter data is not included in the request line. The request headers will still include this entry (along with others):

    Host: www.mysite.com

The parameter data will be included in the request's message body, and look like this:

    category=orders&orderid=2

POST request considerations
  • POST requests are not cached by default
  • POST requests do not remain in the browser history
  • POST requests cannot be bookmarked
  • POST requests have no restrictions on data length

It is possible to send data to a web application using both GET and POST simultaneously. Here's a slightly modified version of the previous example:

    <form action="/admin.php?action=print" method="POST">
      <input type="hidden" name="category" value="orders" />
      Order Number: <input type="text" name="orderid" />
      <input type="submit" value="View order information" />
    </form>

The resulting HTTP request will contain the following information (among other entries):

    Request line:    POST /admin.php?action=print HTTP/1.1
    Request header:  Host: www.mysite.com
    Message body:    category=orders&orderid=2

Comparing POST with GET

The following list compares the two HTTP methods, GET and POST.

BACK button/Reload
  GET: No issues, if the page is refreshed from cache.
  POST: Data will be resubmitted. (The browser will generally alert the user that the data are about to be resubmitted and provide an option to cancel the resubmit.)

Bookmarked
  GET: Can be bookmarked.
  POST: Cannot be bookmarked.

Encoding type
  GET: application/x-www-form-urlencoded
  POST: application/x-www-form-urlencoded or multipart/form-data

History
  GET: Parameters remain in browser history.
  POST: Parameters are not saved in browser history.

Restrictions on data length
  GET: Yes. When sending data, the GET method adds the data to the URL, and the length of the URL is limited. A maximum of 2048 characters is the commonly cited figure, but the actual limit depends on the browser and the server.
  POST: No restrictions.

Restrictions on data type
  GET: ASCII characters only.
  POST: No restrictions. Binary data also allowed.

Security
  GET: Somewhat less secure than POST because data is sent as part of the URL. Should not include passwords or other sensitive information.
  POST: Somewhat more secure than GET because parameters are not stored in browser history or in web server logs.

Risks in Other Methods

Some of the HTTP methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users. More specifically, OWASP documents the following vulnerabilities:

PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g. an .asp file that executes commands by invoking cmd.exe), or by simply using the victim's server as a file repository.
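The request structures above (parameters in the query string, in the body, or in both) are exactly what a web application firewall has to extract before it can enforce anything on file types, URLs, and parameters. The following is an added example, not code from the course or from F5: a small parser that splits a raw HTTP/1.1 request into method, path, file type, headers, and the parameter pairs from both locations. The three sample requests are constructed from the GET, POST, and mixed examples in the text; the Content-Length consistency check is an assumption about what a careful parser should do, not a description of ASM's behaviour.

```python
"""Parse a raw HTTP/1.1 request into the pieces a web application firewall
inspects: method, URL path, file type (extension), headers, and the parameter
name/value pairs carried in the query string and in a urlencoded POST body.

Added example; this is not code from the course or from F5. The sample
requests at the bottom are constructed from the GET, POST, and mixed
examples in the text above."""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

Param = Tuple[str, str]


@dataclass
class ParsedRequest:
    method: str
    path: str
    version: str
    file_type: str           # extension of the requested file, "no_ext" if none
    headers: Dict[str, str]  # header names lower-cased
    query_params: List[Param]
    body_params: List[Param]

    @property
    def parameters(self) -> List[Param]:
        """All parameters in the order a WAF would see them: URL first, then body."""
        return self.query_params + self.body_params


def parse_request(raw: bytes) -> ParsedRequest:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    # A WAF must not trust a body it cannot fully account for (assumed check).
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("body length does not match Content-Length")

    url = urlsplit(target)
    ext = posixpath.splitext(url.path)[1].lstrip(".")
    query_params = parse_qsl(url.query, keep_blank_values=True)

    body_params: List[Param] = []
    content_type = headers.get("content-type", "")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        body_params = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)

    return ParsedRequest(method, url.path, version, ext or "no_ext",
                         headers, query_params, body_params)


# Constructed sample requests (mirroring the examples in the text).
GET_REQ = (b"GET /admin.php?category=orders&orderid=2 HTTP/1.1\r\n"
           b"Host: www.mysite.com\r\n\r\n")
POST_REQ = (b"POST /admin.php HTTP/1.1\r\n"
            b"Host: www.mysite.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 25\r\n\r\n"
            b"category=orders&orderid=2")
MIXED_REQ = (b"POST /admin.php?action=print HTTP/1.1\r\n"
             b"Host: www.mysite.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 25\r\n\r\n"
             b"category=orders&orderid=2")

if __name__ == "__main__":
    for raw in (GET_REQ, POST_REQ, MIXED_REQ):
        req = parse_request(raw)
        print(req.method, req.path, req.file_type, req.parameters)
```

Running the block prints the file type "php" for all three requests, the two GET-style parameters for the first, the same two parameters coming from the body for the second, and three parameters for the mixed request, where "action" arrives in the URL and "category" and "orderid" arrive in the body. A request whose body is shorter or longer than its Content-Length is rejected rather than parsed, since a parser that silently accepts such a request disagrees with the back-end server about where the message ends.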
DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack.

CONNECT: This method could allow a client to use the web server as a proxy.

TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed to be harmless, can be used to mount an attack known as Cross Site Tracing (XST).

HEAD: If a security constraint was set on GET requests such that only authenticated users could access GET requests for a particular resource, the security constraint might be bypassed for the HEAD version. This could allow unauthorized blind submission of any privileged GET request.

If a web application needs one or more of these vulnerable methods, it is important to check that their usage is properly limited to trusted users and safe conditions.

Methods Enforcement on URLs

Figure 5: Methods can be allowed or disallowed per URL (in the Properties configuration section of the Allowed HTTP URL, using the "Override policy allowed methods" setting; a "Create Custom Method" option is also available)

In many applications, specific URLs require enforcement of different methods. In this example, we can see two different methods with different allowed/disallowed permissions on the URL. There is also an option to define a custom method, allowing more granularity in enforcement.

HTTP request components: headers

Headers are name/value pairs that appear in both request and response messages, after the first line. The name of the header is separated from the value by a single colon.
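The per-URL method enforcement shown in Figure 5, and the HEAD row of the OWASP table, can be demonstrated together. The block below is an added illustration and not ASM's own logic: a policy-wide allowed-methods list with per-URL overrides, a check that evaluates HEAD under the same restriction as GET so the bypass described above cannot happen, and an audit that lists risky methods a policy grants on every URL instead of only where needed. The policy contents, URL names, and violation strings are constructed for the example.

```python
"""Per-URL HTTP method enforcement, modelled on the policy-wide Allowed
Methods list plus the per-URL override shown in Figure 5. This is an added
illustration, not ASM's own code; the policy below is constructed.

The HEAD entry in the OWASP table above motivates effective_method(): a
restriction placed on GET for a URL must also cover HEAD, otherwise HEAD
reaches the privileged GET handler while skipping the check."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Methods OWASP singles out as risky when exposed without tight control.
RISKY_METHODS: FrozenSet[str] = frozenset({"PUT", "DELETE", "CONNECT", "TRACE"})


@dataclass
class MethodPolicy:
    allowed: FrozenSet[str]  # policy-wide allowed methods
    # per-URL allowed methods; an entry here replaces the policy-wide list
    url_overrides: Dict[str, FrozenSet[str]] = field(default_factory=dict)


def effective_method(method: str) -> str:
    """HEAD is a GET without a response body; evaluate it under GET's restrictions."""
    m = method.upper()
    return "GET" if m == "HEAD" else m


def check_method(policy: MethodPolicy, method: str, path: str) -> Optional[str]:
    """Return None when the request is allowed, otherwise a violation description."""
    m = effective_method(method)
    if path in policy.url_overrides:
        if m in policy.url_overrides[path]:
            return None
        return f"{method} not allowed for URL {path}"
    if m in policy.allowed:
        return None
    return f"{method} not allowed by policy"


def audit_policy(policy: MethodPolicy) -> List[str]:
    """Risky methods granted policy-wide, i.e. on every URL rather than only
    where the application needs them. Each one deserves a per-URL override."""
    return sorted(RISKY_METHODS & policy.allowed)


# Constructed policy: GET/POST everywhere, PUT only on the upload URL,
# and the admin page restricted to POST.
EXAMPLE_POLICY = MethodPolicy(
    allowed=frozenset({"GET", "POST"}),
    url_overrides={
        "/upload.php": frozenset({"GET", "POST", "PUT"}),
        "/admin.php": frozenset({"POST"}),
    },
)

if __name__ == "__main__":
    for method, path in [("GET", "/index.php"), ("PUT", "/index.php"),
                         ("PUT", "/upload.php"), ("HEAD", "/admin.php"),
                         ("TRACE", "/index.php")]:
        print(method, path, check_method(EXAMPLE_POLICY, method, path) or "allowed")
    print("policy-wide risky methods:", audit_policy(EXAMPLE_POLICY))
```

The HEAD case is the one to watch: /admin.php allows only POST, so a HEAD request is refused even though HEAD is not named anywhere in the policy. Without the normalisation in effective_method, a per-URL rule written for GET would be silently bypassed by HEAD.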
Headers define the operating parameters of the HTTP transaction, such as content encoding, language, browser identification, and connection settings. HTTP headers can carry data used by applications and therefore should be considered a viable transport mechanism for malicious code. There are multiple headers, notably Host, Accept-Encoding, Cookie, and Connection.

    GET /browse.php?id=29 HTTP/1.1
    Referer: http://auction.f5.com
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
    Host: auction.f5.com
    Connection: Keep-Alive
    Cookie: PHPAUCTION_SESSION=2d3e18bcef

Headers appear after the request line.

HTTP headers allow web clients and servers to negotiate multiple options concerning the transfer of data. Generally, the client's request includes what the client can do or would like to do, and the server's response includes what the server has chosen to do. It is not an iterative process. HTTP headers add additional information to request and response messages. General headers are generic and used by both clients and servers. Some example headers are shown in the tables below.

General headers
  Connection: Whether the client and server support using a single TCP connection to process multiple request/response pairs. Version 0.9 did not support this option; version 1.0 defaulted to Connection: Close; and version 1.1 defaults to Connection: Keep-Alive.
  Date: Date and timestamp of when the HTTP message was created.
  Transfer-Encoding: Informs the receiver what encoding was performed on the HTTP message in order for it to be transported safely.
  Via: Means that this HTTP message went through a proxy.

Request headers provide information to servers, such as what data type the client is willing to receive.
Request headers
  Referer: Allows the client to specify for a server where it came from. The header provides the address of the page where a user clicked on a link (or submitted a form).
  Host: Provides the hostname (or IP) and optionally the port of the device the client is sending the request to. No headers are required in versions 0.9 and 1.0, and the Host header is the only header required in version 1.1.
  User-Agent: Tells the requested server the browser type making the request.
  Accept-Encoding: Defines the kind of encoding the browser can receive.

Examining HTTP Responses

An HTTP response message has the following general structure:

  Status line: protocol version and status code. Example:
      HTTP/1.1 200 OK
  Headers: varies. Example:
      Date: Wed, 01 May 2013 18:19:41 GMT
      Server: Apache
      Content-Encoding: gzip
      Content-Length: 2573
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html
      Set-Cookie: PHPSESSID=d98ae41d312db0d44dd7644252630009
  Message body: response payload (optional): HTML, images, scripts, stylesheets, video, etc.

HTTP responses are generally composed of three sections. The first line includes the HTTP version and a response code; the second section includes any response headers; and the third section is the body of the response.

    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 26 Jan 2018 14:52:12 GMT
    Content-Type: image/png
    Content-Length: 1122
    Connection: keep-alive
    Last-Modified: Sat, 16 Dec 2017 03:47:01 GMT
    ETag: "1860c1a-462-5606cf84052bc"
    Accept-Ranges: bytes
    X-Content-Type-Options: nosniff
    Set-Cookie: BIGipServerab13web-app_http=!
Figure 6: Response code, response headers, and response body

ASM is typically configured to remove the Server header information from the HTTP response, so that the server software is not disclosed to the client.

Response headers provide information about the payload of the HTTP message.

Response headers
  Content-Type: Describes the data types being sent in the message.
  Content-Length: Provides the length of the body.
  Expires: Indicates a time after which a resource may no longer be valid. Before expiration, caches may keep a copy of the response and return it in response to subsequent requests. Expiration dates should be verified.
  Last-Modified: Date and time of the last change to the entity body.
  Content-Encoding: Specifies the format of a compressed resource, such as gzip.

HTTP response status codes

HTTP response codes are 3-digit numbers that tell the client whether the request was fulfilled or not. The list below contains a brief description of each response code class.

  1xx: Informational (not supported by HTTP 1.0)
  2xx: Successful to some degree
  3xx: Redirection needed
  4xx: Error seems to be in the client
  5xx: Error seems to be in the server

Response headers contain the response date, size, and type of file that the server is sending back to the client, and data about the server itself.

  Age: How old the response is.
  Content-Type: What data types (objects) the message body contains.
  Server: The type of server sending the response back to the client. By default, ASM removes the Server header.

Exploiting the Document Object Model (DOM)

Web pages are built from many types of data including formatting information, images, and multimedia files. Traditional web pages are written in Hypertext Markup Language (HTML).
HTML enables authors to specify links to other objects and pages, and also defines the structure and formatting of how the page is rendered in the browser that is retrieving it. Web browsers display their interpretation of HTML as a hierarchy of objects, called the Document Object Model. As defined by the World Wide Web Consortium, "The Document Object Model (DOM) is a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure, and style of a document."

Therein lies the threat: the DOM is vulnerable to scripts or other external tools which can manipulate components of the document, such as a form field or other element of the site. Additionally, most web pages no longer consist only of static HTML. The introduction of dynamic HTML, and numerous browser plug-ins such as Adobe Flash, RealPlayer, and others, has resulted in a proliferation of dynamic web pages which can be vulnerable to modification of the DOM, often in ways that are invisible to a legitimate end user.

User input forms: free text input

User input form elements allow for free-text input. Examples are comments, userid, and password fields. Even though HTML defines restrictions for various user input elements, they can all be altered and reconfigured using tools such as interceptor proxies.

<input type="text"> defines an input field into which a user can enter characters:
    First name: <input type="text" name="firstname">
    Last name: <input type="text" name="lastname">

First name:
Last name:

Figure 7: A rendered form

When a field is given a value, this value will eventually be carried in a parameter name=value pair in the query string or post data of a request.

Static form elements

Static form elements are predefined by the server. Examples of static form elements are drop-down menus, radio buttons, and checkboxes. <input type="radio"> defines a radio button. Radio buttons let a user select one item out of a limited number of choices:
    <input type="radio" name="agree" value="yes"> Yes
    <input type="radio" name="agree" value="no"> No

Special form elements, such as hidden form fields, are elements that would not be presented to the browser and would not be rendered for user interaction.

A submit button sends form data to a server. <input type="submit"> defines a submit button. The data is sent to the page specified in the form's action attribute. The file defined in the action attribute usually does something with the received input:
    <form action="search.php">
      <input type="text" name="q">
      <input type="submit" value="Search">
    </form>

How ASM Parses File Types, URLs, and Parameters

ASM protects a web application by building a data structure model of the components, or objects, of a web application, and then enforcing the interactions between end users and the application itself, and the interaction between the components.

The file types used in any web application are usually a finite group that is tied to the technology used by the application. For example, in a .NET application you are likely to find file types such as .asp or .aspx, .gif, .jpg, .doc, .pdf, .css and .js. Unless the application changes its underlying technology, the file types will remain the same throughout the application lifecycle.

Specific objects within a web application, such as file types, URLs, and parameters, can be enumerated by ASM depending on the level of granularity you are seeking to establish for securing your web application. In the following example, a flow for how ASM evaluates HTTP requests can be seen, starting with the HTTP method:

    GET /search.php?name=Student1&status=1 HTTP/1.1\r\n
    Host: hackit.f5trn.com\r\n
    Connection: keep-alive\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
    Referer: http://172.16.200.10/search.php?q=data\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n

In line 1, ASM can verify HTTP compliance by verifying that the method is allowed. In lines 2 through 9, ASM can check that every line ends with \r\n in accordance with the expected operating system, and that each header is valid and includes a value. In lines 1 and 6, ASM can enforce valid file types for the application (.php in this example). But other file types might include .jpeg, .jpg, .doc, .docx, and .pdf.

Additionally, in lines 1 and 6, ASM can enforce a list of valid URLs (/search.php in this example), and can check for a list of valid parameter names (name and q in this example). For each parameter ASM can then enforce a maximum value length allowable by the web application. Finally, before sending the HTTP request to the web application, ASM can scan each parameter, the URI and the headers for known attack patterns.

Using the Fiddler HTTP Proxy

In the next lab, you will use a freeware HTTP proxy tool called Fiddler to examine HTTP traffic between a client and a web application. Fiddler allows you to inspect all HTTP traffic, and generally "fiddle" with incoming or outgoing data. For example, if you are examining HTTP requests in a financial transaction, Fiddler can pause any request and allow you to inspect and modify the request before sending it along. Fiddler is freeware and can debug traffic from browsers such as Internet Explorer and Mozilla Firefox.

Fiddler's user interface lists HTTP sessions in the left section. By selecting an HTTP session, you can view its statistics, or inspect different elements of the request as shown below.

Figure 8: The Fiddler user interface

Fiddler is helpful in two ways: First, requests are instantly logged and displayed in summary. Second, the Inspector provides details for each request.
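The request-evaluation flow described in How ASM Parses File Types, URLs, and Parameters above, as an added Python example that is not ASM's own code or policy format: it walks the same checks (allowed method, CRLF line endings, well-formed headers, file type, URL, parameter names and lengths, attack signatures in parameters and headers) over the sample request from that section against a constructed allow-list policy. The policy contents, the length limits, the three signatures and the tampered request are all assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list policy for the sample application (an illustration, not ASM's policy format).
POLICY = {
    "methods": {"GET", "POST", "HEAD"},
    "file_types": {"php", "jpeg", "jpg", "doc", "docx", "pdf", "css", "js"},
    "urls": {"/search.php", "/index.php"},
    "parameters": {"name": 32, "q": 64, "status": 4},   # name -> max value length; "status" assumed too
    "signatures": [re.compile(p, re.I) for p in         # a few assumed attack patterns
                   (r"<\s*script", r"\bunion\b.+\bselect\b", r"\.\./")],
}

def evaluate_request(raw: bytes, policy: dict = POLICY) -> list:
    """Return the policy violations found in a raw HTTP request header block (empty list = clean)."""
    violations = []
    text = raw.decode("latin-1")                          # header bytes only; nothing is interpreted
    header_block, sep, _body = text.partition("\r\n\r\n")
    lines = (header_block + ("\r\n" if sep else "")).splitlines(keepends=True)

    def scan(value: str, where: str) -> None:
        for sig in policy["signatures"]:
            if sig.search(value):
                violations.append(f"{where}: attack signature {sig.pattern!r}")

    def check_url(url: str, where: str) -> None:
        parts = urlsplit(url)
        last = parts.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
        if ext and ext not in policy["file_types"]:
            violations.append(f"{where}: illegal file type .{ext}")
        if parts.path not in policy["urls"]:
            violations.append(f"{where}: illegal URL {parts.path}")
        for pname, pvalue in parse_qsl(parts.query, keep_blank_values=True):
            limit = policy["parameters"].get(pname)
            if limit is None:
                violations.append(f"{where}: illegal parameter {pname}")
            elif len(pvalue) > limit:
                violations.append(f"{where}: parameter {pname} length {len(pvalue)} > {limit}")
            scan(pvalue, f"{where}: parameter {pname}")

    # Line 1: HTTP compliance of the request line, and an allowed method.
    first = lines[0] if lines else ""
    fields = first.rstrip("\r\n").split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        return [f"line 1: malformed request line {first.strip()!r}"]
    method, target, version = fields
    if method not in policy["methods"]:
        violations.append(f"line 1: method {method} not allowed")

    # Every line must end with CRLF; lines 2..n must be 'Name: value' with a non-empty value.
    headers = {}
    for num, line in enumerate(lines, start=1):
        if not line.endswith("\r\n"):
            violations.append(f"line {num}: does not end with \\r\\n")
        if num == 1:
            continue
        name, colon, value = line.rstrip("\r\n").partition(":")
        if not colon or not name.strip() or not value.strip():
            violations.append(f"line {num}: invalid header or missing value {line.strip()!r}")
            continue
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        violations.append("Host header is required in HTTP/1.1")

    # Lines 1 and 6: file type, URL, parameter names and lengths; then signatures in every header.
    check_url(target, "line 1")
    if "referer" in headers:
        check_url(headers["referer"], "Referer")
    for name, value in headers.items():
        scan(value, f"header {name}")
    return violations

# Constructed sample: the request from the section above, with explicit CRLF line endings.
SAMPLE_REQUEST = (
    b"GET /search.php?name=Student1&status=1 HTTP/1.1\r\nHost: hackit.f5trn.com\r\n"
    b"Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    b"Referer: http://172.16.200.10/search.php?q=data\r\nAccept-Encoding: gzip, deflate\r\n"
    b"Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n"
)
# Constructed tampered request: bare LF on line 1, an unlisted URL, a scripted value, an empty header.
TAMPERED_REQUEST = (b"GET /private.php?name=<script>x HTTP/1.1\n"
                    b"Host: hackit.f5trn.com\r\nX-Debug:\r\n\r\n")
```

evaluate_request(SAMPLE_REQUEST) returns an empty list, while the tampered request yields one violation for each of the four defects listed in its comment.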
Choose a session on the left, and then click the Inspector tab on the right to view the contents of the request.

Lab 3.1 - Fiddler and the Hack-it Auction Site

Lab Objectives

* Familiarize yourself with Fiddler and the Hack-it auction site
* View HTTP request and response traffic

Estimated time for completion: 15 minutes

Lab Requirements

* Completion of Lab 2.1

Start Fiddler and adjust IP address filter

Fiddler will display HTTP connection information between your browser and all IP addresses to which it establishes a connection. In order to make it easier to see only the connections between your browser and the auction site, configure Fiddler to filter and hide the management IP address of the BIG-IP so that it does not appear in the sessions panel.

1. Start Internet Explorer, and then start Fiddler.
2. On the right-hand side of the Fiddler window, locate the set of tabs, and then click the Filters tab.
3. Select the Use Filters checkbox, and then select Hide the following Hosts from the second drop-down menu.
4. Enter the management IP address of your BIG-IP as shown in the example below:

   (Figure: the Fiddler Filters tab with Use Filters selected, Hide the following Hosts chosen, and 192.168.X.31 entered in the hosts box)

5. Click the Actions button, and then select Run Filterset now.

Viewing HTTP traffic using Fiddler

6. Connect to http://hackit.f5trn.com.
7. In Fiddler, locate the Web Sessions panel on the left side of the Fiddler window.
8. How many HTTP sessions are opened when you connect to the web application?
9. Log on to the auction site using studentX for both username and password, and then complete a few tasks such as searching for and selling an item.
10. In Fiddler, in the Web Sessions panel, select a URL for a specific session.
11. In Fiddler, in the panel on the right, click the Inspectors tab.
12. Locate the Request and Response headers.
13. Can you view GET information for a request after logging in?
14. Can you view POST information for a request after selling an item?
15. View various HTTP headers including User-Agent, Host, and Cookie.
16. Click on the Raw tab within the Response Headers section.
17. View the HTML for this web application. Take a few minutes to explore the Hack-it auction site.
18. Exit Fiddler.

Expected Results

After completing this lab, you should be able to access Fiddler on your workstation and use it to view request and response transactions between your browser and the Hack-it auction site.

Chapter 4: Web Application Vulnerabilities

Chapter Objectives

After completing this chapter, you will be able to identify at least three common web application vulnerabilities, and describe how ASM can be used to mitigate them.

A Taxonomy of Attacks: The Threat Landscape

As a Layer 7 web application firewall, ASM is uniquely effective at detecting and mitigating attacks that are crafted to abuse the HTTP protocol, the business logic of common applications and their underlying architectures, and virtually any other activity aimed at the application side of web-based transactions. F5 researchers have noted that sophisticated attackers are targeting different parts of the entire environment, often simultaneously, with increasing frequency. Therefore, it is helpful to place various threats in context to begin securing that environment.

Types of Attacks

Today's threat landscape consists of four classifiable types of attacks: client-side, network, session-based, and application-side.

Client-side attacks

Client-side attacks are usually directed at the weakest link in the chain—the end user. Malware is a prevalent client-side attack. The term malware is short for "malicious software." In most cases, users install malware without realizing it, often by downloading an attachment in an email, or by getting tricked into clicking a malicious link.
The malware infects a device after it is installed and running. Today, many variations of malware can survive a device reboot. Depending on the goals of the attacker, malware can gather sensitive data or gain unauthorized access to the device—or even other networked devices.

Network attacks

Network attacks are typically blunt force methods intended to exhaust network resources or server capacity. In many cases, inducing a denial of service (DoS) by overwhelming system capacity is the goal of the attacker. A SYN flood is an example. The idea is to consume so many TCP connections that the server finally stops answering legitimate requests. This type of attack might hide inside legitimate traffic or illegal traffic. Other examples are SSL floods and DNS UDP floods which can consume CPU and memory—anything to drain resources rapidly in ultimately useless computational cycles.

Session attacks

The underlying concept of a session attack is that an attacker is impersonating a legitimate user's connection to a server. HTTP transactions between a client and server can use multiple TCP connections. Consequently, the server requires a mechanism to track connections from each user after the user is authenticated. This mechanism is a session token, which is usually a character string of variable length. The token might be appended to the URL, it might appear in a cookie header, or in some other component of the HTTP transaction. By guessing or stealing the session token, an attacker can masquerade as a legitimate user and access the server.

Application attacks

Many vulnerabilities in corporate IT infrastructure are based not on worms or viruses, and not on known application servers, but on vulnerabilities in the applications themselves. These leave corporate web infrastructures exposed to attacks such as cross-site scripting, code injection, and data tampering.
It is often these application vulnerabilities which attackers exploit to extract sensitive data from corporate databases, or to deface a corporate web presence.

Figure 1: Some attacks target the network or the infrastructure itself. Other attacks target the application logic.

What Elements of Application Delivery Are Targeted?

Today's primary attack targets are user identities and applications because these are the gateway to data. How does anyone get access to data today? Most of the time, it's through an application. And stolen user credentials give hackers an easy way to access applications and data—especially when users have weak or duplicate passwords for dozens of apps they use every day.

Figure 2: The majority of attacks target user access and credentials or applications.

Common Exploits Against Web Applications

It is a good practice to frequently refer to the Open Web Application Security Project (OWASP) at www.owasp.org for the latest developments in application security. The OWASP Top Ten is a powerful awareness document for web application security. The list is a living document representing a broad consensus about what the most critical web application security flaws are. Here are some examples of recent OWASP Top 10 web application vulnerabilities:

* Injection attacks
* Broken authentication and session management
* Insecure direct object references
* Security misconfiguration
* Sensitive data exposure
* Missing function level access control
* Using known vulnerable components
* Unvalidated redirects and forwards
* Cross-site scripting (XSS)
* Cross-site request forgery (CSRF)

Through a browser, or using a free HTTP proxy tool, a hacker can use the smallest of bugs or backdoors to change an operation.
Any application that interacts with end users can be vulnerable to exploitation. There are various ways to categorize the security problems associated with a web application, including the systems affected by the attack, the type of attack, the flaw in the web application allowing the attack, or a combination of them all.

Broken Authentication and Session Management

Authentication is the process of verifying that the identity of an individual or an entity is known. Although authentication is a critical aspect of application security, some authentication mechanisms can be exploited by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other similar functions. Most web applications rely on a combination of user name and ID, variables known only by an individual, to verify identity during authentication.

Session management mechanisms such as cookies, session IDs, and tokens enable a web application to remember all user requests throughout a transaction. Because HTTP requests do not store data, session IDs and tokens pass data between client and server during transactions. If these session IDs and tokens are not properly protected, an attacker can hijack a session and assume a user's identity.

Here is an example attack scenario from OWASP. An airline reservations application supports URL rewriting, putting session IDs in the URL:

    http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii

Let's assume that the application's timeouts aren't set properly. A customer uses a public computer to access the application. Instead of selecting "logout" the user simply minimizes the browser tab and walks away. The attacker opens the same browser fifteen minutes later—and that browser is still authenticated.
To ensure a web application is not vulnerable to broken authentication and session management attacks, the following strategies should be considered:

* Passwords should be stored in an encrypted or hashed form
* Encrypt the entire login transaction
* Enforce login page timeouts

ASM mitigation techniques

ASM protects against broken authentication and session management by:

* Enforcing a unique login page
* Enforcing login page timeouts
* Enabling application flow enforcement and dynamic parameter protection
* Monitoring request attack patterns
* Using its own cookies to prevent session tampering

Parameter tampering

Parameter tampering can occur when a web application exposes a reference to an internal object to the user. Examples of internal objects are URLs, parameters, files, directories, hidden fields, and database keys. An attacker can modify the references to internal objects to get around the access controls on the object. This activity can yield access to functionality that the web application developer didn't intend to expose. Here is an example from OWASP in which a specific parameter, acct, is accessible to an attacker:

    http://example.com/app/accountInfo?acct=notmyacct

The attacker modifies the acct parameter in the browser to send an account number. If not properly verified, the attacker can access any user's account, instead of only the intended customer's account.

Parameter tampering can be done with cookies, form fields, HTTP headers, and query strings. Cookie manipulation can occur on persistent and non-persistent cookies. Secure cookies can be modified by the client and sent to the web application. As discussed in Hidden Field Manipulation, form fields can be hidden, free form, or pre-selected. Either way, they can be manipulated by the user to submit arbitrary data. When a user accesses a link within a website or single application, they may be sending a GET HTTP request.
Most of these requests have a query string with parameters identical to forms.

ASM mitigation techniques

ASM mitigates parameter tampering attacks by:

* Checking for allowed characters in the parameter name and value
* Checking for malicious patterns in user input parameters
* Verifying query string and data request lengths

Cookie Tampering

Cookies are strings of text in the HTTP header sent by a web server in response to the request of a web browser. The cookie is then sent back unchanged by the browser each time it accesses that server. The main purposes of cookies are:

* Differentiating between users
* Authenticating
* Maintaining personalized information about users
* Tracking
* Presenting the user with a stateful experience in which an application "remembers" one or more preceding events in a sequence of interactions with a user

Consider a web application you log in to once. You can then move through many pages quickly and easily—without having to re-authenticate or log in to each new area you visit. Session cookies enable the web application you are visiting to keep track of your navigation so you don't get asked for the same information you've already provided. Session cookies are temporary files, which are deleted when you close the browser and thereby end the session.

A common example of this functionality is the shopping cart feature of any e-commerce site. When you visit one page of a catalog and add an item to your cart, the session cookie remembers the item so your cart will have it when you are ready to check out. Persistent cookies remain on your hard drive until you delete them or they expire.

Cookies are used as identity for the server-side components of an application. With any response, a web server can send a "Set-Cookie:" header and provide a string (that is, a cookie). Once a cookie is set, all subsequent requests will send that cookie to the web server.
Cookies can be analyzed, modified and manipulated by any client-side logic. Cookie manipulation for the purpose of session hijacking is an attack which alters or copies the value of a cookie on the client side prior to a request to the server. By editing the request, the attacker enters the user's cookie into their own request. The attacker can now log in as a valid user by stealing the valid user's session cookie. Attackers that compromise the session cookie can defeat authentication restrictions and assume the other user's identity.

Malicious users could also change cookies by either using an interception proxy or directly modifying a file on a hard drive to falsify identity, bypassing authentication/authorization mechanisms.

ASM mitigation techniques

ASM verifies that domain cookies sent from the web server to the client are not altered. ASM inserts its own cookie into HTTP responses to client requests, and can validate domain cookies and detect session expiration. Additionally, ASM can prevent session hijacking by assigning a Device ID to each client, which represents an array of fingerprinting and identity checks that are unique to every client.

Sensitive Data Exposure

Sensitive data can include credit cards, user IDs, social security or social identification numbers, and authentication credentials. If a web application does not protect sensitive data, attackers can steal or modify it to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with a client.

ASM mitigation techniques

ASM can mask sensitive user input, such as a password or a credit card number, in a request. The contents of sensitive parameters are not visible in ASM logs or in the user interface.
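The two session-handling mitigations described above, an integrity check on the application's domain cookies (Cookie Tampering) and detection of an expired session (the login page timeout from Broken Authentication and Session Management), as an added Python example that is not ASM's implementation: the server adds one integrity cookie that binds a hash of its own cookies to an issue time, and each request is checked against it. The signing key, the cookie name SEAL_demo, the 15-minute idle limit and the cookie values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions): the signing key, the name of the added integrity cookie,
# and the idle limit that matches the fifteen-minute scenario above.
SECRET_KEY = b"constructed-demo-key-replace-in-deployment"
SEAL_COOKIE = "SEAL_demo"
IDLE_LIMIT = 15 * 60   # seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _digest(domain_cookies: dict) -> str:
    # Canonical, sorted form of the application's own cookies, so reordering cannot hide a change.
    canon = "\n".join(f"{k}={domain_cookies[k]}" for k in sorted(domain_cookies))
    return hashlib.sha256(canon.encode()).hexdigest()

def seal(domain_cookies: dict, now: float, key: bytes = SECRET_KEY) -> str:
    """Value of the integrity cookie added to a response: binds the domain cookies to an issue time."""
    body = _b64(json.dumps({"iat": int(now), "h": _digest(domain_cookies)}, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"   # the seal carries only a hash, never the cookie values

def verify(request_cookies: dict, now: float, key: bytes = SECRET_KEY, idle_limit: int = IDLE_LIMIT) -> list:
    """Return the violations for the cookies of an incoming request (empty list = accepted)."""
    seal_value = request_cookies.get(SEAL_COOKIE)
    if seal_value is None or "." not in seal_value:
        return ["integrity cookie missing"]
    body, _, tag = seal_value.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time comparison
            return ["integrity cookie forged or corrupted"]
        payload = json.loads(_unb64(body))
        issued, digest = int(payload["iat"]), str(payload["h"])
    except (ValueError, KeyError, TypeError):
        return ["integrity cookie malformed"]
    violations = []
    if now - issued > idle_limit:                 # the user walked away; the token is stale
        violations.append("session expired")
    domain_cookies = {k: v for k, v in request_cookies.items() if k != SEAL_COOKIE}
    if _digest(domain_cookies) != digest:         # edited, added or removed domain cookie
        violations.append("domain cookie modified")
    return violations

if __name__ == "__main__":
    now = time.time()
    app_cookies = {"PHPSESSID": "d98ae41d312db0d44dd7644252630009"}   # value from the response example
    browser = {**app_cookies, SEAL_COOKIE: seal(app_cookies, now)}     # what the client stores
    print(verify(browser, now + 60))                                   # []
    browser["PHPSESSID"] = "d98ae41d312db0d44dd7644252630000"          # client edits its cookie
    print(verify(browser, now + 60))                                   # ['domain cookie modified']
    print(verify({**app_cookies, SEAL_COOKIE: seal(app_cookies, now)}, now + 16 * 60))  # ['session expired']
```

After a request passes verify, the server would call seal again with the current time so the idle window slides with activity.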
Masking can be done at the parameter level, or masking of credit card data can be done globally.

Forceful Browsing

Vulnerabilities in access control settings can result in users being able to access URLs or parameters that are meant to be hidden or restricted. This presents a security concern, as URLs or other resources not designed for public and authorized use are frequently less protected than resources intended for public and authorized access.

Forceful browsing refers to directly accessing a web page that should not be available to users, or a page to which a link exists from an unauthorized hyperlink. In other words, users go directly to parts of a web application which they should not be able to access. Web applications that are not properly configured allow malicious users to directly access URLs that could contain sensitive information.

The popularization of the Google search engine has made this problem acute, since the Google technology can often find (and create public links to) interior pages of web sites which should only be accessed after passing through authentication pages. Users who navigate by using bookmarked pages present a similar problem.

A simple example of forceful browsing might just involve skipping over a registration page to get to the pages behind it. For instance, a user might see the URL http://www.website.com/public and simply make an educated guess about where the non-public part of the web site is, entering http://www.website.com/private and thereby bypassing authentication or login screens which were supposed to segregate that portion of the application.
To ensure a web application is not vulnerable to missing function level access control attacks, the following strategies should be considered:

* Enforce login pages
* Enforce parameter values by using dynamic parameters
* Deploy authentication and authorization policies that are role based
* Enforcement mechanisms should deny all access, requiring explicit permissions for certain users

ASM mitigation techniques

ASM can enforce allowed file types and URLs, and accurate parameter values and login pages.

Hidden Field Manipulation

In many applications, hidden HTML form fields are used to hold system passwords or merchandise pricing. The original intent of hidden fields was to keep track of sessions; hidden fields and cookies are two mechanisms available to save the state of the user.
