FYI: Answers to the exercise guide “questions” are at the end of each lesson.
ASM Lesson 3 – Exercise – Use Policy Building with Trusted and Untrusted Requests
Task 3
• It’s possible that the first time they run the iMacro, ASM won’t fully populate the Parameters List page.
They may not see two Login, Submit, id, password, and username parameters. If that happens, have
them rerun the macro from a new private Firefox window and then check again.
PBC – ASM / AWAF Full Course – Instructor Notes for Hands-on Exercises Page 1
Task 3
• The purpose of this task is to show how a security policy in automatic mode will change attribute
values and enforce entities automatically. Students are using the lowered learning values and the
iMacro to simulate a lot of web application traffic over time.
Task 4
• After the exercise, be sure to confirm with your students that they understand why the cross-site
scripting attack against the name parameter was blocked, but the initial SQL injection attack against
the id parameter wasn’t blocked. This is one of the most important “summaries” to get from this
hands-on exercise.
Task 2
• When the exercise guide states “Click the DVWA bookmark, then...”, they need to click the bookmark
first to clear out the previous signature violation.
Task 3
• If a student manually types the custom signature name, it’s likely they’ll miss the “.” between the % and
Chumbawamba. While this won’t prevent the exercise from working as written, it will make it hard to
locate the signature when they’re adding it to the signature set. However, if they manually type
chumbawamba for the rule and they make a typo, the rest of the task will not work as written.
The recommendation is for them to use the copy and paste guide in the Documents directory.
Task 4
• In this task they are presented with a CAPTCHA challenge, and then they view the corresponding event
log entry. However, if they either a) don’t enter the CAPTCHA challenge, or b) don’t enter it fast enough,
then there won’t be an event log entry for this. ASM only tracks an event log entry when a user is
presented with a CAPTCHA challenge and successfully enters the challenge in a relatively short amount
of time (10 – 15 seconds). If the student has trouble seeing the event log entry, have them run the brute
force macro again, immediately enter a successful CAPTCHA challenge, and then attempt to view
the log entry. It should be there.
ASM Lesson 7 – Exercise – Use CSRF and Parameter Tampering Protection, and Geolocation
Enforcement
Task 1
• This exercise requires them to use Internet Explorer (the bookmarks aren’t in Chrome or Firefox).
It also requires them to use two tabs in Internet Explorer to see the CSRF attack succeed.
Tasks 3 and 4
• Sometimes Burp Suite doesn’t display the correct details after clicking the Submit button on
the DVWA page. If that happens, simply turn Intercept off again, reset the DVWA page to
the XSS reflected page, then turn Intercept back on and try it again.
Task 7
• Because the ASM report data takes up to 5 minutes to display, remind the students that they should
start a break when they’re prompted in the exercise guide.
If Time Permits
• If the SQL injection attack isn’t blocked, it’s likely that the student didn’t select to place the child policy
in Blocking mode when they created it.
Task 2
• When creating the login page element for this exercise, we don’t include the string that should not
appear in the response. That’s because we’re only looking for successful logins for this exercise; we’re
not concerned about failed logins.
Task 3
• The workflow in this task is: after the students set the username threshold to 10, they then log in and
submit 5 violations. When they examine the blocked log entries they should see that they were blocked
simply for signature violations. However, once they’ve submitted more than 10 violations, they should
see that the most recent requests were blocked due to access from disallowed user.
Task 2
• At the end of the task they disable ASM Cookie Hijacking protection. This is so they can see what
happens when this feature is disabled at the beginning of task 4.
Task 4
• For this task to work, they must see a second ASM cookie that begins with TSPD_101. If they don’t see
this cookie after they re-run the tail command, they should reload the page a few more times using
Ctrl+F5, then close the page, and then open a new InPrivate Browsing window and try again.
Task 3
• It’s very important to reiterate that after applying the bot defense profile there are no longer any
event log entries. This illustrates that all bot attack traffic is blocked before it reaches the ASM security
policy.
Task 5
• In this task, students access the web site from the Traffic Generator desktop. This is simply to illustrate
the client-side integrity defense only blocks requests from the source IP of the DoS attack. Other source
IP addresses can continue to access the web application.
Task 6
• Because the ASM report data takes up to 5 minutes to display, remind the students that they should
start a break when they’re prompted in the exercise guide.
ASM Lesson 13 – Exercise – Use Distributed Brute Force and Credential Stuffing Protection
Task 1
• It’s very helpful if students have already performed the exercises for source-based brute force
protection from ASM lesson 6.
• In these exercises students will use Sentry MBA to launch the attacks instead of using a Firefox iMacro.
Task 2
• Directly after students finish creating the new security policy, they open a new tab and click
the Hack Login bookmark. This is simply so that the policy builder will add the /user/login URL to the
allowed URLs list.
• The purpose of task 2 is to show that source-based brute force protection is sufficient when the source
of the attack is coming from a single IP address. In the second part of the task they use an iRule that will
force every request to come from a random IP address, which will cause the source-based brute force
protection.
Task 3
• Students use Chrome to access the Hackazon login page to show that during a distributed brute force
attack, all users will be presented with the CAPTCHA challenge.
Task 2
• It will take several minutes to fully generate the baseline. Remind the students that they should start a
break when they’re prompted in the exercise guide.
• It’s very important that students do not move on to task 3 until they have fully established their
baseline.
Task 3
• It’s possible that when students are refreshing the dynamic signatures page that the signatures will
disappear before they are able to approve them. That is not a problem; the rest of the exercise will work
as written.
• Students need to let the attack run for a few minutes to ensure that the source IP addresses get added
to the bad actor list.
• Ensure the students have performed the steps at the end of the exercise before they move on to the
next exercise.