Merge pull request #126 from f5devcentral/develop

Appworld Pull to Master

docs/waf2025/labinfo/labinfo.rst

@@ -0,0 +1,44 @@
+Lab Environment & Topology
+===========================================================
+
+..  |lab-diag| image:: ../images/waf111_lab_diagram.png
+
+Environment
+-----------
+
+**External Jump Server**
+
+WAF Policy Assessment Tool:
+
+* `F5 WAF Tester <https://github.com/f5devcentral/f5-waf-tester>`_ - WAF Assessment Tool
+
+**Internal LAMP Server**
+
+Docker Containers:
+
+* Juice Shop - Extremely Vulnerable Web Application
+* DVGA - Vulnerable GraphQL Application
+
+**F5 BIG-IP**
+
+* Version 17.1.2 Build 0.0.8
+* Best Bundle (LTM, AFM, APM, ASM, DNS)
+
+Lab Topology
+------------
+
+The network topology implemented for this lab is very simple. The following
+components have been included in your lab environment:
+
+-  1 x F5 BIG-IP VE (v17.1) licenced with Best Bundle
+    - external interface (external subnet)
+    - management interface (management subnet)
+    - internal interface (internal subnet)
+-  1 x Ubuntu Linux 18.04 External Jump Server
+    - interface connected to external subnet
+-  1 x Ubuntu Linux 18.04 Internal LAMP Server
+    - interface connected to internal subnet
+
+A network diagram of the lab:
+
+|lab-diag|

docs/waf2025/module1/lab1.rst

@@ -0,0 +1,63 @@
+Lab 1 – Introduction to the Juice Shop
+--------------------------------------
+
+Objective
+~~~~~~~~~
+
+- Navigate the site
+
+- Create an account
+
+- Make a purchase
+
+
+Task – Navigate the Juice Shop Site
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To access the site navigating to the ``Components`` tab and using the ``Access`` dropdown in the ``F5-AdvWAF-v17.1`` box under the ``F5 Products`` column click on the ``JUICESHOP_VS`` option.
+
+    .. image:: ../images/udf_juice_shop_link.png
+
+A new browser tab should pop open and the Juice Shop should load
+
+    .. image:: ../images/udf_juice_shop.png
+
+
+Task – Create an Account on the Juice Shop Site
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You will notice that as you click on each product you can't add the product to a basket. You will need to create an account to add products to the basket and make a purchase. Please use fake information for the login credentials. Click on the ``Account`` link and the ``Login`` in the top right of the page.
+
+    .. image:: ../images/udf_juice_shop_account.png
+
+Then click on the ``Not yet a customer`` link
+
+    .. image:: ../images/udf_juice_shop_signup.png
+
+Complete the registration and log in with your new username and password.
+
+
+Task – Make a Purchase
+~~~~~~~~~~~~~~~~~~~~~~
+
+Click on any product and add it to you basket then click on ``Your Basket`` in the top right of the page.
+
+    .. image:: ../images/juice_shop_basket.png
+
+Click ``Checkout`` and create a new shipping address making sure to use fake information again.
+
+Select the new address and click the ``Continue`` button.
+
+    .. image:: ../images/juice_shop_address.png
+
+Choose any of the delivery options and click the ``Continue`` button.
+
+    .. image:: ../images/juice_shop_delivery.png
+
+Add a new (fake) credit card (use ``1111111111111111`` for the credit card number), select it and click the ``Continue`` button.
+
+    .. image:: ../images/juice_shop_cc.png
+
+Then click ``Place your order and pay``
+
+    .. image:: ../images/juice_shop_pay.png    

docs/waf2025/module1/lab2.rst

@@ -0,0 +1,83 @@
+Lab 2 – Hacking the Juice Shop
+------------------------------
+
+Objective
+~~~~~~~~~
+
+- Demonstrate the vulnerabilities in the Juice Shop web application.
+
+- Demonstrate a cross site scripting (XSS) vulnerability.
+
+- Demonstrate a SQL injection vulnerability.
+
+- Demonstrate a privilege escalation vulnerability.
+
+- Demonstrate an unauthorized file access.
+
+Task – Demonstrate a cross site scripting (XSS) vulnerability
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This hack we will cause a simple reflected XSS attack on the Juice Shop application by compromising a parameter value in the URL. First go to **Account** in the upper right corner, then to **Orders and Payment**, select **Order History**.
+
+.. image:: ../images/mod1lab2-xss-orderhistory.png
+
+Click on the truck. This will take you to an expected delivery page with search results. Carefully look at the URI and notice that it is not encoded or using a trusted html link for the parameter value. 
+
+
+.. image:: ../images/mod1lab2-xss-uricompare.png
+
+Paste the following code after **yourhost.access.udf.f5.com/#/track-result?id=** in the URI. 
+
+.. code-block:: none
+    
+    <iframe src="javascript:alert(`data all over this screen that wasnt planned`)">
+
+The full URL will look like this after encoding is done by the browser. Dont paste this code below into the browser. This is meant for reference since you will have a different host. 
+
+.. code-block:: none
+    
+    https://ea06dc66-bfd7-4aa2-a99c-72137fd3ea1a.access.udf.f5.com/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60data%20all%20over%20this%20screen%20that%20wasnt%20planned%60)%22%3E
+
+
+
+.. image:: ../images/mod1lab2-xss-uricompare2.png
+
+Task – Demonstrate a SQL injection vulnerability
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Paste the following path in your browser's location bar after the FQDN of the Juice Shop:
+
+
+.. code-block:: none
+   
+    /rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--
+
+The location bar should look something like (don't copy this since your FQDN will be different):
+
+.. code-block:: none
+
+    https://ba3eff45-2f23-49ab-8122-2e3bdc1ed9ad.access.udf.f5.com/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--
+
+The result should be a list of all the users in the database including their hashed passwords.
+
+.. image:: ../images/juice_shop_users.png
+
+
+Task - Demonstrate a privilege escalation vulnerability
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use a rainbow lookup table to expose the admin user's password by navigating to https://crackstation.net/ and entering the hash
+
+
+.. image:: ../images/juice_shop_crackstation.png
+
+
+Task - Demonstrate an unauthorized file access vulnerability
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Navigate to /encryptionkeys to expose an unwanted directory listing
+
+.. image:: ../images/juice_shop_encryptionkeys.png
+
+Click on the file ``premium.key`` and attempt to download it.
+
+The files in this directory can be downloaded. A good WAF policy should block access to sensitive file types.

docs/waf2025/module1/module1.rst

@@ -0,0 +1,10 @@
+Module 1 - Intro and Hacking the Juice Shop Web Application
+===========================================================
+
+In this module you will get to know the Juice Shop web Application and use your web browser to launch successful attacks.
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   lab*

docs/waf2025/module2/lab1.rst

@@ -0,0 +1,83 @@
+Lab 1 - Use the Secure Guided Configuration to Build a WAF Policy
+------------------------------------------------------------------------
+Objective
+~~~~~~~~~~~~~~~~
+
+- Log into the BIG-IP
+
+- Create a blocking policy using the guided configuration utiliy
+
+- Apply the security policy to an existing virtual server
+
+- Apply a security logging profile to the virtiual server
+
+Create security policy using the Guided Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. On your UDF page, go to your BIG-IP component, click the **Access** drop down menu and choose **TMUI** (traffic management user interface).  This is a link to your configuration utility.  
+
+    .. image:: ../images/bigiplogin.png
+
+#. Login to the BIG-IP with the ever so secure credentails of Username  ``admin`` and Password ``f5demos4u!``.  
+
+#. On the Main tab to your left, select **Security > Guided Configuration**. This opens the Guided Configuration screen.
+
+    .. image:: ../images/webappbutton.png
+
+#. Click on the **Web Application Protection** template button.
+
+    .. image:: ../images/webapptemplate.png
+
+#. The guided configuration now provides an overview of what will be configured. Click the  **Next** button.
+
+#. Give your configuration the name ``juice_shop_waf`` this will also name your security policy.
+
+#. Under **Select Enforcement Mode** select **Blocking**
+
+    .. Note:: Typically you would deploy a new policy in a transparent mode so you can observe the logs before blocking to help avoid false positives.  But come on....this is a lab.  We are going to block stuff!  
+
+#. Click on **Show Advanced Settings** button in the upper right hand corner of your page.
+
+    .. image:: ../images/advanced2.png
+
+#. Under **Server Technologies** add the following to the selected window.  Adding these technologies will assist in building a more precise policy.
+
+    - AngularJS
+    - Express.js
+    - JavaScript
+    - JQuery
+    - MongoDB
+    - Node.js
+    - SQLite
+
+#. Press the **Save & Next** Button below.  
+
+    .. image:: ../images/servertechnologies.png
+
+    .. Note:: We are adding these technologies since we know what the application is using.  There is also a feature that can be turned on that can allow the policy to learn these technologies.
+
+#. Check off **Assign Policy to Virtual Server**, under **Virtual Server** choose **Use Existing**, and move the Juice_Shop_VS to the selected window.  Press **Save & Next**
+
+    .. image:: ../images/addvs1.png
+
+#. The next page will summarize the objects and policy configuration.  Review, and take note that you can also go back and edit if required.  When done click **Deploy** at the bottom of the screen.  It will take a few moments to complete the policy build.
+
+    .. image:: ../images/ready_to_deploy.png
+
+#. Click Finish on the next screen.
+
+#.  After the policy is created, we will want to apply a logging profile to our new security policy.
+
+    - Go to **Securirty -> Overview -> Summary**, and the policy you just created should be listed. 
+    - Place a check to the left of the **Virtual Server** name that your new security policy is applied to.  
+    - Now click the blue **Attach** button above and select **Logging Profile**
+
+    .. image:: ../images/attachlogging1.png
+
+    - Select **Log illegal requests** and press the other **Attach** button below.
+
+    .. image:: ../images/attachlogging2.png
+
+    - You will now see the logging profile is added under the Application Security column.  
+
+#.  You now have an active application security policy that is learning, staging, and logging protections against the ``Juice_Shop`` virtual server.  

docs/waf2025/module2/lab2.rst

@@ -0,0 +1,59 @@
+Lab 2 – Discover the OWASP Dashboard
+-------------------------------------------------------
+Objective
+~~~~~~~~~~~~~~~~
+
+**BIG-IP 17.1 includes updates to the OWASP Compliance Dashboard bringing the list of controls in line with the 2021 top 10 list.**
+
+
+- Open up and view the OWASP Compliance Dashboard
+
+- Apply some basic attack signatures using the Dashboard
+
+- Disable the staging of the security policy
+
+Discover and learn to operate the Dashboard
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. On the Main tab, click **Security -> Overview -> OWASP Compliance**. This opens the OWASP Dashboard.  Highlight your new policy ``juice_shop_waf``.  You will see that your score is 0/10 for securing against the OWASP top 10.  Though you will see partial % scores for some.
+    .. image:: ../images/list.png
+
+#. Click on the expand arrow next to **A3 Injection**.  This will display the attack signature types and required protections you need to secure yourself against this risk.
+
+    .. image:: ../images/A3list.png
+
+#. Notice that each signature type shows the number of signatures in **Staging/Enforced/Total**.  Just because signatures are enabled, it does not mean they are enforced. Now let's enforce some signatures.
+
+#. On that same screen in the OWASP Dashboard, hover your pointer over **SQL-Injection** and select the **checkmark**.  Also hover over **Server Side Code Injection** and select the **checkmark**.  These checkmarks apply the protections to the policy.  Notice your potential A1 Injection protection % increased.
+
+    .. Note::  In the dashboard, if you see the checkmark available, it will enforce any protections required to be compliant for that vector.
+
+    .. image:: ../images/A3checked.png
+
+#. Press the blue **Review & Update** button below.  On the pop up window press the blue **Save & Apply Policy** button.  
+
+    .. Note:: While all attack signatures in this policy are in staging, we just used the OWASP dashboard to directly enforce (skip staging) those 2 categories.  This would be a typical approach to secure an application immediatly against a certain catagory of injection attacks.  These attack types are now blocked, while staging (learning and alarming) the rest of the attack categories.  
+
+#. Now for the sake of expediting the policy blocking malicious traffic, we will turn off signature staging. This will simulate a user waiting out the default 7 days of staging your attack signatures.
+
+    - Go to **Security -> Application Security -> Policy Building -> Learning and Blocking Settings**
+    - Make sure you select the **juice_shop_waf** policy at the top.
+        .. image:: ../images/pol_build.png
+    - Expand **Attack Signatures**
+    - Uncheck the box next to **Enable Signature Staging**
+    - Press **Save** at the bottom or the top right of that screen.
+    - Press **Apply Policy** button at the top right corner of your screen
+
+    .. Note:: For those of you looking for the attack signature list, you may have now noticed the location of attack signatures has changed in the most recent release. 
+
+    .. image:: ../images/disablestagingv2.png
+
+#. Go back to your OWASP Dashboard **Security -> Overview -> OWASP Compliance**.  Select your policy ``juice_shop_waf``..  You can now see a lot more OWASP protections now.
+
+    .. image:: ../images/list_dis_stage.png
+
+    .. Note:: When we disabled the staging, we represented a user waiting out the enforcement readiness period.  We basically just time traveled to the future!!  https://youtu.be/8qrriKcwvlY
+
+#. Congratulations!  You now have a protected app, and you have visibility into how well you are protected against the OWASP Top 10.  In the following labs we will work to get you even more protection against the OWASP Top 10.
+
+    .. Note:: While working towards the goal of applying more security, each use-case is different and the dashboard may not always be at 100% in all categories.  The dashboard gives you a visual guide and documentation of progress towards OWASP Compliance with each technical security policy change as well as corporate governance.