
17 de septiembre de 2018

Windows Buffer Overflow Example



I'm learning these days how to exploit Buffer Overflow vulnerabilities and how to find them. I think the best way to learn about Buffer Overflow is to exploit these vulnerabilities in a laboratory by ourselves. Therefore, I've installed a vulnerable server on a Windows machine along with Immunity Debugger and the Mona plugin. I've also installed a Kali Linux machine, which has been the attacker machine. This is the laboratory I've deployed to test a simple buffer overflow vulnerability, which you can check in the next video.


Firstly, I've scanned the vulnerable server with Nmap to check whether the POP3 service is open. I've also tested a simple script that sends 3000 'A's to the vulnerable server. We can see that the program crashes and that the ESP register points to a buffer full of 'A's (0x41 in hex). However, we have to find the exact offset at which EIP is overwritten, so I've sent a unique pattern to the vulnerable server through the malicious script and looked up the value that landed in EIP. Once I've controlled the EIP register, we have to know which bytes cause problems in the vulnerable server, such as truncation caused by the bad characters \x00, \x0a and \x0d. The next challenge is to locate a JMP ESP instruction in memory and put its address into EIP. Finally, I've created a payload with the msfvenom tool and added it to the script, which gives us a Windows reverse shell.

Regards my friends. This has been an amazing demo for understanding how Buffer Overflow works. I recommend you do it yourselves.

10 de septiembre de 2018

Buffer Overflow Attack



I remember when I was at university and I studied the "Computer Introduction" and "Operating Systems" subjects. I learnt about registers and how computers use them. I learnt about assembly language. I learnt about little-endian and big-endian. When I was studying these subjects, I just wanted to pass my exams. However, I now realise this knowledge is useful to discover vulnerabilities. It's also useful to understand attacks such as Buffer Overflow attacks. This knowledge, which I learnt 14 years ago, is still useful and it is the basis of new vulnerabilities and attacks.

If we want to understand how Buffer Overflow attacks work, firstly, we have to understand how memory is segmented and organised; secondly, what the registers are and what they are used for; and lastly, how attackers take advantage of Buffer Overflow vulnerabilities to take control of computers. With this knowledge, we will be ready to discover this kind of vulnerability and to develop exploits. However, this is not easy because there are different CPU architectures to take into account and there are more and more security protections, such as ASLR or DEP.


On x86, the memory of a process is usually drawn from the highest address to the lowest: the stack lives at high addresses and grows towards lower addresses, while the program code (the text segment) sits at low addresses. The 32-bit x86 architecture has 8 general-purpose registers that store data and addresses pointing to other locations in memory. The most important registers for Buffer Overflow attacks are ESP, EBP and EIP. The first one, ESP, tells us where on the stack we are: it always marks the top of the stack. The second one, EBP, points to the base of the current stack frame, so local variables and function arguments are addressed relative to it. Finally, EIP contains the address of the next instruction to execute, so in normal operation it always points into the code segment; making it point somewhere else is the attacker's goal.


When we develop applications, we can use functions like strcpy, gets, scanf and others. If we call these functions without checking the length of the input against the size of the destination buffer, the program can write past the end of the buffer. For instance, if the input is longer than the buffer, it overwrites whatever follows the buffer on the stack, including the saved return address; when the function returns, that value is loaded into EIP. Normally the program crashes at that point, because EIP now holds garbage (0x41414141 if the input was all 'A's) and the CPU faults when it tries to fetch the next instruction from an address that isn't mapped.


What does an attacker do to exploit a Buffer Overflow vulnerability? Actually, the attacker overwrites the saved return address with the address of code he controls. In other words, the attacker overflows the buffer so that the value which ends up in EIP points to the shellcode.

 
However, a Buffer Overflow attack is not so simple. There are some problems. First, we don't know the exact offset within our input at which the saved return address (the future EIP) is overwritten. Second, we have to know where our payload lands; after the crash ESP usually points to the rest of our buffer, but that address can change between runs, so we can't hardcode it. Third, some byte values are mangled or truncated by the target (typical bad characters are \x00, \x0a and \x0d), and they must appear neither in the address we write into EIP nor in the shellcode. Of course, these problems can be solved. The first one is solved by sending a unique, non-repeating pattern and looking up the position, within the original string, of the 4 bytes that show up in EIP. The second one is solved with a debugger: we confirm that ESP points into our buffer and we look for a JMP ESP instruction at a fixed address, i.e. in a module that is not subject to ASLR, and write that address into EIP. The last one is solved by sending all the byte values from 0x00 to 0xFF after the offset and comparing memory with the debugger: where a bad character is sent, the string in memory is truncated or altered right at that byte, revealing it. This should be repeated, excluding each bad character found, because one bad character can hide the ones after it.
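As an added example (not the script from these posts), here is a small Python module that re-implements the three helpers this workflow relies on: a cyclic pattern and offset lookup in the style of Metasploit's pattern_create/pattern_offset, a bad-character byte array with the comparison mona does against a memory dump, and the final buffer layout with the JMP ESP address packed little-endian. The EIP value 0x39654138, the JMP ESP address 0x12345678, the truncated "memory dump" and the INT3 shellcode used in the demo are constructed placeholders, not values from any real binary.

```python
"""Helpers for the classic stack-overflow workflow: cyclic pattern / offset,
bad-character detection, and building the final buffer.  Added example, not
the original post's exploit script."""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the Metasploit pattern_create style (Aa0Aa1Aa2...).
    Every 4-byte window is unique, so the value found in EIP maps to one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern too long for a three-character cycle")


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the bytes that overwrote EIP.  The debugger shows EIP as a
    32-bit integer; on x86 it was loaded little-endian from the stack."""
    needle = struct.pack("<I", eip)
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("EIP value not found in pattern")
    return offset


def badchar_buffer(exclude=(0x00,)) -> bytes:
    """Every byte value 0x01..0xFF except those already known to be bad."""
    return bytes(b for b in range(0x01, 0x100) if b not in exclude)


def find_bad_char(sent: bytes, dump: bytes):
    """Compare what was sent with what the debugger shows in memory.
    Returns the first byte that was truncated or mangled, or None."""
    for i, b in enumerate(sent):
        if i >= len(dump) or dump[i] != b:
            return b
    return None


def build_exploit(offset: int, jmp_esp: int, shellcode: bytes,
                  bad: bytes, total: int = 3000) -> bytes:
    """Junk up to the offset, the JMP ESP address (little-endian), a short NOP
    sled, the shellcode, then padding so the buffer keeps a constant size."""
    ret = struct.pack("<I", jmp_esp)
    for b in ret + shellcode:
        if b in bad:
            raise ValueError(f"bad character {b:#04x} in address or payload")
    buf = b"A" * offset + ret + b"\x90" * 16 + shellcode
    if len(buf) > total:
        raise ValueError("payload does not fit in the buffer")
    return buf + b"C" * (total - len(buf))


if __name__ == "__main__":
    pattern = pattern_create(3000)
    # Placeholder: suppose the debugger showed EIP = 0x39654138 after the crash.
    offset = pattern_offset(pattern, 0x39654138)
    print("EIP offset:", offset)
    sent = badchar_buffer(exclude=(0x00,))
    # Constructed memory dump: the server truncated the buffer at \x0a.
    dump = sent[:sent.index(0x0a)]
    print("first bad char: %#04x" % find_bad_char(sent, dump))
    # Placeholder JMP ESP address and shellcode (msfvenom output would go here).
    exploit = build_exploit(offset, 0x12345678, b"\xcc" * 4, b"\x00\x0a\x0d")
    print(len(exploit), "bytes, EIP bytes:", exploit[offset:offset + 4].hex())
```

The send itself is left out on purpose: the buffer goes on the wire with a normal socket call, and the only thing that changes between iterations is which of these helpers produced it.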

Regards my friends. Maybe this is a very technical post. I've skipped many details. I'll try to make a video.

3 de septiembre de 2018

I’ve been reading ...



I'm back from holiday. This is my first post of the new season. I want to start by writing about reading books. Six years ago I opened this blog, where I write weekly, and I think writing is important to organise ideas and improve writing skills. However, today I want to write about reading books. I think it's the best way to learn new techniques, concepts and ideas. It's the best way to get knowledge from others. Therefore, I'm going to tell you what books I've been reading this summer. I'm sorry, none of them are tech books.

At the beginning of the summer I read "Aprendiendo de los mejores" by Francisco Alcaide. It's a book where Francisco has collected quotes and comments from important people such as Steve Jobs, Bill Gates or Amancio Ortega, among others. We can read about their lifestyles and their thoughts and discover that patience, persistence and discipline have been the qualities that made them successful. I think this is an excellent book for getting motivated, because you can easily realise that success is built step by step and that happiness is a feeling that should be present throughout the process.


I've also read "Thinking, Fast and Slow" by Daniel Kahneman this summer. This is a book for understanding how the mind works. He explains that human beings have two modes of thinking. One is fast, intuitive and emotional. It is called System 1. This system helps us make decisions faster, based on intuition, which can sometimes be helpful and beneficial but can also be harmful, because there are some things which should be thought through slowly. We use System 1 while we are walking, driving the car or even speaking. System 1 is used for routine activities. On the other hand, we also have a mode of thinking which is slower, more deliberative and more logical. It is called System 2. This system helps us make logical decisions based on arguments, which is often useful for making the right decision. However, this system is slower because it requires a lot of mental effort, and human beings by nature don't like making efforts, so we prefer to use System 1 instead of System 2 most of the time. I'm using System 2 right now to write in English, and it's also used for maths calculations or learning new skills.


The last book, which I hope to finish this week, is "Factfulness" by Hans Rosling. This is a book where we can see the progress of the world. We can see that most countries are getting better. Most people around the world live better than before. Hans Rosling shows lots of data sets from the United Nations (UN) where we can see that, although there are still countries living in poverty, most countries are making progress in health, democracy and human rights.


These are the books I've been reading this summer. I recommend them. The first one to get motivated. The second one to understand how the mind works when we make decisions. The last one to know that things are better than we think.

I really love reading. Quietly. Reading in my room. Nobody disturbing me. I think it's the best way to get knowledge from others. I hope to keep reading for a long time.

Regards my friends. I hope these books are interesting for you. Keep reading.

30 de julio de 2018

Six years ago ...



Writing is very difficult. We have to think deeply to know what we want to say. We have to organise our thoughts and decide how many paragraphs we are going to write about something. I have already been writing for six years and it is still difficult for me. I have to admit that writing this post is easier than the first one, but the words and sentences are still hard to find in my head to say what I want to say. This was the aim of creating this blog: writing, writing and writing to improve my writing skill, because it was too difficult for me when I was studying English and I had to take the writing exam.

Six years ago I decided to write about tech things. Particularly, I decided to write about security and networks. Since then, I have written weekly about what I'm learning, what I'm reading or what I'm doing in my job. This is going to be my last post before going on holiday, so I want to write about what I have been doing in the last year, which has been full of experiences and technologies.

This year I've learnt new technologies such as AWS Cloud and Web Application Firewalls: I created my virtual data center in Amazon Web Services with AWS Elastic Load Balancing, AWS Shield & AWS WAF and Amazon CloudFront. With regard to WAFs, I deployed several F5 BIG-IP WAFs, where I clearly learnt the difference between a WAF and an IPS, and I ended up getting the F5 BIG-IP ASM Certified Technology Specialist certification. In fact, I had to deploy F5 BIG-IP DNS for data center load balancing as well.

What has been demanding, but delightful at the same time, has been the Ethical Hacking course and the security courses on networks and systems, where my students learnt how to create a backdoor for Android systems, make their own malicious WhatsApp, as well as make apps safer with HTTP Security Policy. It was demanding because I was also studying French at the Official School of Languages and I had to do my homework, such as the Video Selfie in French or talking about Sophie Germain. However, it was delightful because I learnt a lot about security and I passed the A2 level in French.

In the meantime, I've been reading about security, economics and psychology, with books such as "No Place to Hide" and "Thinking, Fast and Slow". I've also been studying Computer Forensics and I've had time to go to ForoCIBER 2018, where I solved the CyberSecurity Challenge.

An overview of the most widely read posts in the last six years:

Posts

With regard to where the blog is visited from, we can see the statistics:

Posts by countries

Last but not least, I would like to thank those who read this blog and support me, because they are the main reason why I have already written 292 posts with almost 225,000 views. If someone has something to say to improve this blog, it is welcome.

Regards my friends and I hope to see you again back in September after a great holiday.

23 de julio de 2018

Risk assessments for GDPR compliance




When I was studying for the CISA and CISM certifications, I read a lot about Business Impact Analysis and the Risk Management Process. That was cool because Ariadnex was ISO 27001 compliant and I had to help them to be ready for this kind of process. Today, we also have to be GDPR compliant, as all EU citizens have new rights over their personal data under the GDPR. This is a good opportunity to reinforce my knowledge about risk assessments, because they are essential for the new regulation.

All businesses have to comply with the GDPR because most of them process personal data of their employees for salaries, benefits and social security. Most of them also have a recruitment process or they evaluate their employees. There are also companies which store and process lots of personal data for advertising campaigns, or which process sensitive data, as the health sector does. Therefore, there is personal data processing everywhere, and these businesses have to comply with the new regulation.

The first step towards compliance is to know what personal data the company is processing, because we'll have to define and design the processing operations of personal data as well as the processing purposes. Once this is done, we can use tools such as Facilita, which tells us what we have to do with our personal data processing. If we don't have much personal data and the risk level is low, maybe we only have to do some paperwork and buy some tech stuff.

Workflow for GDPR compliance

However, if we have a lot of personal data or sensitive data, we should assess the processing to identify potential effects on individuals' privacy and personal data. Therefore, we have to know whether a basic risk assessment is enough for the company or whether a Data Protection Impact Assessment (DPIA) will be necessary. A DPIA is an exhaustive process that goes hand in hand with privacy by design, where projects are designed with data protection in mind from the beginning.

If the company doesn't carry out high-risk personal data processing, we'll have to do a basic risk assessment. This risk assessment will have to take into account the loss of integrity, availability and confidentiality of personal data, and it will also have to take into account the rights and freedoms of individuals. However, this risk assessment doesn't need to be exhaustive; an essential one is enough, where only critical risks are considered, such as unauthorised access, unintentional loss or lack of procedures.

Finally, if the company carries out high-risk personal data processing, we'll have to do an exhaustive risk assessment through the DPIA process, where we evaluate the impact and the probability of occurrence of each threat to determine the level of risk of each personal data processing activity. I know, it is demanding work, but it is mandatory for GDPR compliance.

Regards my friends and remember protecting your data!!

16 de julio de 2018

A2 level in French language



Last summer I wrote about passing the French A1 level, because I had started learning a new language, French, at the Official School of Languages and I passed the A1 exam. Those were my beginnings in French, although I had already studied some French at high school. As a result, my wish for 2018 was to keep studying French, and I've just successfully passed the A2 level. I feel happy to be able to move on to the next level, B1, because it means I'm improving my French.


I got 9.5 in listening, which is very good. I mean, it's amazing! I think I got it because I've done a lot of listening exercises. Almost five listening exercises a week since I started the course. They are online at apprendre.tv5monde.com. Besides, I've listened to France Info radio live from time to time. While I'm working, while I'm taking a shower or while I'm at the gym, I can listen to the radio in French. All of this has been enough to get a good mark in listening.

Speaking is the most difficult skill from my point of view, because students have to speak about a topic for a few minutes but don't have much time to think about it. Therefore, students have to improvise and work out what they want to say. I got 8 in speaking, which is also very good. I've been speaking alone at home with Vaughan Bonjour! and I've also been speaking French with schoolmates, which has allowed me to improve my speaking. In addition, I think the Video Selfie in French, my talk about the mathematician, physicist and French philosopher Sophie Germain, and the talk about La région Île de France have helped me to get this good mark.

I think reading is the easiest skill because, although you don't understand the whole document, you can work out what you are reading from the context. I really love reading. Therefore, I've read three books in French during this course. I still read books for beginners, which means books with basic vocabulary and simple grammatical sentences, but I hope to get more and more vocabulary and more complex grammar in the coming years so I can read more interesting books.

Finally, I have to admit that writing is not easy. Although I usually write in this blog, writing is not easy even for me, because you have to think about what you are going to write as well as how you are going to organise the text: how many paragraphs you are going to write, which tense you are going to use for the story, the letter, the email or whatever. There are many things to think about and decide before writing the first letter. However, I got 9 in writing, which is also a very good mark.

To sum up, I've been studying for the whole course and I've finished with very good marks. Thanks to my teacher, thanks to my schoolmates and thanks to my supporters.

Regards my friends and keep studying!!

9 de julio de 2018

F5 ASM - Denial of Service (DoS) Mitigation



From time to time I talk about DoS attack techniques and methods with workmates and customers, and when we speak about it, most of them always think about DDoS attacks where a botnet floods the targeted server and consumes excessive bandwidth. However, we shouldn't forget that an attacker can also make services unavailable just by requesting expensive URLs. Therefore, it isn't necessary to have lots of resources, or a botnet, to make a service unavailable, because it can also be accomplished with a simple DoS attack.

Mainly, there are three DoS attack categories: volumetric attacks, computational attacks and application attacks. Firstly, volumetric attacks, like UDP floods or amplification DDoS attacks, are the best known DoS attacks. Secondly, computational attacks, like SYN floods, are less known than volumetric attacks; here attackers want to exhaust resources such as firewall session tables. Finally, application attacks, like HTTP floods, are easy to execute with DoS tools such as LOIC or slowloris. However, these last attacks are little known by companies, and most of them don't even know how to mitigate them or which mitigation tools are on the market.

DoS Attacks Categories

When we are mitigating DoS attacks, it's important to classify malicious traffic and legitimate traffic well, because the mitigation process could also block legitimate users when DoS mitigation tools are not well configured. In addition, DoS attacks are increasingly sophisticated and targeted, they are delivered over SSL/TLS as well, and they are aimed at servers and applications. As a result, behavioural analytics, very fast automated detection and comprehensive protection are required for a good mitigation strategy.

F5 BIG-IP WAF is also able to detect and block DoS attacks. We can watch in the next video how I configure a DoS profile to detect and block attacks based on TPS (transactions per second). When the iMacros bot requests two transactions per second, the DoS profile blocks the requests and the DoS attack is stopped. In addition, the video shows how to block DoS attacks with a CAPTCHA challenge, to find out whether the client in front of the web server is a bot or a human being. Last but not least, DoS reports are very important to know what's going on and what happened to the services.

  
Regards my friends and don’t forget to protect your services.

2 de julio de 2018

F5 BIG-IP ASM Certified Technology Specialist



As you will have realised, I'm writing a lot about load balancers lately. In fact, I've written 10 posts about F5 BIG-IP since April. This is because my F5 Certified BIG-IP Administrator (F5-CA) certification is going to expire soon. Therefore, I was thinking about how to renew this certification and what the best option was for my job, my skills and my knowledge. Finally, I chose to study for the 303 – BIG-IP ASM Specialist v2 exam for the recertification process, because I had already worked with Web Application Firewalls.

Two years ago, I studied for 101 - Application Delivery Fundamentals and 201 - TMOS Administration. I passed the exams with scores of 86 and 73 respectively. This is the entry-level certification for F5 BIG-IP. Once I got the F5-CA certification, I could register for the F5 Certified Technology Specialist (F5-CTS) certification, where I could choose between LTM, DNS, ASM or APM. However, if I wanted to pass the F5 Certified Solution Expert (F5-CSE), I would first have to achieve all the CTS levels.

F5 Certification Program

I think the 303 – ASM Specialist exam is the best option for my recertification because I've already worked with Web Application Firewalls. In fact, I've had to talk about the ASM module and show its features in marketing campaigns, and I've delivered training courses and deployed demos and appliances for production environments. In addition, I've also worked with other vendors' products, such as AWS WAF or Fortinet FortiWeb. For this reason, my knowledge about WAFs is not limited to F5.

What have I been studying for the exam? First, I took the Getting Started with BIG-IP ASM course from F5 University. Next, I was lucky enough to take a training course in ASM and I did all the labs twice. I've also read the book I got from the training course as well as the BIG-IP ASM Operation Guide. Finally, I've read the OWASP Top 10 carefully to know and understand the most critical security risks to web applications.

Although BIG-IP v13.1 has already been released, the BIG-IP ASM exam is still based on the older version 12.1, which is nice for people who have already worked with ASM but undesirable for newbies who are learning about ASM for the first time, because there have been some changes in the new version and, probably, they are going to deploy, configure and manage the latest version, v13.1, in the future. It's also important to highlight that the passing score is 57%, which is the lowest passing score for an F5-CTS. This is great!!

Exam descriptions and study materials
 
If you want to take the plunge and go for this certification, I would recommend you read the following posts:
Regards my friends and keep studying!!

25 de junio de 2018

F5 BIG-IP ASM - Brute Force and Web Scraping



Today I want to write about two mitigation mechanisms that, I think, are not used enough in enterprises. First, brute force attacks can be stopped easily with the free tool fail2ban, but we can also use WAF appliances to block this kind of attack. Second, web scraping attacks can also be stopped easily with WAF appliances, but most IT engineers don't know it and, therefore, their web sites are not protected from competitors. These are two attacks that we can mitigate with F5 BIG-IP ASM.

Brute force attacks are attempts to discover credentials to break into services such as web services, file services or mail services. For example, malicious users and bots may be interested in getting into secure areas and, as a result, they'll need to discover legitimate credentials. How does F5 ASM protect web sites against brute force attacks? We have to define a login page, for instance user_login.php, and, thereafter, we have to apply brute force protection to the security policy to decide what to do when a brute force attack is detected. We can watch the configuration in the next video:


Web scraping attacks are automated attacks whose aim is to obtain large amounts of data from web sites by extracting it directly from the HTML: prices for price tracking, directory listings to get leads and marketing information, images, financial information, etc. How does F5 ASM protect companies against web scraping attacks? We have to enable Bot Detection and, thereafter, configure the interval and period used to detect bots. For example, if a client loads 30 different pages in 30 seconds, that is unusual and the client will be classified as a bot. We can watch the configuration in the next video:
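To make both thresholds concrete, the TPS-based DoS profile from the post above ("F5 ASM - Denial of Service (DoS) Mitigation") and the "30 different pages in 30 seconds" bot-detection rule from this one, here is an added Python example that runs the two checks over constructed access-log lines. It is not F5 code: the log format (Apache/nginx "combined"), the client addresses, the thresholds and the simple per-second and sliding-window counters are assumptions, and the real ASM algorithms are more elaborate (they also consider latency, fingerprints and so on).

```python
"""Threshold-based detection for two behaviours discussed in these posts:
a per-client transactions-per-second limit (DoS profile) and an
'N distinct pages in M seconds' web-scraping heuristic (bot detection).
Added example over constructed log lines; thresholds and log format are
assumptions, not F5 ASM internals."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})')


def parse_line(line):
    """-> (client_ip, unix_time, path), or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"]


class ClientMonitor:
    def __init__(self, tps_limit=2, scrape_pages=30, scrape_window=30.0):
        self.tps_limit = tps_limit            # requests per second allowed per client
        self.scrape_pages = scrape_pages      # distinct pages ...
        self.scrape_window = scrape_window    # ... seen within this many seconds
        self.per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> hits
        self.recent = defaultdict(deque)                         # ip -> (ts, path)

    def observe(self, ip, ts, path):
        """Feed one request; return the violation names it triggers (maybe none)."""
        violations = []
        counts = self.per_second[ip]
        counts[int(ts)] += 1
        if counts[int(ts)] > self.tps_limit:
            violations.append("tps_exceeded")
        window = self.recent[ip]
        window.append((ts, path))
        while window and ts - window[0][0] > self.scrape_window:
            window.popleft()                  # drop requests older than the window
        if len({p for _, p in window}) >= self.scrape_pages:
            violations.append("web_scraping")
        return violations


def analyze(log_text, **thresholds):
    """-> {client_ip: set_of_violation_names} for every client that tripped a rule."""
    monitor = ClientMonitor(**thresholds)
    verdicts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            verdicts[rec[0]].update(monitor.observe(*rec))
    return {ip: v for ip, v in verdicts.items() if v}


def _log_line(ip, when, path):
    return (f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


def make_sample_log():
    """Constructed traffic, not a real capture: a scraper walking 40 product
    pages one per second, a flooder hitting one URL 5 times in one second,
    and an ordinary visitor reading three pages over a minute."""
    base = datetime(2018, 7, 9, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_log_line("10.0.0.5", base + timedelta(seconds=n), f"/product/{n}")
             for n in range(40)]
    lines += [_log_line("10.0.0.7", base, "/search") for _ in range(5)]
    lines += [_log_line("10.0.0.9", base + timedelta(seconds=20 * n), p)
              for n, p in enumerate(["/", "/about", "/contact"])]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, found in sorted(analyze(make_sample_log()).items()):
        print(ip, sorted(found))
```

Note the difference between the two rules: the TPS check fires on raw request rate regardless of what is requested, while the scraping check only fires when the pages are distinct, so a client reloading one page quickly trips the first but not the second.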


However, sometimes we may also want to deny access by country because we are detecting too many attacks coming from a specific country. Of course, if we don't have customers or potential customers in that country, we'll be able to deny traffic from the "malicious" country. In addition, we'll also be able to deny traffic from anonymous proxies. How does F5 ASM protect web applications by geolocation? It is easy. We define disallowed and allowed locations in the security policy. That's all! We can watch the configuration in the next video:


Regards my friends and drop me a line with the first thing that comes to mind.

18 de junio de 2018

WAF - Login Enforcement & Session Tracking



Associating usernames and sessions with application violations provides in-depth blocking and visibility, which is useful for understanding attacks and for forensics. In addition, if we are able to identify devices for every visitor across multiple IPs and sessions, we'll increase precision in blocking malicious activity. Therefore, these kinds of techniques help us identify and block suspicious clients and headless browsers, as well as mitigate client-side malware.

The first video this week is about Login URL Enforcement, which is a mechanism for preventing forceful browsing to restricted parts of the web application. By defining a required URL (i.e. the login page), the user must pass through it in order to access a certain target URL. This mechanism uses ASM cookies, which are session cookies, to keep information about the prerequisite URL that was accessed successfully. We'll watch how to create a Login Page and how to configure Login Enforcement in the next video.


The second video is about Session Awareness and how to configure violation detection actions. In fact, we'll configure ASM to log all requests from a session once a threshold is reached. However, session awareness can also mitigate session hijacking attacks, which occur when an attacker is able to steal the session information of an authenticated user. Session hijacking prevention is based on fingerprinting, where the client is identified from its screen resolution, time and time zone data, browser attributes such as platform, version, installed plugins, etc. Therefore, in the next video we'll watch how to enable session awareness and how to log all requests once a violation is detected.
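The two mechanisms in this post, login URL enforcement and "log all requests from the session after N violations", reduce to a small piece of per-session state. Here is an added Python example (not BIG-IP code) that models both: the login URL, the protected URL prefixes and the threshold are assumptions taken from the post, the session id stands in for the ASM session cookie, and the `login_ok` flag stands in for the response check ASM performs on the login page (expected status or string).

```python
"""Login URL enforcement (forceful-browsing prevention) and session-awareness
logging, modelled on the two ASM features described above.  Added example
with assumed URLs and thresholds, not the BIG-IP implementation."""
from collections import defaultdict


class SessionPolicy:
    def __init__(self, login_url="/user_login.php",
                 protected=("/account", "/admin"), violation_threshold=3):
        self.login_url = login_url
        self.protected = tuple(protected)     # URL prefixes reachable only after login
        self.threshold = violation_threshold  # violations before "log all requests"
        self.passed_login = set()             # sessions that completed the prerequisite
        self.violations = defaultdict(int)    # session -> violation count
        self.captured = defaultdict(list)     # session -> requests logged after threshold

    def handle(self, session_id, method, url, login_ok=False):
        """Return 'allow' or 'block' for one request.  Only a successful POST
        to the login URL marks the session as having passed through it."""
        if url == self.login_url:
            if method == "POST" and login_ok:
                self.passed_login.add(session_id)
            decision = "allow"
        elif url.startswith(self.protected) and session_id not in self.passed_login:
            self.violations[session_id] += 1  # login enforcement violation
            decision = "block"
        else:
            decision = "allow"
        if self.violations[session_id] >= self.threshold:
            # Session awareness: once the threshold is hit, record everything
            # this session does, blocked or not, for later forensics.
            self.captured[session_id].append((method, url, decision))
        return decision


if __name__ == "__main__":
    policy = SessionPolicy(violation_threshold=2)
    # Constructed sequence: a client skips the login page twice, then browses.
    for step in [("s1", "GET", "/admin"), ("s1", "GET", "/account"),
                 ("s1", "GET", "/index.php"),
                 ("s1", "POST", "/user_login.php"), ("s1", "GET", "/admin")]:
        print(step, "->", policy.handle(*step, login_ok=step[1] == "POST"))
    print("captured for s1:", policy.captured["s1"])
```

Two points worth keeping in mind when configuring the real thing: the prerequisite must be a *successful* login response, not merely a visit to the login URL, and the capture should include allowed requests too, since that is what makes the log useful for reconstructing what the session did after it started misbehaving.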


Regards my friends and drop me a line if you configure Login Enforcement and Session Tracking in your security policy.

11 de junio de 2018

F5 BIG-IP ASM - Parameter Tampering Attacks



Cookie tampering attacks, HTTP header tampering attacks and parameter tampering attacks can't be blocked by traditional firewalls. Instead, we should deploy a Web Application Firewall (WAF) where we can configure a positive security policy that only allows known file types, URLs and parameters. If we configure a security policy in learning mode with Add All Entities, we'll have granular protection of entities and much stronger security, but the maintenance effort will be high. It's up to you what level of protection you need.

I would like to show how we can configure a policy for protecting static parameters. It's important to highlight that security engineers will have to work along with developers to understand the web application logic, because it will be necessary to know the number of parameters, their types and their values as well. We can watch in the next video that the "payment" parameter is static and has four allowed values; when the "payment" value is not one of the configured values, the request is blocked.


I would also like to show how we can configure a policy for protecting dynamic parameters. It's similar to protecting static parameters, but dynamic means we don't know the value in advance. Therefore, we have to define dynamic parameter extraction properties, which depend on how the web application handles parameter name/value pairs. For instance, we can configure extractions that search in links, in response bodies, in entire forms, within forms or even in XML files. We can watch in the next video that the "nick" parameter is dynamic and is extracted from "index.php" by searching the entire form.
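Here is an added Python example (not ASM code) showing the logic behind both checks: a static parameter with an explicit value list, and a dynamic parameter whose only acceptable value is the one the server itself put into the form it sent to that client. The parameter names "payment" and "nick" come from the post; the four payment values, the sample index.php HTML and the per-session tracking are assumptions.

```python
"""Positive-security parameter checks: a static parameter with an allowed
value list, and a dynamic parameter whose value is extracted from the form
the server returned to the same client.  Added example; names, values and
the sample HTML are assumptions."""
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed response to index.php: the server issues nick=alice to this client.
SAMPLE_INDEX_HTML = """<html><body>
<form action="profile.php" method="post">
<input type="hidden" name="nick" value="alice">
<input type="submit" value="Save">
</form></body></html>"""


class _FormValues(HTMLParser):
    """Collect name=value pairs of <input> elements found inside <form> tags."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.values = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            self.values[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


class ParameterPolicy:
    def __init__(self, static, dynamic):
        self.static = {k: set(v) for k, v in static.items()}  # name -> allowed values
        self.dynamic = set(dynamic)                          # names extracted per session
        self.expected = {}                                   # (session, name) -> value

    def learn_from_response(self, session_id, html):
        """Run on the response body (e.g. index.php) and remember the dynamic
        values the server issued to this client; 'search entire form' extraction."""
        parser = _FormValues()
        parser.feed(html)
        for name in self.dynamic:
            if name in parser.values:
                self.expected[(session_id, name)] = parser.values[name]

    def check_request(self, session_id, query):
        """Return the violations found in a query string or form body."""
        violations = []
        for name, vals in parse_qs(query, keep_blank_values=True).items():
            for value in vals:
                if name in self.static and value not in self.static[name]:
                    violations.append(f"illegal static value {name}={value}")
                elif name in self.dynamic and \
                        self.expected.get((session_id, name)) != value:
                    violations.append(f"illegal dynamic value {name}={value}")
        return violations


if __name__ == "__main__":
    policy = ParameterPolicy(static={"payment": ["card", "paypal", "transfer", "cash"]},
                             dynamic=["nick"])
    policy.learn_from_response("s1", SAMPLE_INDEX_HTML)
    for q in ["payment=card", "payment=free", "nick=alice&payment=paypal", "nick=admin"]:
        print(q, "->", policy.check_request("s1", q) or "ok")
```

The dynamic check is what defeats the classic "change the hidden field" attack: a value is only accepted if it matches what this particular client was handed, so a value copied from another user's form, or a second session, is rejected as well.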


Regards my friends and drop me a line if you want to configure advanced parameter handling in your security policy.

4 de junio de 2018

La région Île de France



Good evening. Here is my presentation. I'm going to talk about the historic and tourist routes in the Île-de-France region. I chose this topic because I really like hiking. I love walking in the forests and I also love visiting gardens and châteaux.

So, we're going to look at four routes: la route historique des maisons d'écrivains, la route Normandie-Vexin, la route François 1er, and le parcours des impressionnistes. Here we can see the Île-de-France region in the north of France.

La route historique des maisons d'écrivain (the historic route of writers' houses)

The first route is called la route historique des maisons d'écrivain, where thirteen famous writers wrote books. We'll see big houses and pleasant châteaux too. The route starts in Paris and ends in Rouen. We'll hike along the river Seine, where there are beautiful, very calm landscapes.

For example, Elsa lived here with her husband, whose name is Aragon. Elsa is a woman of Russian origin, with Jewish parents, who wrote more than 25 books. Maurice lived here, in this château where he wrote romantic poems.

La route Normandie-Vexin

The second route is called la route Normandie-Vexin, which is similar to la route historique des maisons d'écrivains because it starts in Paris and ends in Rouen. The river Seine also runs alongside the route. It is a very long route, about 200 km, where you can visit gardens and 15th-century châteaux.

For example, on la route Normandie-Vexin you can see Claude Monet's gardens and house, where he painted his pictures. Here there is a bridge in his garden with lots of flowers. In the photo on the right you can see a 15th-century château. It is called the château de Gaillon, which he used as a summer residence and later as a prison. Today it is a historic monument.

La route François 1er

The third route is called la route François 1er, where King François 1er had residences near Paris and in wildlife reserves, where he lived close to Paris and very quietly in the forest.

For example, to the south-east, the royal château de Fontainebleau, which was François 1er's favourite residence. To the south-west, the château de Rambouillet, where François 1er died and which today is the summer residence of the Presidents of the Republic.

Le parcours des Impressionnistes (the Impressionists' trail)

The last route is le parcours des impressionnistes, where you can see paintings near Paris and on the Île de la Jatte.

For example, Monet painted at la Grande Jatte and Van Gogh painted The Seine with the Pont de la Grande Jatte. These paintings are in the museum, but you can also see a replica on the Île de la Jatte.

Thank you very much!!

28 de mayo de 2018

F5 ASM – Cookie and HTTP Header Tampering



Many web applications set cookies for user tracking, shopping cart functionality and other reasons related to the user experience. These cookies have to be secured because, if they are not properly protected, an attacker could steal or modify them to get unauthorised access or make unrequested purchases. Today, Web Application Firewalls (WAFs) help us secure cookies by adding cookie attributes such as Secure, HttpOnly, Domain and Path, Expires and Max-Age, etc. WAFs are also able to sign cookies, which is useful to protect web applications from attacks like cookie tampering or HTTP request header tampering.

Next, we can watch a video where there is a web application vulnerable to Cookie Tampering. First, I have modified the cookie and sent it to the web application successfully. Afterwards, I have protected the web application from Cookie Tampering attacks with F5 BIG-IP ASM. Finally, cookie tampering attacks are unsuccessful because ASM blocks modified cookies which have been enforced and signed by the WAF security policy. Therefore, it is a good idea to know which cookies the web application uses, in order to enforce those which should not be modified on the client side.
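To make the cookie-signing idea concrete, here is an added example of how a gateway can sign a server-set cookie with an HMAC, attach the hardening attributes named above, and reject a request whose enforced cookie no longer verifies. This is illustrative code written for this post, not BIG-IP ASM's own signing scheme or API; the key, cookie names and values are constructed.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for the example; a real WAF manages this key itself.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def sign_cookie_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return '<value>.<base64url(HMAC-SHA256(key, value))>'."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}.{tag}"


def verify_cookie_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no signature at all: treated as tampered
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    expected = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def build_set_cookie(name: str, value: str, domain: str,
                     path: str = "/", max_age: int = 3600) -> str:
    """Emit a Set-Cookie value carrying the signed value and the hardening attributes."""
    c = SimpleCookie()
    c[name] = sign_cookie_value(value)
    c[name]["secure"] = True      # only over HTTPS
    c[name]["httponly"] = True    # not readable from script
    c[name]["domain"] = domain
    c[name]["path"] = path
    c[name]["max-age"] = max_age
    return c[name].OutputString()


def check_request_cookies(cookie_header: str, enforced: set):
    """Validate an incoming Cookie header.

    Cookies listed in `enforced` must carry a valid signature; any other cookie
    is passed through untouched. Returns (accepted values, violation messages).
    """
    c = SimpleCookie()
    c.load(cookie_header)
    accepted, violations = {}, []
    for name, morsel in c.items():
        if name in enforced:
            value = verify_cookie_value(morsel.value)
            if value is None:
                violations.append(f"Modified ASM cookie: {name}")
                continue
            accepted[name] = value
        else:
            accepted[name] = morsel.value
    return accepted, violations


if __name__ == "__main__":
    print(build_set_cookie("total", "1000", "shop.example"))
    good = sign_cookie_value("1000")
    tampered = "1" + good[len("1000"):]   # client rewrites the price, keeps the tag
    print(check_request_cookies(f"total={good}; theme=dark", {"total"}))
    print(check_request_cookies(f"total={tampered}; theme=dark", {"total"}))
```

The point the video makes is visible in the last two calls: the unmodified cookie is accepted, while the rewritten one fails verification and produces a violation, exactly the behaviour a WAF enforces once a cookie has been marked as enforced and signed.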


Next, there is another video where the web application is also vulnerable to HTTP Request Header Tampering. First, I have modified the Referer HTTP header to take advantage of the Shellshock vulnerability, which is not blocked. Afterwards, I have enforced the attack signatures “bash Shellshock execution attempt” and “/bin execution attempt”. Finally, HTTP Request Header Tampering attacks are unsuccessful because ASM detects the malicious strings used to exploit the Shellshock vulnerability in the Referer HTTP header. Therefore, it is a good idea to enforce attack signatures in the WAF security policy.
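As an added illustration of what "enforcing an attack signature" means in practice, the following example parses a raw HTTP request, runs a small signature set over the request line, every header and the body, and returns a block decision. The two signature names are the ones the post mentions; the regular expressions, the parser and the constructed requests are this example's own and are not F5's signature definitions or ASM code.

```python
import re

# Constructed signatures named after the two the post enforces. The patterns are
# simplified stand-ins: the first looks for the bash function-definition prefix
# that Shellshock abuses, the second for a path under /bin.
SIGNATURES = [
    ("bash Shellshock execution attempt", re.compile(r"\(\)\s*\{[^}]*\}\s*;")),
    ("/bin execution attempt", re.compile(r"/bin/\w+")),
]


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def match_signatures(request_line: str, headers: dict, body: str):
    """Return a list of (signature name, location) for every match."""
    locations = [("request line", request_line)]
    locations += [(f"header {name}", value) for name, value in headers.items()]
    locations.append(("body", body))
    findings = []
    for location, text in locations:
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                findings.append((name, location))
    return findings


def inspect(raw: str):
    """Blocking decision: any signature match blocks the request."""
    findings = match_signatures(*parse_request(raw))
    return bool(findings), findings


# Constructed requests. The first carries the Shellshock marker in Referer, as in
# the video; the second is an ordinary request with a normal Referer.
MALICIOUS_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Referer: () { :; }; /bin/echo shellshock-test\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Referer: https://shop.example/cart\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(inspect(MALICIOUS_REQUEST))
    print(inspect(BENIGN_REQUEST))
```

Because every header is scanned and not only Referer, the same check would fire if the marker were moved to User-Agent or Cookie, which is the reason the post recommends enforcing signatures at the policy level rather than guarding one header.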


To sum up, we can use a WAF to protect web applications from Cookie Tampering and HTTP Request Header Tampering, attacks which are difficult to block with a traditional network firewall. In this post, we have seen that a manual security policy with Selective learning for cookies, together with attack signatures enforced in the WAF security policy, is the best configuration to block sophisticated attacks which try to take advantage of cookies and other HTTP headers to get into web applications.

Regards my friends. Keep reading and keep studying!!

21 May 2018

F5 BIG-IP ASM – Positive Security Policy



I wrote about Policy Tuning and Violations last week, where I created a Negative Security Policy, named Rapid Deployment Policy (RDP), to protect web applications from attacks. This kind of policy is useful to protect web applications from known attacks. However, this week I want to write about Positive Security Policies, where I am going to create a security policy manually to customize and accept which file types, URLs and parameters will be used by my web application. This kind of policy is more difficult and complex to configure than a Negative Security Policy, but it is able to defeat sophisticated and complex threats better.

When we configure a security policy manually, we can choose Never (Wildcard Only), Selective or Add All Entities as the learning mode for file types, URLs and parameters. For instance, if we choose Add All Entities, we will have a comprehensive whitelist policy that includes ALL of the website's entities. Add All Entities forms a large set of security policy entities, which produces a granular object-level configuration and a high security level. However, it may take more time to maintain such a policy.


On the other hand, the Never (Wildcard Only) option is the easiest security policy to manage because many application objects share the same security settings, driven from the global or wildcard level. In addition, when false positives occur, the system suggests relaxing the settings of the wildcard entity, which may result in overall relaxed application security. From my point of view, this is a good option for URL entities because most applications have lots of URLs which are difficult to manage from a security policy.


The third learning option is Selective, which offers intermediate protection between Never (Wildcard Only) and Add All Entities. With this option, when false positives occur, the system adds (or suggests adding) an explicit entity with relaxed settings that avoids the false positive. In other words, Selective mode is suitable for applications containing entities which use similar or identical attributes; if some of the entities need special handling, the policy can be expanded to include explicit entities just for those outliers. Therefore, this option serves as a good balance between security, policy size, and ease of maintenance.


To sum up, if we want a comprehensive security policy to defeat sophisticated and complex threats, we will have to configure a positive security policy, along with a negative security policy, choosing among the Add All Entities, Selective and Never (Wildcard Only) options for file types, URLs and parameters. However, we always have to take into account that the Add All Entities mode is time-consuming but offers highly granular protection of entities, while the Never (Wildcard Only) mode is easy to manage but offers low protection of entities.
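The difference between the three learning modes is easiest to see on a toy model, so here is an added example (written for this post, not F5's data model or ASM code) of a positive policy for URL entities: a wildcard entity holds the shared settings, explicit entities override it, and a false positive is "learned" differently depending on the mode. The violation labels are constructed to resemble ASM's, and the URLs and limits are invented.

```python
from dataclasses import dataclass, field, replace

# Constructed per-entity settings. The wildcard entity "*" supplies the defaults
# that every URL without an explicit entity inherits.
@dataclass(frozen=True)
class UrlSettings:
    max_query_length: int = 64
    allowed_methods: frozenset = frozenset({"GET"})


@dataclass
class Policy:
    # Learning mode: "never" (wildcard only), "selective" or "add_all".
    mode: str = "selective"
    urls: dict = field(default_factory=lambda: {"*": UrlSettings()})

    def settings_for(self, url: str) -> UrlSettings:
        """Explicit entity if one exists, otherwise the wildcard settings."""
        return self.urls.get(url, self.urls["*"])


def check(policy: Policy, method: str, url: str, query: str):
    """Evaluate one request against the policy; return the list of violations."""
    settings = policy.settings_for(url)
    violations = []
    # In Add All Entities mode every URL must be explicitly whitelisted.
    if policy.mode == "add_all" and url not in policy.urls:
        violations.append("Illegal URL")
    if method not in settings.allowed_methods:
        violations.append("Illegal method")
    if len(query) > settings.max_query_length:
        violations.append("Illegal query string length")
    return violations


def learn_false_positive(policy: Policy, url: str, **relaxed) -> Policy:
    """Apply the learning suggestion for a false positive seen on `url`.

    Never (Wildcard Only): the wildcard itself is relaxed, so every URL without
    an explicit entity becomes more permissive. Selective and Add All Entities:
    an explicit entity with the relaxed settings is added for this URL only.
    """
    if policy.mode == "never":
        policy.urls["*"] = replace(policy.urls["*"], **relaxed)
    else:
        policy.urls[url] = replace(policy.settings_for(url), **relaxed)
    return policy


if __name__ == "__main__":
    long_query = "q=" + "a" * 200   # legitimately long search query (constructed)

    never = learn_false_positive(Policy(mode="never"), "/search", max_query_length=256)
    print("never  /login :", check(never, "GET", "/login", long_query))     # relaxed too

    sel = learn_false_positive(Policy(mode="selective"), "/search", max_query_length=256)
    print("select /search:", check(sel, "GET", "/search", long_query))      # accepted
    print("select /login :", check(sel, "GET", "/login", long_query))       # still limited

    add_all = Policy(mode="add_all")
    add_all.urls["/login"] = UrlSettings(allowed_methods=frozenset({"GET", "POST"}))
    print("addall /login :", check(add_all, "POST", "/login", "u=x"))
    print("addall /other :", check(add_all, "GET", "/other", ""))           # Illegal URL
```

Run it and the trade-off in the post appears directly: after one false positive, the Never mode has loosened the query-length limit for /login as well, Selective has loosened it for /search alone, and Add All Entities rejects any URL nobody added to the policy.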


Regards my friends. Keep reading and keep studying!!