Happy New Year

This year, I want to tell you “Happy New Year” in a different way. In fact, I recorded a video to tell you all the things I’ve been doing in 2018. It’s difficult to say all the things in a video of 2 minutes but I’ve highlighted, I think, the most important things.

I was working with AWS at the beginning of the year where I deployed Amazon CloudFront, AWS Shield and AWS WAF. I also took several webinars about FortiSIEM and the new version of FortiOS 6.0 which, I think, are interesting for deploying this new year. The second prize I got for the CyberSecurity Challenge in Badajoz is also to remember.

I’ve also been working a lot with F5 Networks. I’ve installed, configured and supported the LTM, ASM and DNS modules. In fact, I’ve uploaded videos to my YouTube channel about how to protect services against Web Scraping and Brute Force attacks, DDoS and DoS, Cookie and HTTP Header Tampering, Parameter Tampering Attacks, Bot Protection, etc. Finally, I ended up for getting the F5 BIG-IP ASM Certified Technology Specialist.

I like languages. Therefore, I keep learning French language. I passed the A2 level in French language and this is my third year learning French. As you can see, I keep writing in English language in this blog and I’m used to reading and watch films in English language.

I’ve been reading books such as Thinking, Fast and Slow by Daniel Kahneman, Factfulness by Hans Rosling and The Art of Intrusion by Kevin Mitnick. I even read the National Cyber Strategy of the U.S. of America, the DoD Cyber Strategy of the U.S. of America and the review of the Cyberdefense Strategy of France which I read in French language.

To finish this year, I’ve been teaching Security on Networks and Systems in Mérida. What’s more, I’m going to teach about Ethical Hacking next year. I hope to see you!

 

That’s all! Keep learning! Keep studying!

Happy New Year!!

F5 BIG-IP ASM - Bot Protection

I’ve already written several posts about load balancers in this blog but, this year, I’ve been also writing about the Web Application Firewall (WAF) of F5 Networks because I’ve had to deploy, configure and support these devices during 2018. This is the main reason I passed the exam for BIG-IP ASM Specialist this summer and I’ve been recording videos about L7 DDoS Mitigation, CSRF Protection or XXE Protection. Today, I want to continue recording this kind of videos because, I think, they are useful for learning and testing attacks and defenses.

This post is about how to configure Bot Protection in F5 BIG-IP ASM because there are increasingly bots out there (Internet) and we should take into account the bots for Layer 7 DoS Mitigation and Web Scraping Mitigation. However, we have to know what bots we want to allow and what bots we want to block. For instance, it’s interesting to allow the Googlebot, which is used by the Google search engine, but it’s also interesting to block all DoS tools such as Apache Bench or slowhttptest, which can be malicious for the web page we are protecting with the WAF.

ab -c 10 -n 10 -r -H "User-Agent: Agilitybot" http://url_to_attack/

Apache Bench

You can watch in the next video how to configure Bot Protection in F5 BIG-IP ASM:

Regards my friend and remember, keep studying!!

F5 BIG-IP ASM - XXE Protection

I wrote about OWASP Top 10 last year where I described the new categories added in 2017. One of them is Insecure Deserialization, another category is Insufficient Logging and Monitoring, which can be got with Security Information and Event Management (SIEM) systems, and the last category added to OWASP is XML External Entity (XXE), which is the category I'm going to write about it today. These categories and the OWASP project were not into the University curriculum when I was studying. I think, it’s a pity because the OWASP project should be taken into account at University as best practices for secure software development.

XXE attack is an injection attack where the attacker inserts a malicious XML code to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks. For instance, we can insert an XML code to list the root directory of the file system or know the server’s hostname. Actually, this issue is not easy to detect by manual testers but SAST and DAST tools can discover and exploit an XXE vulnerability easily. Therefore, if you are working with XML and Web Services, you should also take into account XXE attacks.

XML External Entity (XXE) Attack

 

If you want to know how to test and mitigate a XXE attack, see the next video:

Regards my friend and remember, keep studying!!

F5 BIG-IP ASM - CSRF Protection

I think, the best way to learn about hacking and security is testing attacks and mitigating them. This is the methodology I follow in the Security courses on Networks and Systems I’m teaching these weeks. In addition, I like testing the laboratories before teaching to students because there are lots of kind of attacks and I think the best way to learn about how to block them is testing, testing and testing. Today, I’m going to write about how to exploit a CSRF vulnerability and how to mitigate it with a Web Application Firewall (WAF).

If you really want to learn about hacking and security, firstly, you have to deploy a laboratory with lots of technologies, such as IDS, HIDS, WIDS, network firewalls, WAFs, SIEMs; vulnerable servers like WebGoat; and hacking tools such as those which come with the Kali Linux operating system. Secondly, you must have lots of time to read and test because most the time you’ll have to learn by yourself. Finally, you should really love security. Today, I’ve used a Kali Linux with WebGoat as vulnerable server and a F5 BIG-IP ASM as WAF.

WebGoat

The Proof of Concept (PoC) that I have been testing today is a CSRF attack which is used when a malicious user wants to execute unauthorized commands from a user that the web application trusts. For instance, firstly, the victim has authenticated into the target website, such as a bank account website or a forum; secondly, the attacker sends a malicious link to fool victim to click; finally, if the victim clicks the malicious link, unauthorized commands are executed, such as transfers in the bank account or replies in the forum, which have happened underground. It’s important to highlight that XSS attacks exploit the trust a user has for a particular site while CSRF attacks exploit the trust a site has in a user’s browser.

CSRF Attack

 

If you want to know how to test and mitigate a CSRF attack, see the next video:

Regards my friend and remember, keep studying!!

F5 BIG-IP ASM - L7 DDoS Mitigation

This summer I was writing about F5 BIG-IP ASM. In fact, I made several videos where we can watch how we can configure the Web Application Firewall (WAF). For instance, I recorded videos about Session Based Brute Force Mitigation, Web Scraping Mitigation or Cookie Tampering. However, this week, I’ve made a new video about L7 DDoS Mitigation, which is useful for blocking DDoS attacks, but this video is different than Layer 7 DoS Mitigation due to the fact that this video takes into account that lots of computers can be behind the same IP address. Therefore, it’s able to block PCs regardless the IP address.

BIG-IP ASM has three mitigation methods to use on the attacking IP’s. The first mitigation method is Client Side Integrity Defense where PCs has a JavaScript challenge which should be resolved. If it’s not a bot, the browser will be able to resolve the challenge, and the F5 will considerate the PCs as legitimate. However, if the PCs won’t be able to resolve the challenge, requests will be blocked. The second mitigation method is a CAPTCHA challenge, where the user has to resolve the CAPTCHA challenge to access the website. The last mitigation method is Request Blocking where requests are blocked when a threshold is exceed.

Client Side Integrity Defense - Flow

The Client Side Integrity Defense method is useful to know if requests come from users or machines. However, once the DoS L7 attack starts, PCs have to resolve the JavaScript challenge, and this is a little bit computational demanding for PCs. You can notice this in the video. In addition, these mitigation methods can be configured with additional features such as Recording Traffic for automatic recording traffic during DoS attacks, or Trigger iRule for managing DoS events in a customized manner.

JavaScript Challenge

 

If you want to know what I’m writing about, see the next video:

Regards my friend and remember, keep studying!!