F5 Customer Demo

ASM – Blocking Cross-Site Scripting Attacks


Document version 13.0.A
Written for: TMOS® Architecture v13.0
Virtual images:
BIGIP_ASM_v13.0
LAMP_6
Windows_7_External_v8y

The purpose of this demo is to show how to create an ASM security policy that will protect a web application
against cross-site scripting attacks. You’ll start by showing several cross-site scripting attacks on a vulnerable
web site. You’ll then create a security policy using the Rapid Deployment policy template. You’ll then show the
same attacks being blocked by the ASM security policy. Finally, you’ll show the ASM logs to view the attack
signatures that were detected by ASM.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.


Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 2/26/2018


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 2 – Delivering the Demo to a Customer


This demo does not include a “Part 1” setup; you can begin with the clean_install_BIGIP_ASM_v13.0.ucs
archive file.

• Required virtual images: BIGIP_ASM_v13.0, LAMP_6, Windows_7_External


• Required archive file: clean_install_BIGIP_ASM_v13.0.ucs
• Estimated completion time: 15 minutes

BEFORE THE DEMO – Restore the BIG-IP Configuration


Restore the clean install archive file.

• In VMware, start up the BIGIP_ASM_v13.0, LAMP_6, and Windows_7_External images.


• On the Windows_7_External desktop, use putty to access and log into 10.1.1.245.
• At the CLI type:
    tmsh
    load sys ucs clean_install_BIGIP_ASM_v13.0.ucs no-license
    y

NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

Demo Task 1 – Attack a Vulnerable Web Site


Use a web browser to access the dvwa_virtual and attempt several cross-site scripting attacks.

• Open an InPrivate Browsing window (IE) and click the DVWA bookmark.

• Attempt to log in using the following:


Username: ";!--"<BOBUSER>=&{()}
Password: password
Although the login failed, the request was not blocked, which means the web site is vulnerable to cross-site
scripting.
• Log in as hacker / hackyou.
• Click XSS reflected, then copy and paste the following into the field and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>
We’re redirected to a different web site.

• Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and
paste the following Message, and then click Sign Guestbook.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code. The user is presented with an alert dialog box.
Using cross-site scripting, a hacker could add anything that JavaScript can do into the field.
• Create another entry named iFrame, then copy and paste the following Message, then
click Sign Guestbook, and then scroll down the page.
<iframe src="https://www.f5.com" width="600" height="500"></iframe>
The hacker used an iframe to display a different web site on this web page. All users will see this page
when they access this comments page.
• Create another guestbook entry named Encoding, then copy and paste the following Message, then
click Sign Guestbook, and then scroll down the page.
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

The contents of this attack are encoded, designed to bypass security measures. Cross-site scripting is
a powerful exploit because a hacker can insert any form of script code into the database.
• Click Setup, then click Create / Reset Database, and then click Logout.

Demo Task 2 – Create a Security Policy


Create a security policy for dvwa_virtual.

• In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains
the default http profile. An HTTP profile is required to protect against application layer attacks.
• Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
• Select the Advanced options.

• Use the following information for the new policy, and then click Create Policy.
    Policy Name:        xss_security_policy
    Policy Template:    Rapid Deployment Policy
    Virtual Server:     dvwa_virtual
    Enforcement Mode:   Blocking
    Signature Staging:  Disabled

Demo Task 3 – Re-Attempt to Attack the DVWA Web Site


We will re-access the DVWA web site and try the same cross-site scripting attacks that we performed a few
moments ago.

• In the DVWA page, attempt to log in using the following:


Username: '';!--"<BOBUSER>=&{()}
Password: password
The malicious request is blocked by the ASM security policy.
• Click the DVWA bookmark, then log in as hacker / hackyou, then click XSS reflected, then copy and paste
the following into the field and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>

• Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and
paste the following Message, and then click Sign Guestbook.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

• Click the DVWA bookmark, then click XSS stored, then create an entry named iFrame, then copy and
paste the following Message, and then click Sign Guestbook.
<iframe src="https://www.f5.com" width="600" height="500"></iframe>
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

• Click the DVWA bookmark, then click XSS stored, then create a guestbook entry named Encoding, then
copy and paste the following Message, and then click Sign Guestbook.
%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

With this easy-to-configure security policy, all of the web application's user input fields are now
protected against cross-site scripting attacks.

Demo Task 4 – View the ASM Event Log


View the ASM event log to identify why the attacks were blocked.

• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Note the number of blocked entries.
• Select the /login.php log entry.
• Click Attack signature detected.

We can view the different attack signatures that were detected, the actual parameter that was
attacked (username), and the value that was input by the malicious user.
• Examine the attack type.
This was identified as a Cross Site Scripting (XSS) attack.
• Click on the triangle icon after Cross Site Scripting (XSS).

ASM provides a description of the attack type.


• Select the /vulnerabilities/xss_r/ and the first two /vulnerabilities/xss_s/ log entries, and then view the
different attack signatures that were detected.
• Select the last /vulnerabilities/xss_s/ log entry, and then examine the Decoded Request tab.
ASM was able to decode the request and then identify that there were detected attack signatures
within the request.
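The following Python script is an added example, not F5 or DVWA code, that mimics the two steps this demo relies on (in Task 1 the "Encoding" message is described as encoded to bypass security measures, and in Task 4 ASM's Decoded Request tab shows the same message decoded before signatures were matched). It URL-decodes each request parameter and then runs a small signature set over the decoded value, so you can see that the encoded guestbook message trips nothing until it is decoded. The signature regexes, function names and the DVWA parameter names (username, name, txtName, mtxMessage) are my own assumptions; only the payload strings come from the demo, and the bounded repeat-decoding loop goes beyond what the demo shows by also unwrapping doubly encoded input.

```python
"""Toy request inspector: decode parameters, then match attack signatures.

Added example, not F5 or DVWA code. The signature set, the function names
and the parameter names below are constructed; the payloads are the ones
used in this demo.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed stand-in for an attack-signature database: (name, pattern).
# Real ASM signatures are far more numerous and precise than these four.
SIGNATURES = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("iframe tag", re.compile(r"<\s*iframe\b", re.I)),
    ("javascript location redirect", re.compile(r"window\.location", re.I)),
    ("html tag injection", re.compile(r"<\w+>")),
]
ATTACK_TYPE = "Cross Site Scripting (XSS)"


def decode_parameter(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded).

    One pass handles the demo's %3c%73... message; repeating the pass also
    unwraps doubly encoded input, which goes beyond what the demo shows.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_signatures(value: str) -> list[str]:
    """Names of every signature whose pattern occurs in value."""
    return [name for name, pattern in SIGNATURES if pattern.search(value)]


def inspect_request(path: str, params: dict[str, str]) -> dict:
    """Return a log-entry-like record for one request.

    Each parameter is decoded before matching; the request counts as
    blocked as soon as any parameter trips at least one signature.
    """
    findings = {}
    for name, raw in params.items():
        decoded = decode_parameter(raw)
        hits = match_signatures(decoded)
        if hits:
            findings[name] = {
                "decoded": decoded,
                "signatures": hits,
                "attack_type": ATTACK_TYPE,
            }
    return {"path": path, "blocked": bool(findings), "findings": findings}


# The demo's encoded guestbook message ("Encoding" entry), joined onto one
# string; only the split into chunks is mine.
ENCODED_MESSAGE = (
    "%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20"
    "%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63"
    "%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61"
    "%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74"
    "%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22"
    "%3b%7d%3c%2f%73%63%72%69%70%74%3e"
)

# Constructed requests mirroring the demo's steps; parameter names assumed.
DEMO_REQUESTS = [
    ("/login.php", {"username": '";!--"<BOBUSER>=&{()}', "password": "password"}),
    ("/vulnerabilities/xss_r/",
     {"name": '<script>window.location="http://www.hackthissite.org"</script>'}),
    ("/vulnerabilities/xss_s/",
     {"txtName": "Popup",
      "mtxMessage": '<script>alert("Your system is infected! '
                    'Call 999-888-7777 for help.")</script>'}),
    ("/vulnerabilities/xss_s/",
     {"txtName": "Encoding", "mtxMessage": ENCODED_MESSAGE}),
]

if __name__ == "__main__":
    for path, params in DEMO_REQUESTS:
        entry = inspect_request(path, params)
        print(path, "BLOCKED" if entry["blocked"] else "allowed")
        for pname, info in entry["findings"].items():
            print("  parameter:", pname, "->", ", ".join(info["signatures"]))
    # Without the decode step the encoded message matches nothing at all.
    print("raw encoded matches:", match_signatures(ENCODED_MESSAGE))
```

Running the script prints one line per demo request with the parameter that was matched, just as the Requests log identifies the username parameter on /login.php; the final line shows an empty match list for the raw encoded message, which is the gap the Decoded Request step closes.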

That concludes this demonstration on using BIG-IP ASM to block cross-site scripting attacks.
