
F5 Customer Demo

ASM – Protecting Against Cookie Modification


Document version 13.0.A
Written for: TMOS® Architecture v13.0
Virtual images:
BIGIP_ASM_v13.0
LAMP_6
Windows_7_External_v8

The purpose of this demo is to show how an ASM security policy can protect a web application from
malicious cookie modification. You’ll first show how to modify a cookie value using Burp, and then show the
results in the ASM event log. You’ll then enforce the cookie entities and attempt the cookie modification again,
this time getting blocked.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.
Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 1/31/2018


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.


Part 1 – Preparing the Demo Environment


• Required virtual images: BIGIP_ASM_v13.0, LAMP_6, Windows_7_External
• Estimated completion time: 10 minutes

Task 1 – Create a Security Policy


Create a security policy for dvwa_virtual.

• In VMware, start up the BIGIP_ASM_v13.0, LAMP_6, and Windows_7_External images.
• On the Windows_7_External desktop, use putty to access and log into 10.1.1.245.
• At the CLI type:
tmsh
load sys ucs clean_install_BIGIP_ASM_v13.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

If you do not have the BIGIP_ASM_v13.0 image or the clean_install_BIGIP_ASM_v13.0.ucs
archive file, complete the vLab Setup – ASM Demos and Exercises.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

→NOTE: This exercise uses a macro that is already created on the Windows_7_External_v8
image. You should download that image before running this demo.

• Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
• Select the Advanced options.
• Use the following information for the new policy, and then click Create Policy.
Policy Name: cookies_security_policy
Policy Template: Comprehensive
Virtual Server: dvwa_virtual
Application Language: Unicode (utf-8)
Trusted IP Addresses: 10.1.10.0 / 255.255.255.0 (Click Add)

WWFE vLab Guides – Demo: ASM – Protecting Against Cookie Modification; v13.0.A Page | 3

Task 2 – Use iMacros for Firefox to Generate Traffic for Building a Security
Policy
Use iMacros for Firefox to run a macro that will generate valid user traffic for building a security policy.

• Use Firefox to open a New private window.
• Click the iMacros button, and in the iMacros pane select cookies build.iim, and then click Play (Loop).
This macro simulates several legal requests by a user.
• Once the macro has completed, close Firefox.
• In the Configuration Utility, open the Application Security > Headers > Cookies List page.
• Ensure you have two cookies, JSESSIONID and security, and that they are both in staging.
• Open the Application Security > Policy Building > Learning and Blocking Settings page.
• From the Learning Mode list select Disabled and then click OK, then click Save, then click Apply Policy
and then OK.
• Create an archive file named demo_asm_cookies_v13.0.


Part 2 – Delivering the Demo to a Customer


• Required virtual images: BIGIP_ASM_v13.0, LAMP_6, Windows_7_External
• Required archive file: demo_asm_cookies_v13.0.ucs
• Estimated completion time: 10 minutes

BEFORE THE DEMO – Restore the BIG-IP Configuration


Restore the archive file you created in Part 1.

• In VMware, start up the BIGIP_ASM_v13.0, LAMP_6, and Windows_7_External images.
• On the Windows_7_External desktop, use putty to access and log into 10.1.1.245.
• At the CLI type:
tmsh
load sys ucs demo_asm_cookies_v13.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

• On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
• Open Burp Suite (if prompted, don’t update Burp Suite).
• Click Next, and then click Start Burp.
• Select the Proxy tab.
Note that intercept is on.
• Click Intercept is on (the button should now read Intercept is off).
• Use Firefox to open a New private window, and then click the Firefox options button and select Options.
• Click Advanced, and then click Network.
• For Connection click Settings.
• Select the Manual proxy configuration option, then click OK.


Demo Task 1 – Examine the Existing Security Policy Behavior


Examine the settings and behavior of cookies_security_policy.

• In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains
the default http profile. An HTTP profile is required to protect against application layer attacks.
• Open the virtual server Security > Policies page.
This web application is already configured with an ASM security policy named
cookies_security_policy. I created this security policy before beginning the demo.
• In Firefox, click the DVWA bookmark, and then log in as gordonb / abc123.
• In Burp Suite click Intercept is off (the button should now read Intercept is on).
• In the DVWA page click Instructions, and then view the Burp Suite window.
You can now view and modify the request in Burp Suite before sending it to the web server.
• Change the security=low entry to security=hack.
• Click Forward until the Instructions page displays.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Clear the filter by clicking the X next to Illegal Requests.
• Select the /instructions.php log entry with a violation rating of 3.
• Click Modified domain cookie(s).

We can see the cookie that was modified and the value that it was modified to. Although this security
policy is in blocking mode, modifying cookies isn’t currently being blocked.


Demo Task 2 – Enforcing Cookie Settings


Enforce the cookies for cookies_security_policy, and then view the results.

• Open the Application Security > Headers > Cookies List page.
Notice the two cookies are still in staging. While they are in staging they are not enforced, meaning
that violations against them will not be blocked.
• Select the JSESSIONID and security checkboxes, and then click Enforce and then OK.
• Click Apply Policy and then OK.
• In Burp Suite click Intercept is on (the button should now read Intercept is off).
• In the DVWA page click Home.
• In Burp Suite click Intercept is off (the button should now read Intercept is on).
• In the DVWA page click Setup, and then view the Burp Suite window.
• Change both the JSESSIONID and security cookie values as follows:

• Click Forward.
The page is now blocked.
• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
• Select the /setup.php log entry, and click Modified domain cookie(s).
Cookie modification is now blocked for these two cookies.

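As an added illustration (not part of the F5 guide, and a deliberate simplification of how ASM itself tracks domain cookies), the following Python models the behaviour seen in Demo Tasks 1 and 2: cookies the application issues are learned in staging, a value that differs from what the server set raises a modified-domain-cookie violation, and only enforced cookies cause a block even though the policy is in blocking mode. The CookiePolicy class and the cookie values are constructed for this example.

```python
from http.cookies import SimpleCookie


class CookiePolicy:
    """Tracks domain cookies the application issued and checks later requests."""

    def __init__(self, blocking_mode=True):
        self.blocking_mode = blocking_mode  # the demo policy is in blocking mode
        self.state = {}    # cookie name -> "staging" or "enforced"
        self.issued = {}   # cookie name -> value last sent by the server

    def observe_response(self, set_cookie_headers):
        # Learn each Set-Cookie as a domain cookie; new entities start in staging.
        for header in set_cookie_headers:
            for name, morsel in SimpleCookie(header).items():
                self.state.setdefault(name, "staging")
                self.issued[name] = morsel.value

    def enforce(self, *names):
        # Equivalent of selecting the cookies and clicking Enforce in the Cookies List.
        for name in names:
            self.state[name] = "enforced"

    def inspect_request(self, cookie_header):
        # Raise a "modified domain cookie" violation for every value that differs from
        # what the server issued; block only when an enforced cookie is involved.
        violations = []
        for name, morsel in SimpleCookie(cookie_header).items():
            if name in self.issued and morsel.value != self.issued[name]:
                violations.append({"cookie": name, "state": self.state[name],
                                   "issued": self.issued[name], "seen": morsel.value})
        blocked = self.blocking_mode and any(v["state"] == "enforced" for v in violations)
        return {"violations": violations, "blocked": blocked}


def run_demo():
    # Constructed traffic mirroring the demo: the app sets JSESSIONID and security=low,
    # then a proxied request presents tampered values, first with the cookies in
    # staging (Demo Task 1) and again after they are enforced (Demo Task 2).
    policy = CookiePolicy()
    policy.observe_response(["JSESSIONID=sessionA; Path=/", "security=low; Path=/"])
    staged = policy.inspect_request("JSESSIONID=sessionA; security=hack")
    policy.enforce("JSESSIONID", "security")
    enforced = policy.inspect_request("JSESSIONID=sessionB; security=hack")
    return staged, enforced
```

The first inspection returns a logged-only violation on security, the second returns blocked=True with violations on both cookies, which is the difference the event log shows between the two tasks.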
That concludes this demonstration on protecting against cookie modification with BIG-IP ASM.

AFTER THE DEMO – Reset Firefox Settings


• Close Burp Suite.
• In Firefox click the Firefox options button and select Options.
• Click Advanced, and then click Network.
• For Connection click Settings.
• Select the No proxy option, then click OK, and then close the page.
