Ravello Demo - ASM - Blocking Cross-Site Scripting Attacks - V13.0.A


F5 Customer Demo

ASM – Blocking Cross-Site Scripting Attacks


Document version 13.0.A
Written for: TMOS® Architecture v13.0

Estimated Completion Time: 15 minutes

The purpose of this demo is to show how to create an ASM security policy that will protect a web application
against cross-site scripting attacks. You’ll start by showing several cross-site scripting attacks on a vulnerable
web site. You’ll then create a security policy using the Rapid Deployment policy template. You’ll then show the
same attacks being blocked by the ASM security policy. Finally, you’ll show the ASM logs to view the attack
signatures that were detected by ASM.

F5 Worldwide Field Enablement Last Updated: 2/12/2018


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
ASM Demo – Blocking Cross-Site Scripting Attacks

BEFORE THE DEMO – Access the Ravello Environment


Access the Ravello environment for the WWFE – ASM – v13.0 blueprint.

• Access https://ravellosystems.com and log in using the a492818 identity domain.
• Go to Library > Blueprints and search for WWFE - ASM.
• Select the most recent WWFE - ASM - v13 blueprint.
• Click Create Application.
• Append your name to the end of the application Name, and then click Create.
• Click Publish.
• Select the Performance tab, then select the best Location, select how long to run the application, and then click Publish.
• Once the application is published, copy the IP address of the Windows 7 External VM, and then use RDP to access the IP address.
• Log into the Windows workstation as external_user / P@ssw0rd!
• If necessary, update the Windows time:
  o Select the clock and click Change date and time settings…
  o Select the Internet Time tab, and then click Change settings…
  o Using time.windows.com click Update now, and then click OK twice.
• Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system.

→NOTE: This demo uses the preconfigured vulnerabilities_security_policy BIG-IP object.

Demo Task 1 – Attack a Vulnerable Web Site


Use a web browser to access the dvwa_virtual and attempt several cross-site scripting attacks.

• Open an InPrivate Browsing window (IE) and click the DVWA bookmark.
• Attempt to log in using the following:
  Username: '';!--"<BOBUSER>=&{()}
  Password: password
  Although the login failed, the request was not blocked, meaning the web site is vulnerable to cross-site scripting.
• Log in as hacker / hackyou.

WWFE Ravello Guides – Demo: ASM – Blocking Cross-Site Scripting Attacks; v13.0.A Page | 3
• Click XSS reflected, then copy and paste the following into the field and then click Submit.
  <script>window.location="http://www.hackthissite.org"</script>
  We’re redirected to a different web site.
• Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and paste the following Message, and then click Sign Guestbook.
  <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
  The information in the message field is JavaScript code. The user is presented with an alert dialog box. Using cross-site scripting, a hacker could add anything that JavaScript can do into the field.
• Create another entry named iFrame, then copy and paste the following Message, then click Sign Guestbook, and then scroll down the page.
  <iframe src="https://www.f5.com" width="600" height="500"></iframe>
  <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
  The hacker used an iframe to display a different web site on this web page. All users will see this page when they access this comments page.
• Create another guestbook entry named Encoding, then copy and paste the following Message, then click Sign Guestbook, and then scroll down the page.
  index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
  The contents of this attack are encoded, designed to bypass security measures. Cross-site scripting is a powerful exploit because a hacker can insert any form of script code into the database.
• Click Setup, then click Create / Reset Database, and then click Logout.

Demo Task 2 – Create a Security Policy


Create a security policy for dvwa_virtual.

• In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
  This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains the default http profile. An HTTP profile is required to protect against application layer attacks.
• Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
• Select the Advanced options.
• Use the following information for the new policy, and then click Create Policy.
  Policy Name:       xss_security_policy
  Policy Template:   Rapid Deployment Policy
  Virtual Server:    dvwa_virtual
  Enforcement Mode:  Blocking
  Signature Staging: Disabled


Demo Task 3 – Re-Attempt to Attack the DVWA Web Site


We will re-access the DVWA web site and try the same cross-site scripting attacks that we performed a few
moments ago.

• In the DVWA page, attempt to log in using the following:
  Username: '';!--"<BOBUSER>=&{()}
  Password: password
  The malicious request is blocked by the ASM security policy.
• Click the DVWA bookmark, then log in as hacker / hackyou, then click XSS reflected, then copy and paste the following into the field and then click Submit.
  <script>window.location="http://www.hackthissite.org"</script>
• Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and paste the following Message, and then click Sign Guestbook.
  <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
• Click the DVWA bookmark, then click XSS stored, then create an entry named iFrame, then copy and paste the following Message, and then click Sign Guestbook.
  <iframe src="https://www.f5.com" width="600" height="500"></iframe>
  <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
• Click the DVWA bookmark, then click XSS stored, then create a guestbook entry named Encoding, then copy and paste the following Message, and then click Sign Guestbook.
  %3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

With this easy-to-configure security policy, all of the web application's user input fields are now protected against cross-site scripting attacks.

Demo Task 4 – View the ASM Event Log


View the ASM event log to identify why the attacks were blocked.

• In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
  Note the number of blocked entries.
• Select the /login.php log entry.
• Click Attack signature detected.
  We can view the different attack signatures that were detected, the actual parameter that was attacked (username), and the value that was input by the malicious user.
• Examine the attack type.
  This was identified as a Cross Site Scripting (XSS) attack.
• Click on the triangle icon after Cross Site Scripting (XSS).
  ASM provides a description of the attack type.
• Select the /vulnerabilities/xss_r/ and the first two /vulnerabilities/xss_s/ log entries, and then view the different attack signatures that were detected.
• Select the last /vulnerabilities/xss_s/ log entry, and then examine the Decoded Request tab.
  ASM was able to decode the request and then identify the attack signatures within the request.
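To illustrate what the Decoded Request tab shows here, and why the encoded guestbook entry from Task 1 is meant to slip past checks that look only at the raw input, the following Python example is added for this guide; it is not part of the F5 demo or of ASM. It percent-decodes a parameter value before matching it against a small illustrative signature set (the patterns are stand-ins, not F5's signature definitions, and the parameter names are placeholders), and it repeats the decode so that double-encoded input is also normalized, which goes one step beyond the single decode the demo displays.

```python
import re
from urllib.parse import unquote

# Illustrative stand-ins for WAF attack signatures (not F5's definitions).
SIGNATURES = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.I),
    "js_redirect": re.compile(r"window\s*\.\s*(location|onload)", re.I),
}

def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (also catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def matched_signatures(value):
    """Names of signatures that match the value exactly as given (no decoding)."""
    return [name for name, pat in SIGNATURES.items() if pat.search(value)]

def inspect_parameter(name, raw_value):
    """Decode first, then match: the order a WAF's decoded-request view reflects."""
    decoded = normalize(raw_value)
    hits = matched_signatures(decoded)
    return {"parameter": name, "decoded": decoded, "signatures": hits, "blocked": bool(hits)}

# Constructed samples mirroring the demo: the login probe string and the fully
# percent-encoded 'Encoding' guestbook message (parameter names are placeholders).
LOGIN_PROBE = "'';!--\"<BOBUSER>=&{()}"
ENCODED_MESSAGE = (
    "%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20"
    "%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d"
    "%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65"
    "%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22"
    "%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f"
    "%22%3b%7d%3c%2f%73%63%72%69%70%74%3e"
)

if __name__ == "__main__":
    for param, value in (("username", LOGIN_PROBE), ("message", ENCODED_MESSAGE)):
        print(f"{param}: raw-only match {matched_signatures(value)}")
        print(f"{param}: after decoding {inspect_parameter(param, value)}")
```

Matching the raw encoded message finds nothing, while the same value after decoding trips the script-tag and redirect signatures, which is the difference the Decoded Request tab makes visible.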

That concludes this demonstration on using BIG-IP ASM to block cross-site scripting attacks.
