Application dynamic parameters are specially generated by web applications primarily for security purposes, to prevent vulnerabilities such as SQL injection, XSS, and CSRF attacks. F5 AWAF has robust capabilities to protect web applications against tampering with these dynamic parameters, ensuring security of your web applications. In this section, we will demonstrate how F5 AWAF effectively mitigates the risks associated with dynamic parameter tampering.

Table of Contents

Dynamic Parameter Tampering and Protection

Application Dynamic Parameter demonstartion

To better understand the concept of dynamic parameters in web applications, let’s look at a real example in the DVWA Web Application.

When you navigate to the login page in DVWA, a user token is dynamically generated for each session by the web application. This user token helps protect the application against CSRF and other related vulnerabilities.

I will open the login page in two different browser tabs and then inspect the content of the page to find the user token. As you can see, a unique user token is generated dynamically for each session. This dynamic parameter is what we are going to demonstrate how to protect against tampering with F5 AWAF in this section.

user tocken as a dynamic parameter in DVWA web application
user tocken as a dynamic parameter in DVWA web application

prepare Security Policy

To protect against dynamic parameter tampering, we will configure a security policy using a comprehensive or any other general security templates. We will set the enforcement mode to “blocking” to ensure that tampering attempts are blocked. Additionally, we will change the learning mode to “manual” as automatic learning will be covered in a dedicated lesson later.

create a security policy based on comprehensive security template and assign it to DVWA virtual server
create a security policy based on comprehensive security template and assign it to DVWA virtual server

Then we go to the section learning and blocking setting, where almost all security components are configured.

In the “Parameters” section, we change the learning mode to “Always” so that all parameters are learned independently. We also enable “Learn”, “Alarm”, and “Block” for all parameter violations, specifically “Illegal Dynamic Parameter Value” , which we demonstrate in this section.

change parameter learning mode to always and enable illegal dyanmic parameter lerning and blocking and alarm
change parameter learning mode to always and enable illegal dyanmic parameter lerning and blocking and alarm

Next, we will log in to DVWA so that F5 AWAF can learn the new parameters transferred through this page.

login to DVWA web application
login to DVWA web application

Now, if you check traffic learning in the section “Security > Application Security > Policy Building > Traffic Learning” and filter to show only learned parameters, you will find the “user_token” parameter listed among the learning suggestions. We will accept and enforce this parameter as a legitimate parameter to the list of web application parameters.

user token parameter is learned and we will accept and enforce it as a legal parameter
user token parameter is learned and we will accept and enforce it as a legal parameter

You can review the newly learned and enforced parameter in the section ‘Security > Application Security > Parameters > Parameters List‘. By default, the content value type is not considered unimportant and will be ignored.

by default user tocken parameter value type is ignored
by default user tocken parameter value type is ignored

When changing the content value type from ‘ignore value‘ to ‘Dynamic content value‘, you will be prompted to configure an extraction property. This step assists F5 AWAF to know where this traffic should be monitored, enhancing its ability to protect against tampering.

we change user token parameter as a dynamic content value since it is a dynamic parameter
we change user token parameter as a dynamic content value since it is a dynamic parameter

I will specify the URL with the protocol ‘HTTP‘ and path ‘/DVWA/login.php‘ as the extraction method to locate this parameter.

configure user tocken extraction property
configure user tocken extraction property

demonstrate Dynamic Parameter Tampering

Now, I will open the DVWA login page and proceed to enable the proxy with interception for the domain ‘f5demo.com‘. Detailed instructions for this process are discussed in lessons ‘5. F5 AWAF Lab Preparation Part 4 – mitmproxy Configuration as Web Debugging and Interception Demonstration‘ and ‘15. F5 AWAF Cookie Tampering Protection‘, so I won’t repeat them here.

enable mitmproxy for the application and then enable interception
enable mitmproxy for the application and then enable interception

Afterward, we attempt to log in using the username ‘admin’. However, the page does not load because the traffic is intercepted by mitmproxy.

In mitmproxy, we modify the ‘user_token‘ header field in the HTTP POST request by adding or appending something to it, and then we resume the traffic.

login to DVWA and intercept and change the content of user token
login to DVWA and intercept and change the content of user token
manipulate the content of user token dynamic parameter
manipulate the content of user token dynamic parameter

Now we observe that the traffic is blocked by F5 AWAF. Checking the event log under ‘Security > Event Logs > Application::Requests‘, you’ll find that the traffic is blocked due to a ‘illegal dynamic parameter value‘ violation, as expected.

traffic to web applicationis blocked because of illegal dynamic parameter value
traffic to web applicationis blocked because of illegal dynamic parameter value

Therefore, we have successfully protected against application dynamic parameter tampering using F5 AWAF.

Back to: F5 BIG-IP AWAF (formerly ASM) > F5 AWAF Security Policy

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment