Commit

waf25fin1
mburnsf5 committed Feb 10, 2025
1 parent ba5314f commit d3a6f4b
Showing 6 changed files with 83 additions and 305 deletions.
113 changes: 21 additions & 92 deletions docs/waf2025/module3/lab1.rst
@@ -1,123 +1,52 @@
Lab 1 – Attempt to Hack the Juice Shop
--------------------------------------

Lab 1 - Find DVGA Attack Types
---------------------------------------
Objective
~~~~~~~~~

- Close the Juice Shop tab or window.
- Restart the Juice Shop application.
- Load the Juice Shop application.
- Attempt the server side XSS hack.
- View the illegal request log entry.
- Attempt the SQL injection hack.
- View the illegal request log entry.
- Compare results of an unauthorized file access attempt.
- Search for log entry using a Support ID.
- View the illegal request log entry.

Task - Close the Juice Shop tab or window
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make sure to close the tab or window that you have the Juice Shop running in to avoid any issues with cached content or metadata.

Task - Restart the Juice Shop Application
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Juice Shop application must be restarted to reset the database. Log onto the Internal LAMP Server by navigating to the Systems column, clicking on the Access dropdown and then clicking on **WEB SHELL**

.. image:: ../images/web_shell_server.png

At the shell prompt, type the following commands to restart the Juice Shop application. The first command will list the running docker containers. Note the STATUS. The second command restarts the Juice Shop docker container (only the first 3 unique charcters of the container ID are required) and the third command will list the running container where you should see the STATUS listed as Up for a few seconds which confirms the application was restarted.

In the web shell run the command ``docker ps``. The output will look like the following:

.. code-block:: none
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0b868b1af95 bkimminich/juice-shop "docker-entrypoint.s…" 4 hours ago Up 2 hours 0.0.0.0:3000->3000/tcp reverent_raman
Run the command ``docker restart b0b``, but make sure to type the **first 3 characters of your Juice Shop container ID**. The output will be the first 3 characters of the container ID:

.. code-block:: none
b0b
Run the command ``docker ps`` to ensure the container was restarted. Your web shell should look very similar to the following:

.. code-block:: none
Familiarize yourself with DVGA and Challenge Solutions

root@ip-10-1-1-5:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0b868b1af95 bkimminich/juice-shop "docker-entrypoint.s…" 4 hours ago Up 2 hours 0.0.0.0:3000->3000/tcp reverent_raman
root@ip-10-1-1-5:~# docker restart b0b
b0b
root@ip-10-1-1-5:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0b868b1af95 bkimminich/juice-shop "docker-entrypoint.s…" 4 hours ago Up 1 second 0.0.0.0:3000->3000/tcp reverent_raman
root@ip-10-1-1-5:~#

Connect to the Linux Client
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Task - Load the Juice Shop application.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. NOTE:: All steps in this lab exercise will be performed from the Linux jump host.

After restarting the Juice Shop application you can go back to the UDF Deployment screen and open the newly started application by clicking on the Access link under the BIG-IP section and then clicking on Juice Shop.
#. On your UDF page, go to your Client component, click the Access drop down menu and choose RDP

.. image:: ../images/udf-juiceshop.png

Task - Try hacking the Juice Shop application again.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#. RDP to the Linux Client by choosing the RDP access method from your UDF environment page.

Go back to the Module 1 / Lab 3 page and run through the hacks. They should fail. Click `here <https://clouddocs.f5.com/training/community/waf/html/waf2023/module1/lab2.html>`_ to jump to that page and then click the browser back button to come back to this page to compare your results.
**user: f5student**
**password: f5DEMOs4u!**

Task - Compare results of XSS hacking attempt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. image:: ../images/rdp.png

The attempt to injected the XSS hack via the order parameter should fail and the you should see something similar to this on the page:

.. image:: ../images/mod3lab1-xss.png
Explore DVGA
~~~~~~~~~~~~

The search results will not produce the parameter value on the screen since the request was blocked by the XSS signatures applied.
#. Once logged in, launch Chrome Browser and go to http://dvga.f5appworld.com.

Task - View the Application Request Logs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#. Scroll down to “Got Stuck?” section and click “Solutions” link.

Navigate to **Security -> Event Logs -> Application -> Requests** where you should see an illegal request for the URI ``/rest/track-order/``. Click on that request and explore details of the rejected request by clicking on the Violation listed and the Attack Type. Also, make sure to scroll to the bottom of the Decoded Request section to see the string that was entered in the form.
.. image:: ../images/dvga_stuck.png

.. image:: ../images/event_log_xss.png
3. Select an attack type...in this case select **"Batch Query Attack"**

Task - Compare results of SQL injection hacking attempt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. image:: ../images/challenge_s.png

The attempt to inject the malicious SQL query should fail and the you should see something similar to the following in your browser:
4. Click the green "Show" button.

.. image:: ../images/block_sql_injection.png
.. image:: ../images/batch_query.png

Task - View the Application Request Logs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navigate to **Security -> Event Logs -> Application -> Requests** where you should see an illegal request for the URI ``/rest/products/search``. Click on that request and explore details of the rejected request by clicking on the Violation listed and the Attack Type. You can see the query at the top of the Decoded Request section.

.. image:: ../images/log_sql_injection.png
.. NOTE:: Each solution may show a script or just a graphQL payload to use to execute the attack. If it shows a script, you will find a script file matching that attack type in the /graphql directory in the user’s home directory. If the solution shows a GraphQL payload you may choose either the GraphiQL Chrome extension or Burp Suite to execute the attack. After each attack you should review the WAF logs to see the results and which violations triggered. See the “Review Waf Logs” section at the end of Lab 2 for instructions.

Task - Compare results of an unauthorized file access attempt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The attempt to download the file in the ``/encryptionkeys`` directory fails with the following message:

.. image:: ../images/support_id_file_1.png

Task - Search for log entry using a Support ID
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navigate to **Security -> Event Logs -> Application -> Requests** and then click on the ``Open Filter`` icon (beside Order by Date / Newest) and then enter the support ID shown on the blocked page in the Support ID field at the bottom of the filter window then click the ``Apply Filter`` button:

.. image:: ../images/support_id_1.png

Task - View the Application Request Logs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once the filter is applied you should only see one illegal request for the URI ``/encryptionkeys/premium.key``. Click on that request and explore details of the rejected request by clicking on the Violation listed and the Attack Type.

.. image:: ../images/log_file_access_1.png
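Review bot: the new section title "Familiarize yourself with DVGA and Challenge Solutions" has no underline, so reStructuredText will render it as an ordinary paragraph instead of a heading; give it a `~~~~` underline at least as long as the title, as the neighbouring new headings "Connect to the Linux Client" and "Explore DVGA" already have. Two consistency points in the same hunk: `.. NOTE::` should be lowercased to `.. note::` to match the notes elsewhere in this docs set, and the step list under "Explore DVGA" switches from `#.` auto-numbering to hand-written `3.` and `4.` because each un-indented `.. image::` directive terminates the enumerated list; indenting every image three spaces beneath its step keeps the list intact and lets `#.` number all steps, so the numbers cannot drift when a step is added or removed.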
109 changes: 58 additions & 51 deletions docs/waf2025/module3/lab2.rst
@@ -1,89 +1,96 @@
Lab 2 – Use the F5 WAF Tester Tool
----------------------------------
Lab 2 - Execute Attacks and Review Logs
---------------------------------------

Objective
~~~~~~~~~
Execute an attack via a python script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Install the F5 WAF Tester Tool
- Configire the F5 WAF Tester Tool
- Use the F5 WAF Tester Tool

Task - Install the F5 WAF Tester Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#. Open Terminal on the Linux jump host

RDP into the Client Jumpbox.
#. cd /graphql

.. image:: ../images/rdp-ubuntu.png
#. python3 <script name>

Open a terminal and browse to the f5student home directory **/home/f5student**
.. image:: ../images/py_term.png

.. image:: ../images/f5student-home.png

Perform an **apt** update to ensure we have the right libraries unstalled
Execute an attack using the GraphiQL Chrome extension
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

``sudo apt update``
#. Copy the graphQL payload from the Solution

Install pip for python3
.. image:: ../images/deep_recur.png

``sudo apt install python3-pip``
2. Open GraphiQL Chrome extension

Confirm the pip version
#. Enter http://dvga.f5appworld.com/graphql into the target field

``pip3 --version``
#. 4. Paste the graphql payload from solution

Now install the **f5-waf-tester**
#. Send the request

``pip install git+https://github.com/aknot242/f5-waf-tester.git``
.. image:: ../images/graphiql.png

.. image:: ../images/f5-waf-tester-installed.png


Task - Configure the F5 WAF Tester Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Execute an attack using the Burp Suite
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While still on the terminal where you installed the F5-WAF-Tester, enter the code below to begin the configuration:
#. Open Burp Suite from the desktop icon

``f5-waf-tester --init``
.. image:: ../images/burp.png

You will be asked a series of questions for the configuration. Enter the following below into the appropiate fields. Any other fields that are propmted, just hit enter to leave blank.

.. code-block:: bash
2. Click “Next” and “Start Burp”.

[BIG-IP] Host []: 10.1.1.4
[BIG-IP] Username []: admin
[BIG-IP] Password []: f5demos4u!
Virtual Server URL []: https://juiceshop.f5agility.com
#. Go to the “InQL” Burp extension tab.

Your Confoguration prompts will look like this:
#. Enter http://dvga.f5appworld.com/graphql in the GraphQL Endpoint field.

.. image:: ../images/f5-waf-tester-config.png

If you need to edit the configuration, re-initialize the tool by running ``f5-waf-tester --init`` again. Then enter your changes.
#. Click "Analyze"

Task - Use the F5 WAF Tester Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. NOTE:: This will run introspection on DVGA and return the entire schema. You should see violations in the WAF logs for this.

Run the tool as follows:
6. You should now see a directory for DVGA in the schema folders below.

::
#. Expand the DVGA folder and the date-specific folder.

f5-waf-tester -r f5_waf_tester_report_1.json
#. Select the request type that best matches the attack payload youa re trying to use.

.. note:: When using this tool at home and many of the tests fail, the signatures may be out of date. Ensure the latest signatures have been installed. The following article provides instructions on how to do that: https://support.f5.com/csp/article/K82512024. This lab does have an up to date signature set installed.
#. In the GraphQL paylod area to the right, right-click and select "Send to Repeater"

.. note:: Also check the configration attributte **URL** of the **f5-waf-tester** tool if most of the tests have failed. It is possible the testing tool is not sending traffic to the right location.
.. image:: /images/inql.png

Quickly check how many tests passed and failed:

::
10. Select the "Repeater" tab

grep true f5_waf_tester_report_1.json | wc -l
grep false f5_waf_tester_report_1.json | wc -l
#. Paste the attack paylod from the SOlution into the Request area.

View the results of the test:
#. Click "Send"

::
#. Review the response.

less f5_waf_tester_report_1.json
.. image:: /images/repeater.png

Continue to tune your WAF policy and check the OWASP Dashboard and then re-run the F5 WAF Tester.


Review WAF Logs
~~~~~~~~~~~~~~~

#. In Chrome on the LInux jump host, go to the F5 Advanced WAF shortcut and Login

**user: admin**

**password: f5demos4u!**

2. Navigate to the WAF Request Logs screen

#. Select the request with your most recent attack

#. Review the request and any GRAPHQL violations that may have triggered.

.. image:: ../images/waf_log.png



**Congratulations! You have just completed Module 4**
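Review bot: `#. 4. Paste the graphql payload from solution` carries two enumerators, so the rendered item will contain a literal "4." inside its text; drop one of them (and, as in Lab 1, indent the `.. image::` directives under their steps so `#.` can be used throughout instead of the explicit `2.`, `6.` and `10.`). Three further points in this hunk: `cd /graphql` changes to a directory at the filesystem root, while the closing note of Lab 1 says the attack scripts are in a `/graphql` directory in the user's home directory, so one of the two is wrong and `cd ~/graphql` is probably what is meant; the two InQL screenshots use `/images/inql.png` and `/images/repeater.png` whereas every other image uses `../images/...`, and a leading slash is resolved from the Sphinx source root, so these will be broken images unless a top-level `images` directory exists; and the final line congratulates the reader on completing Module 4 in a file under `module3`. Spelling: "youa re", "paylod" (twice), "SOlution", "LInux".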
8 changes: 4 additions & 4 deletions docs/waf2025/module3/module3.rst
@@ -1,10 +1,10 @@
Module 3 – Test Your WAF Policy
===============================
Module 3 - Protecting GraphQL Applications with F5 Advanced WAF
===============================================================

This module will guide you through testing the effictiveness of the WAF policy you just built by attempting the XSS and injection hacks performed in Module 1. In addition, the F5 WAF Tester Tool will be leveraged to test the policy and provide a report on its status.
In this module you will be using the “Solutions” provided in the DVGA GraphQL application to send attacks using various tools.

.. toctree::
:maxdepth: 1
:glob:

lab*
lab*
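Review bot: the new module intro only says that the DVGA "Solutions" are used to send attacks with various tools; since both labs also require reviewing the F5 Advanced WAF request logs after each attack (see the "Review WAF Logs" section of Lab 2), the intro should state that second half so the module's defensive purpose is clear up front, e.g. "...and then review the WAF request logs to see which GraphQL violations each attack triggered." The `lab*` toctree entry appears to differ only in whitespace.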
52 changes: 0 additions & 52 deletions docs/waf2025/module4/lab1.rst

This file was deleted.

0 comments on commit d3a6f4b