From d3a6f4ba01a5c6c2d993e3eadd94571331816639 Mon Sep 17 00:00:00 2001 From: mburnsf5 Date: Mon, 10 Feb 2025 12:01:39 -0500 Subject: [PATCH] waf25fin1 --- docs/waf2025/module3/lab1.rst | 113 ++++++------------------------- docs/waf2025/module3/lab2.rst | 109 +++++++++++++++-------------- docs/waf2025/module3/module3.rst | 8 +-- docs/waf2025/module4/lab1.rst | 52 -------------- docs/waf2025/module4/lab2.rst | 96 -------------------------- docs/waf2025/module4/module4.rst | 10 --- 6 files changed, 83 insertions(+), 305 deletions(-) delete mode 100644 docs/waf2025/module4/lab1.rst delete mode 100644 docs/waf2025/module4/lab2.rst delete mode 100644 docs/waf2025/module4/module4.rst diff --git a/docs/waf2025/module3/lab1.rst b/docs/waf2025/module3/lab1.rst index 21337798..97e54d3b 100644 --- a/docs/waf2025/module3/lab1.rst +++ b/docs/waf2025/module3/lab1.rst 
@@ -1,123 +1,52 @@ -Lab 1 – Attempt to Hack the Juice Shop --------------------------------------- - +Lab 1 - Find DVGA Attack Types +--------------------------------------- Objective ~~~~~~~~~ -- Close the Juice Shop tab or window. -- Restart the Juice Shop application. -- Load the Juice Shop application. -- Attempt the server side XSS hack. -- View the illegal request log entry. -- Attempt the SQL injection hack. -- View the illegal request log entry. -- Compare results of an unauthorized file access attempt. -- Search for log entry using a Support ID. -- View the illegal request log entry. - -Task - Close the Juice Shop tab or window -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Make sure to close the tab or window that you have the Juice Shop running in to avoid any issues with cached content or metadata. - -Task - Restart the Juice Shop Application -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Juice Shop application must be restarted to reset the database. Log onto the Internal LAMP Server by navigating to the Systems column, clicking on the Access dropdown and then clicking on **WEB SHELL** - -.. image:: ../images/web_shell_server.png - -At the shell prompt, type the following commands to restart the Juice Shop application. The first command will list the running docker containers. Note the STATUS. The second command restarts the Juice Shop docker container (only the first 3 unique charcters of the container ID are required) and the third command will list the running container where you should see the STATUS listed as Up for a few seconds which confirms the application was restarted. - -In the web shell run the command ``docker ps``. The output will look like the following: - -.. 
code-block:: none - - CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES - b0b868b1af95 bkimminich/juice-shop "docker-entrypoint.s…" 4 hours ago Up 2 hours 0.0.0.0:3000->3000/tcp reverent_raman - - -Run the command ``docker restart b0b``, but make sure to type the **first 3 characters of your Juice Shop container ID**. The output will be the first 3 characters of the container ID: - -.. code-block:: none - - b0b - - -Run the command ``docker ps`` to ensure the container was restarted. Your web shell should look very similar to the following: - -.. code-block:: none +Familiarize yourself with DVGA and Challenge Solutions - root@ip-10-1-1-5:~# docker ps - CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES - b0b868b1af95 bkimminich/juice-shop "docker-entrypoint.s…" 4 hours ago Up 2 hours 0.0.0.0:3000->3000/tcp reverent_raman - root@ip-10-1-1-5:~# docker restart b0b - b0b - root@ip-10-1-1-5:~# docker ps - CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES - b0b868b1af95 bkimminich/juice-shop "docker-entrypoint.s…" 4 hours ago Up 1 second 0.0.0.0:3000->3000/tcp reverent_raman - root@ip-10-1-1-5:~# +Connect to the Linux Client +~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Task - Load the Juice Shop application. -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. NOTE:: All steps in this lab exercise will be performed from the Linux jump host. -After restarting the Juice Shop application you can go back to the UDF Deployment screen and open the newly started application by clicking on the Access link under the BIG-IP section and then clicking on Juice Shop. +#. On your UDF page, go to your Client component, click the Access drop down menu and choose RDP -.. image:: ../images/udf-juiceshop.png - -Task - Try hacking the Juice Shop application again. -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. RDP to the Linux Client by choosing the RDP access method from your UDF environment page. -Go back to the Module 1 / Lab 3 page and run through the hacks. They should fail. 
Click `here `_ to jump to that page and then click the browser back button to come back to this page to compare your results. +**user: f5student** +**password: f5DEMOs4u!** -Task - Compare results of XSS hacking attempt -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. image:: ../images/rdp.png -The attempt to injected the XSS hack via the order parameter should fail and the you should see something similar to this on the page: -.. image:: ../images/mod3lab1-xss.png +Explore DVGA +~~~~~~~~~~~~ -The search results will not produce the parameter value on the screen since the request was blocked by the XSS signatures applied. +#. Once logged in, launch Chrome Browser and go to http://dvga.f5appworld.com. -Task - View the Application Request Logs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Scroll down to “Got Stuck?” section and click “Solutions” link. -Navigate to **Security -> Event Logs -> Application -> Requests** where you should see an illegal request for the URI ``/rest/track-order/``. Click on that request and explore details of the rejected request by clicking on the Violation listed and the Attack Type. Also, make sure to scroll to the bottom of the Decoded Request section to see the string that was entered in the form. +.. image:: ../images/dvga_stuck.png -.. image:: ../images/event_log_xss.png +3. Select an attack type...in this case select **"Batch Query Attack"** -Task - Compare results of SQL injection hacking attempt -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. image:: ../images/challenge_s.png -The attempt to inject the malicious SQL query should fail and the you should see something similar to the following in your browser: +4. Click the green "Show" button. -.. image:: ../images/block_sql_injection.png +.. 
image:: ../images/batch_query.png -Task - View the Application Request Logs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Navigate to **Security -> Event Logs -> Application -> Requests** where you should see an illegal request for the URI ``/rest/products/search``. Click on that request and explore details of the rejected request by clicking on the Violation listed and the Attack Type. You can see the query at the top of the Decoded Request section. -.. image:: ../images/log_sql_injection.png +.. NOTE:: Each solution may show a script or just a graphQL payload to use to execute the attack. If it shows a script, you will find a script file matching that attack type in the /graphql directory in the user’s home directory. If the solution shows a GraphQL payload you may choose either the GraphiQL Chrome extension or Burp Suite to execute the attack. After each attack you should review the WAF logs to see the results and which violations triggered. See the “Review Waf Logs” section at the end of Lab 2 for instructions. -Task - Compare results of an unauthorized file access attempt -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The attempt to download the file in the ``/encryptionkeys`` directory fails with the following message: -.. image:: ../images/support_id_file_1.png -Task - Search for log entry using a Support ID -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Navigate to **Security -> Event Logs -> Application -> Requests** and then click on the ``Open Filter`` icon (beside Order by Date / Newest) and then enter the support ID shown on the blocked page in the Support ID field at the bottom of the filter window then click the ``Apply Filter`` button: -.. image:: ../images/support_id_1.png -Task - View the Application Request Logs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Once the filter is applied you should only see one illegal request for the URI ``/encryptionkeys/premium.key``. 
Click on that request and explore details of the rejected request by clicking on the Violation listed and the Attack Type. -.. image:: ../images/log_file_access_1.png diff --git a/docs/waf2025/module3/lab2.rst b/docs/waf2025/module3/lab2.rst index c998836a..8980394d 100644 --- a/docs/waf2025/module3/lab2.rst +++ b/docs/waf2025/module3/lab2.rst @@ -1,89 +1,96 @@ -Lab 2 – Use the F5 WAF Tester Tool ----------------------------------- +Lab 2 - Execute Attacks and Review Logs +--------------------------------------- -Objective -~~~~~~~~~ +Execute an attack via a python script +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Install the F5 WAF Tester Tool -- Configire the F5 WAF Tester Tool -- Use the F5 WAF Tester Tool -Task - Install the F5 WAF Tester Tool -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +#. Open Terminal on the Linux jump host -RDP into the Client Jumpbox. +#. cd /graphql -.. image:: ../images/rdp-ubuntu.png +#. python3
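Review bot: In the lab1.rst hunk the two RDP steps ("On your UDF page, go to your Client component, click the Access drop down menu and choose RDP" and "RDP to the Linux Client by choosing the RDP access method from your UDF environment page.") describe the same action; keep one of them. The enumerated list also switches from auto-numbered `#.` items to literal `3.` and `4.` after the unindented `.. image:: ../images/dvga_stuck.png` directive, and since that directive terminates the first list, docutils treats `3.` as the start of a second list; indent the image directives under their list items (or number every item explicitly) so the steps render as one list. The two bold credential lines `**user: f5student**` and `**password: f5DEMOs4u!**` sit in one paragraph and will render on a single line; use a line block (`| `) or a bullet list. Finally, the note says the scripts are "in the /graphql directory in the user's home directory": a leading slash denotes a path from the filesystem root, so write `~/graphql` or drop "in the user's home directory", and the pointer to the "Review Waf Logs" section at the end of Lab 2 should be a `:ref:` cross-reference with "WAF" capitalized consistently.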
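Review bot: In the lab2.rst hunk the shell commands in the list items (`cd /graphql`, `python3`) are plain text; mark them as inline literals (``cd /graphql``) or place them in a `.. code-block:: bash` inside the list item so they are copy-pasteable and not reflowed, and make the path agree with the Lab 1 note that the scripts live in the user's home directory (`~/graphql`). The hunk also removes the "Objective" section that Lab 1 still has, so the two labs in module 3 no longer share the same structure; either keep an objective here or drop it from Lab 1 as well. Capitalize "Python" in the "Execute an attack via a python script" heading.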