
Verify Web Site Vulnerabilities

ASM Hands-On Exercises

Exercise 6.1 – Verify Web Site Vulnerabilities

Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.

Estimated completion time: 45 minutes

TASK 1 – Provision Application Security Manager

Provision ASM on the BIG-IP system.

In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.

Access and log in to BIGIP_A_v11.5.1.

Verify that you have restored from the BIGIP_A_clean_install snapshot (the Security option should NOT appear on the navigation panel).

Open the System > Resource Provisioning page.

o Leave Local Traffic (LTM) set to Nominal.

o Set Application Security (ASM) to Nominal.

Click Submit, and then click OK.

Once the provisioning is complete, click Continue.

TASK 2 – Modify the LAMP_3.4 Image

Make a manual modification to a Web page in the DVWA Web application.

In the VMware library, access and log in to the LAMP_3.4 using the following credentials:

Username: root
Password: default

Open File System from the desktop, and then navigate to /var/www/dvwa/vulnerabilities/xss_s.

Right-click index.php and then select Open With Mousepad.

Go to Edit > Find, and search for mtxMessage

Update the maxlength value to "200".

Go to File > Save, and then close index.php and File Manager.

Log out of LAMP_3.4.


TASK 3 – Configure the DVWA Application

Create a new HTTP monitor, a new pool, a new SSL client profile, and a virtual server to access the DVWA Web application.

Create a monitor using the following information, and then click Finished.

Name dvwa_monitor

Type HTTP

Send String GET /login.php\r\n

Receive String RandomStorm

Create a pool using the following information, and then click Finished.

Name dvwa_pool

Health Monitor dvwa_monitor

Members Address 10.128.20.17

Members Service Port 80

Create a new virtual server using the following information, and then click Finished.

Name rdp_virtual

Destination 10.128.10.35:443

HTTP Profile http

SSL Profile (Client) f5demo_client_ssl

Source Address Translation Auto Map

Default Pool dvwa_pool

TASK 4 – Verify Web Site Vulnerabilities

Use a Web browser to access the DVWA virtual server and attempt various well-known attacks against the Web site to determine its current security state.

Use a new tab to access https://dvwa.vlab.f5demo.com.

Log into DVWA using the following credentials:

Username: admin
Password: password

Command Execution

On the navigation menu, click Command Execution.


Type lamp.f5demo.com; cat /etc/passwd into the field and then click submit.

You have exposed the contents of the passwd file on this Web server. With the hostname and a semi-colon preceding the cat command, you are able to retrieve confidential files on the Web server. The goal of command execution attacks is to be able to run arbitrary commands on the target host operating system.
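As an added illustration (not part of the lab or of DVWA's own code), the Python below places the flaw behind this step beside its fix: the vulnerable handler pastes the field value into one shell command line, while the hardened handler validates the value as a hostname and passes it as a single argv element with no shell involved. The hostname grammar and the function names are this example's own assumptions.

```python
import re
import subprocess

# Hostname grammar assumed for this example: dot-separated labels of letters,
# digits and hyphens. An allowlist of the few hosts the page may ping is stricter.
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def build_command_vulnerable(target):
    # Mirrors the flaw: the field value is pasted into one shell command line,
    # so ';' ends ping and whatever follows runs as a second command.
    return "ping -c 1 " + target


def build_command_hardened(target):
    # Two independent controls: reject anything that is not a plain hostname,
    # and return argv as a list so the value is one argument no shell parses.
    if not HOST_RE.fullmatch(target):
        raise ValueError("rejected target: %r" % target)
    return ["ping", "-c", "1", target]


def is_rejected(target):
    try:
        build_command_hardened(target)
        return False
    except ValueError:
        return True


def run_ping(target, timeout=5):
    # Executes only the validated argv, never through a shell.
    result = subprocess.run(build_command_hardened(target), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    lab_input = "lamp.f5demo.com; cat /etc/passwd"  # the lab's command execution string
    print(build_command_vulnerable(lab_input))     # one shell line carrying two commands
    print(is_rejected(lab_input))                  # True
    print(build_command_hardened("lamp.f5demo.com"))
```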

SQL Injection

On the navigation menu, click SQL Injection.

Type 1 into the field, and then click Submit.

The purpose of this feature is to print the ID, first name, and surname of the submitted user ID. This is the expected behavior of this feature.

Change the user ID to 2 and click Submit.

In the User ID field copy and paste the following, and then click Submit:

%' or 1='1

You are presented with all of the users in the database.

In the User ID field copy and paste the following, and then click Submit:

%' or 1=1 union select null, database() #

The final record displays the database name (dvwa).

In the User ID field copy and paste the following, and then click Submit:

%' or 1=1 union select null, table_name from information_schema.tables #

Every record after “Bob Smith” displays a table name from this database server.

In the User ID field copy and paste the following, and then click Submit:

%' or 1=1 union select null, concat(0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #

Every record after “Bob Smith” displays the user ID, first name, last name, user name, and password (in a hash format) of a different user in the users table. A successful SQL injection exploit can read sensitive data from the application database, modify database data, or even delete data or the entire database.
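As an added example (this is not DVWA's code, and the lab itself runs against MySQL), the Python below shows why the first injection string above returns every user: the vulnerable lookup splices the field value into the SQL text, while the parameterized lookup binds it as data. SQLite stands in for MySQL so the example runs offline; because SQLite compares the literal `1='1'` as false, the example uses the equivalent `'1'='1` form of the lab's string. The sample users table is constructed here, not copied from DVWA.

```python
import sqlite3

# Constructed sample rows in the spirit of DVWA's users table (not its real data).
USERS = [
    (1, "admin", "admin", "admin"),
    (2, "Gordon", "Brown", "gordonb"),
    (3, "Hack", "Me", "1337"),
    (4, "Pablo", "Picasso", "pablo"),
    (5, "Bob", "Smith", "smithy"),
]

# Same technique as the lab's  %' or 1='1  string, written so SQLite evaluates it as true.
PAYLOAD = "%' or '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # The field value becomes part of the SQL text, so a closing quote in the
    # input rewrites the WHERE clause instead of being matched as data.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # A bound parameter is always data: the quote and the or-clause stay inside
    # one value that is compared against user_id, and match no row.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))          # [('admin', 'admin')]
    print(lookup_vulnerable(db, PAYLOAD))      # all five rows
    print(lookup_parameterized(db, PAYLOAD))   # []
```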

Cross-Site Scripting

On the navigation menu, click XSS stored.

In the two fields enter the following, and then click Sign Guestbook:

Name: Test 1

Message: Great site!

This feature is designed to enable users to leave comments about the Web site.

Create another entry, and then click Sign Guestbook:

Name: Test 2

Message: My credit card: 4111-1111-1111-1111.

Create another entry, and then click Sign Guestbook:

Name: Test 3

Message: My SSN: 123-45-6789.


Create another entry, and then click Sign Guestbook:

Name: Test 4

Message: <script>alert("Your system is infected! Call 999-888-7777 for help.")</script>

The information in the message field is JavaScript code. Using cross-site scripting, a hacker could place anything that JavaScript can do into this field, and the application then inserts it into the database.

On the navigation menu, click Home, and then click XSS stored.

The user is presented with an alert dialog box. This information is now stored in the application database and will be presented to all users that access this comments page.

Create another entry, and then click Sign Guestbook:

Name: Test 5

Message: <iframe src="https://www.f5.com" width="600" height="500"></iframe>

On the navigation menu, click Home, then click XSS stored, and then scroll down on the page.

The hacker was able to use an iframe to display their Web site on this Web page. All users will see this page when they access this comments page. Cross-site scripting is a powerful exploit because a hacker can insert JavaScript code into the database. When legitimate users access a Web page that references the database record, their device is then susceptible to the malicious content.
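As an added example (not the lab's or DVWA's own code), the Python below stores the Test 4 and Test 5 messages from the steps above and renders the guestbook twice: once by concatenating the stored text into the HTML, as the vulnerable page does, and once with HTML output encoding, which turns the script and iframe into inert text. The 200-character server-side limit mirrors the maxlength value set in Task 2 and is this example's own assumption, as are the function names.

```python
import html

# Constructed guestbook entries that reuse the lab's Test 4 and Test 5 messages.
ENTRIES = [
    ("Test 1", "Great site!"),
    ("Test 4", '<script>alert("Your system is infected! '
               'Call 999-888-7777 for help.")</script>'),
    ("Test 5", '<iframe src="https://www.f5.com" width="600" height="500"></iframe>'),
]

MAX_MESSAGE_LEN = 200  # assumed server-side limit; mirrors the lab's maxlength value


def store_entry(store, name, message, max_len=MAX_MESSAGE_LEN):
    # The form's maxlength attribute is enforced by the browser only; the server
    # must apply its own length check before anything is written to the database.
    if len(message) > max_len:
        raise ValueError("message exceeds %d characters" % max_len)
    store.append((name, message))
    return len(store)


def render_vulnerable(entries):
    # Stored text is concatenated straight into the HTML, so markup in a message
    # becomes live script or an iframe for every visitor who views the guestbook.
    return "\n".join("<p>Name: %s<br>Message: %s</p>" % (n, m) for n, m in entries)


def render_escaped(entries):
    # Output encoding at the point of rendering: each value is HTML-escaped for
    # element content, so < > & " ' are displayed literally and never parsed.
    return "\n".join(
        "<p>Name: %s<br>Message: %s</p>" % (html.escape(n), html.escape(m))
        for n, m in entries)


def has_active_markup(page):
    # Coarse check used here only to compare the two renderings.
    lowered = page.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    book = []
    for name, message in ENTRIES:
        store_entry(book, name, message)
    print(has_active_markup(render_vulnerable(book)))  # True
    print(has_active_markup(render_escaped(book)))     # False
```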

Forceful Browsing

Change the URL to https://dvwa.vlab.f5demo.com/private.txt.

Change the URL to https://dvwa.vlab.f5demo.com/basic.css.

Change the URL to https://dvwa.vlab.f5demo.com/calc.exe, and then download this application file.

These are examples of files that are not accessible through links, but are in fact present within the Web server directory. A forceful browsing attack aims to access resources that are not referenced by the Web application, but are still accessible.
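As an added example (not the lab's or an F5 product's code), the Python below shows the positive security model that defeats forceful browsing: the application's own pages are parsed for the paths they reference, and a request is allowed only when its path is in that set and its file type is one the policy permits, regardless of whether the file exists on the server. The sample HTML, the permitted file types, and the function names are this example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the links the application pages reference (not DVWA's markup).
REFERENCED_HTML = """
<html><head><link rel="stylesheet" href="/dvwa/css/main.css"></head>
<body><a href="/login.php">Login</a><a href="/vulnerabilities/xss_s/">XSS stored</a>
<img src="/dvwa/images/logo.png"></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every path the application itself links to (href and src attributes)."""

    def __init__(self):
        super().__init__()
        self.paths = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.paths.add(urlsplit(value).path)


def build_allowlist(html_docs):
    collector = LinkCollector()
    for doc in html_docs:
        collector.feed(doc)
    return collector.paths


def request_allowed(url, allowlist, allowed_types=("php", "css", "png", "")):
    # Positive model: the path must be one the application references, and its
    # extension must be a permitted type. private.txt, basic.css and calc.exe
    # from the lab fail one or both checks even though they exist on the server.
    path = urlsplit(url).path
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1] if "." in last else ""
    return path in allowlist and ext in allowed_types


if __name__ == "__main__":
    allow = build_allowlist([REFERENCED_HTML])
    for u in ("https://dvwa.vlab.f5demo.com/login.php",
              "https://dvwa.vlab.f5demo.com/private.txt",
              "https://dvwa.vlab.f5demo.com/basic.css",
              "https://dvwa.vlab.f5demo.com/calc.exe"):
        print(u, request_allowed(u, allow))
```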

Click the Back button until you return to the DVWA page.

On the navigation menu, click Setup, then click Create / Reset Database, and then click Logout.

Close the DVWA Web site tab.

In the Configuration Utility, create an archive file named bc_6.1_asm_vulnerabilities_v11.5.1.