<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The F5 Guy &#187; Security</title>
	<atom:link href="http://www.TheF5Guy.com/blog/index.php/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.TheF5Guy.com/blog</link>
	<description>F5 BIG-IP, SharePoint and Other Technologies...</description>
	<lastBuildDate>Tue, 07 Feb 2012 15:11:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>BIG-IP ASM &#8211; Using Parameters to Block Attacks</title>
		<link>http://www.TheF5Guy.com/blog/2011/05/big-ip-asm-using-parameters-to-block-attacks/</link>
		<comments>http://www.TheF5Guy.com/blog/2011/05/big-ip-asm-using-parameters-to-block-attacks/#comments</comments>
		<pubDate>Mon, 23 May 2011 23:46:02 +0000</pubDate>
		<dc:creator>naladar</dc:creator>
				<category><![CDATA[BIG-IP]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Application Security Manager]]></category>
		<category><![CDATA[ASM]]></category>
		<category><![CDATA[f5]]></category>
		<category><![CDATA[how to]]></category>
		<category><![CDATA[parameters]]></category>
		<category><![CDATA[smacking down hackers]]></category>

		<guid isPermaLink="false">http://www.TheF5Guy.com/blog/?p=1224</guid>
		<description><![CDATA[Today I would like to discuss HTML parameters and how you can leverage the BIG-IP ASM module to help secure a web site by doing what I call parameter scanning.  For this little exercise I will focus on only two parameters, TARGET and user, but the principles I am covering here can be applied to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.TheF5Guy.com/blog/wp-content/uploads/2011/05/parameter_hacker.jpg"><img class="alignright size-full wp-image-1235" title="parameter_hacker" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2011/05/parameter_hacker.jpg" alt="" width="158" height="153" /></a>Today I would like to discuss HTML parameters and how you can leverage the BIG-IP ASM module to help secure a web site by doing what I call parameter scanning.  For this little exercise I will focus on only two parameters, TARGET and user, but the principles I am covering here can be applied to all kinds of parameters.</p>
<p>For those of you who do not have a lot of experience with HTML parameters, you have probably heard them referred to as fields in your web application.  For example, many web applications have username and password fields and these are essentially parameter fields.  There are sometimes hidden parameters and dynamic parameters that are not associated with a field on the page, but today I want to discuss the basic ones.  I have chosen the TARGET parameter because it is deprecated and it can be used in phishing attacks as a form of &#8220;Open Redirect&#8221; attack on your web sites.  The user parameter was chosen because it is a pretty common parameter/field name and it just seemed to make sense to include it in the discussion.</p>
<p><span id="more-1224"></span>An open redirect type of attack will often consist of an attacker creating a URL that will redirect a victim to a site that they control.  This URL is then used in a phishing attack where a user is presented with a valid link in an email and companywebsite.com redirects the user to companywebsite-justgotowned.com&#8230; which is the site the attacker controls!  That&#8217;s just one type of open redirect attack though; another type focuses on using the TARGET parameter to redirect a user behind the scenes to a malicious web site.</p>
<p>Needless to say, that&#8217;s not good.  What is good though is that protecting against the malicious use of parameters is very EASY to do with BIG-IP ASM.  The first thing that you will want to do, provided you already have an application security policy in place, is to create a Parameter.  Navigate to Application Security, Parameter, Parameters List, select the application policy that you want to modify and click the GO button.</p>
<p>Then click Create.  Give your parameter an explicit name (I used TARGET in my example), select Global Parameter, Data Type should be Alpha-Numeric and check the &#8220;Regular Expression&#8221; box.  Now you will need to come up with a regular expression that fits your environment.  In my example I am going to define two things.  First I will use the hostname of the web site that is valid and then after the pipe I will define a value for a URL that is still being called in our own code via the TARGET method.  Since it is a relative URL I have to include it because the regex for just the hostname will not cover it.  Below is a screenshot for reference:</p>
<p><a href="http://www.TheF5Guy.com/blog/wp-content/uploads/2011/05/Parameters.png"><img class="size-medium wp-image-1222 aligncenter" title="Parameters" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2011/05/Parameters-300x248.png" alt="" width="300" height="248" /></a></p>
<p>The regex looks like this:</p>
<p><code>.*mycompany\.com.*|.*myurlpath.*</code></p>
<p>Something very important to remember when creating these regular expressions is that whenever you create a parameter value and check the Regular Expression box it is automatically set up as a POSITIVE regular expression.  Therefore whatever is in this box defines what is legal for this parameter/field.  In the example above if a TARGET value is submitted to the web application it must contain &#8220;mycompany.com&#8221; or &#8220;myurlpath&#8221; or it will be shot down by the ASM.  This will prevent someone from setting a target of somewhere other than your web site.  This will stop a blatant open redirect attack but certainly not all, because the expression only requires the allowed string to appear somewhere in the value.  Then click the Create button.</p>
<p>Now you will need to tell your web application policy to be on the lookout for violations of this type.  Navigate to Application Security, Policy, Blocking, Settings.  Then scroll down the list until you see &#8220;Parameter value does not comply with regular expression&#8221;, check the Learn, Alarm and Block check boxes.  Save and then Apply the policy.  That&#8217;s it!</p>
<p>Whenever a violation happens you will now see this in the manual traffic learning section:</p>
<p><a href="http://www.TheF5Guy.com/blog/wp-content/uploads/2011/05/Parameter_value_does_not_comply_with_regular_expression.png"><img class="size-medium wp-image-1223 aligncenter" title="Parameter_value_does_not_comply_with_regular_expression" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2011/05/Parameter_value_does_not_comply_with_regular_expression-300x58.png" alt="" width="300" height="58" /></a></p>
<p>Now to tackle the &#8220;user&#8221; parameter.  I am going to take a different angle on this one because like I mentioned before, once you understand the principle behind it you will see it can be used in a million different ways to protect your web application.</p>
<p>After looking over a few security logs you might notice that some hackers attempt to utilize the &#8220;user&#8221; parameter/field in your web application and they will try to throw all kinds of things in there.  One common element I have seen is that they will try to inject a username@yourdomain.com into the field.  Since @ is not a valid character for the application I am looking to protect, I am going to block this kind of attack by configuring the ASM to block based on an invalid meta character being placed in the parameter value.</p>
<p>Follow the instructions above for creating a new Parameter, except this time instead of using a regular expression, click the Value Meta Characters tab.  Select &#8220;@ (0x40)&#8221; from the list on the right hand side of the page and then set the value to be disallowed using the drop down box under the set state heading.  Put a check mark in the &#8220;Check characters on this parameter value&#8221; check box.  Now configure your web application policy to listen, alarm and block on these kinds of attacks.  Navigate to Application Security, Policy, Blocking, Settings.  Then scroll down the list until you see &#8220;Illegal meta character in parameter value&#8221;.  Check the appropriate boxes, save and then apply.</p>
<p>Now whenever a would-be hacker attempts to inject an invalid character into that field (the @ character in this case, but like I said you can use countless others) they will be smacked down by the ASM.</p>
<p>It&#8217;s a piece of cake really once you do it a time or two.  If you get hung up on the regular expression part have no fear!  The kind folks over at F5 Networks have thought ahead and have included a regular expression validator inside of the ASM module.  Just navigate to Application Security, Options, Tools and RegExp Validator.  You can use that tool to compile your regular expression if need be.</p>
<p>Remember, when thinking about security related things it is best to take the defense-in-depth approach.  Little things added here and there to your web application security policy that do no harm but can mitigate attacks can be very effective.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheF5Guy.com/blog/2011/05/big-ip-asm-using-parameters-to-block-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>F5 BIG-IP ASM &#8211; Web Scraping Protection</title>
		<link>http://www.TheF5Guy.com/blog/2010/12/f5-big-ip-asm-web-scraping-protection/</link>
		<comments>http://www.TheF5Guy.com/blog/2010/12/f5-big-ip-asm-web-scraping-protection/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 23:45:16 +0000</pubDate>
		<dc:creator>naladar</dc:creator>
				<category><![CDATA[BIG-IP]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Application Security Manager]]></category>
		<category><![CDATA[ASM]]></category>
		<category><![CDATA[ASM 4100]]></category>
		<category><![CDATA[CSHUI]]></category>
		<category><![CDATA[CSHUI_MOUSEMOVE]]></category>
		<category><![CDATA[f5]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[jsepee]]></category>
		<category><![CDATA[web scraping prevention]]></category>

		<guid isPermaLink="false">http://www.TheF5Guy.com/blog/?p=1151</guid>
		<description><![CDATA[F5 Networks ASM contains a very neat feature called Web Scraping Protection that I wanted to cover briefly.   What I would like to highlight is what the feature is and what it does when it is actively doing its job. This was prompted by the fact that I noticed recently that there is not [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.TheF5Guy.com/blog/wp-content/uploads/2010/12/scrape1.jpg"><img class="alignright size-full wp-image-1180" title="scrape" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2010/12/scrape1.jpg" alt="" width="239" height="123" /></a>F5 Networks ASM contains a very neat feature called Web Scraping Protection that I wanted to cover briefly.   What I would like to highlight is what the feature is and what it does when it is actively doing its job.</p>
<p>This was prompted by the fact that I noticed recently that there is not a lot of documentation available on the web regarding the F5 BIG-IP&#8217;s Web Scraping Protection mechanism and almost none regarding what it actually does to the underlying web page code presented to your end users.<br />
<span id="more-1151"></span><br />
Web scraping is defined as a computer software technique of extracting information from websites.  The people running the web scraper program typically save the contents of what is scraped and use it for their own means.  Sometimes it is just for archiving purposes, such as Archive.org&#8217;s &#8220;<a title="Archive.org" href="http://www.archive.org/web/web.php" target="_blank">WayBackMachine</a>&#8221;.  Several companies even sell what is considered by many to be legitimate commercial web scraping software.  One such company is called Mozenda, which lists such clients as Microsoft, IBM and Citi.</p>
<p>But then there are the &#8220;Others&#8221; as I like to call them.  This can range from hackers with bad intentions to companies simply seeking a competitive advantage over another company. One example of this that I can think of dealt with a few websites that make their living by offering vacationing deals.  So these leaders of their industry would publish airfares for many popular destinations on their websites and their competitors would use a computer program to scrape the pricing off of their pages.  They would then take this pricing, subtract a few dollars, load it into another program and update the pricing on their own website thereby making their vacation deal offerings just a little cheaper than their competitors!</p>
<p>Web scraping is not an illegal activity, but it can be against the &#8220;Terms of Use&#8221; for some websites.  Now, all of that being said, it is definitely nice to know that the BIG-IP ASM has a built in feature that you can enable to protect your own websites from being scraped.</p>
<p>It does this by attempting to determine whether a web client source is a human or if it is a headless computer program.  To do this it injects a piece of JavaScript code into the headers of your HTTP traffic.  I will not provide the full source code for the JavaScript, but I will hopefully provide enough for those searching through Google to be able to find this page.</p>
<p>When you are viewing the web page being protected by an ASM and web scraping anomaly detection is being actively used to protect the web page you will see the following elements.  To actually see these elements, open up Firefox, browse to the website in question and then right-click and select &#8220;View Source&#8221;.  You should see a JavaScript insert beginning very close to the top of the page that contains some of the following elements:</p>
<p>var jsepee<br />
jsepee CSHUI_RANDOM_DATA_NODE<br />
CSHUI_RANDOM_DATA_NODE']!==undefined&amp;&amp;jsepee['<br />
CSHUI_RANDOM_DATA_NODE<br />
CSHUI_COOKIE_NAME']=jsepee['CSHUI_RANDOM_DATA_NODE<br />
CSHUI_COOKIE_VALUE_TRUE']='true'+'_'+jsepee<br />
CSHUI_RANDOM_DATA_NODE<br />
CSHUI_MONITOR_KEYBOARD']=true;jsepee['CSHUI_MONITOR_MOUSE<br />
CSHUI_MOUSEMOVE_EVENTS_TARGETCSHUI_MOUSEMOVE_LAST_X_LOCATION<br />
CSHUI_MOUSEMOVE_LAST_Y_LOCATION']=0;<br />
CSHUI_MOUSEMOVE_IS_CONTINUOUS<br />
CSHUI_KEYBOARD_EVENTS_TARGET']=1;jsepee<br />
CSHUI_KEYBOARD_EVENTS_COUNTER</p>
<p>You can see by looking at these events that it is looking for keyboard, mouse and other data to determine if the content is being looked at by a human or something that falls in the OTHER category.  Once it has made a determination the web application security policy will follow whatever guidelines you have set under the policy settings.</p>
<p>So there you have it, yet one more reason why the F5 BIG-IP ASM is an excellent tool to be included in your defense in depth lineup.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheF5Guy.com/blog/2010/12/f5-big-ip-asm-web-scraping-protection/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Cookie Encryption Using An iRule</title>
		<link>http://www.TheF5Guy.com/blog/2010/01/cookie-encryption-using-an-irule/</link>
		<comments>http://www.TheF5Guy.com/blog/2010/01/cookie-encryption-using-an-irule/#comments</comments>
		<pubDate>Sat, 16 Jan 2010 04:17:22 +0000</pubDate>
		<dc:creator>naladar</dc:creator>
				<category><![CDATA[BIG-IP]]></category>
		<category><![CDATA[iRule]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[f5]]></category>

		<guid isPermaLink="false">http://www.TheF5Guy.com/blog/?p=816</guid>
		<description><![CDATA[I was going through the database of articles on AskF5 today and found an awesome feature that I wanted to highlight.  My interest was first sparked because of an article that Lori MacVittie wrote about cookie encryption.  That article can be found here. So that got me to thinking&#8230; how can someone do this in an [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.TheF5Guy.com/blog/wp-content/uploads/2010/01/cookieencryption.jpg"><img class="alignright size-thumbnail wp-image-823" title="cookieencryption" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2010/01/cookieencryption-150x135.jpg" alt="" width="125" height="112" /></a>I was going through the database of articles on AskF5 today and found an awesome feature that I wanted to highlight.  My interest was first sparked because of an article that Lori MacVittie wrote about cookie encryption.  That article can be found <a title="Lori's article on cookies" href="http://devcentral.f5.com/weblogs/macvittie/archive/2010/01/15/google-gmail-ssl-cookie-encryption.aspx" target="_blank">here</a>.</p>
<p>So that got me to thinking&#8230; how can someone do this in an iRule?  I have to admit I haven&#8217;t really looked into it that much previously because we utilize an ASM module running on a 4100 unit.  The 4100 can do a lot of different things regarding cookies such as checking if a cookie has been modified and if the cookie was obtained in a previous session.  I figured I would hit the AskF5 database to see what I could turn up and I uncovered this little gem:<span id="more-816"></span></p>
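<p><code># Generate a 128-bit AES key when the iRule is loaded<br />
when RULE_INIT {<br />
set ::key [AES::key 128]<br />
}<br />
# Encrypt the cookie value before the response is sent to the client<br />
when HTTP_RESPONSE {<br />
if { [HTTP::cookie exists "MyCookie"] } {<br />
set decrypted [HTTP::cookie "MyCookie"]<br />
HTTP::cookie remove "MyCookie"<br />
set encrypted [b64encode [AES::encrypt $::key $decrypted]]<br />
HTTP::cookie insert name "MyCookie" value $encrypted<br />
}<br />
}<br />
# Decrypt the cookie value before the request is passed to the server<br />
when HTTP_REQUEST {<br />
if { [HTTP::cookie exists "MyCookie"] } {<br />
set encrypted [HTTP::cookie "MyCookie"]<br />
HTTP::cookie remove "MyCookie"<br />
set decrypted [AES::decrypt $::key [b64decode $encrypted]]<br />
HTTP::cookie insert name "MyCookie" value $decrypted<br />
}<br />
}</code></p>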
<p>There is definitely more to this, so you may want to go check out the full solution article here:  <a title="Solution Article" href="https://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html">SOL7784</a>.  There is also an awesome 2009 iRule Contest entry that you should check out <a title="2nd Place iRule Winner" href="http://devcentral.f5.com/Default.aspx?tabid=2228">here.</a> The iRule you will want to look at is the Cookie Tampering Prevention iRule written by Henrik Gyllkrans.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheF5Guy.com/blog/2010/01/cookie-encryption-using-an-irule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SecureWorld Expo – The Value</title>
		<link>http://www.TheF5Guy.com/blog/2009/12/secureworld-expo-%e2%80%93-the-value/</link>
		<comments>http://www.TheF5Guy.com/blog/2009/12/secureworld-expo-%e2%80%93-the-value/#comments</comments>
		<pubDate>Sun, 13 Dec 2009 16:34:08 +0000</pubDate>
		<dc:creator>naladar</dc:creator>
				<category><![CDATA[Misc]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[secureworld]]></category>

		<guid isPermaLink="false">http://www.TheF5Guy.com/blog/?p=747</guid>
		<description><![CDATA[What is the value of attending the SecureWorld Expo?  I have been thinking about that a bit lately and have come to a few conclusions.  I will preface my argument by saying that the SecureWorld Expo experience is invaluable to everyone.  No, I am not limiting it to I.T. folks.  As more and more people [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-749" href="http://www.TheF5Guy.com/blog/2009/12/secureworld-expo-%e2%80%93-the-value/knowledge/"><img class="alignright size-thumbnail wp-image-749" title="knowledge" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2009/12/knowledge-150x150.jpg" alt="knowledge" width="110" height="110" /></a>What is the value of attending the SecureWorld Expo?  I have been thinking about that a bit lately and have come to a few conclusions.  I will preface my argument by saying that the SecureWorld Expo experience is invaluable to everyone.  No, I am not limiting it to I.T. folks.  As more and more people become educated about how important it is to have a positive security posture, the better things will be for everyone involved.  Well everyone except for the hackers of course!</p>
<p>I am stating the obvious here I know, but how many of you out there have worked at places where people guard their security knowledge like it&#8217;s KFC&#8217;s secret recipe for chicken?  Have you ever had to work with a security expert that can tell you every law of governance, but never truly explain WHY those laws are in place?  Ever talk to a business partner not in I.T. that just didn&#8217;t get why the web applications needed to be protected by a web application firewall or why ALL the ports on the firewall couldn&#8217;t be opened up?  I talked to a large number of people that worked at well known companies and each said that is the case where they work.  Of the group I talked to it was about 50% from the business arena and 50% from the IT side of the house, but they were all there for a common goal&#8230;.<span id="more-747"></span></p>
<p>The SecureWorld Expo is a place where people can go to learn the WHY.  Not just I.T. folks, but people from all aspects of business as well.  They can talk to industry leaders and experts about things that are going down past, present and future.  It is all about translation and communication of the most up-to-date information available.  How up-to-date is the information that is covered?  The second day of the expo, the speaker Dan Greer came out to the podium and started talking about the SSL Man-in-the-Middle Renegotiation story that just broke in the news.  I have to say my hat&#8217;s off to the folks in the DevCentral community too; shortly thereafter, a way to mitigate the attack showed up on DevCentral (Lupo, thanks for your contribution!)&#8230; it can be found in the forums at <a title="SSL Hack Mitigation" href="http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;postid=86456&amp;view=topic" target="_blank">http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;postid=86456&amp;view=topic</a></p>
<p>Other than the open sharing and exchange of knowledge, the excellent speakers, free vendor loot and good food, the other thing that is great about the SecureWorld Expo is the fact that you get CPE credits for attending the various events.  Depending on the events that you sign up for you can either earn a 12 CPE or a 16 CPE Certificate of Attendance.  This is outstanding for those that have CPE requirements to meet and keep up with.  Not only can you obtain a lot of CPEs in a short time, but it is also very cost effective.  You definitely get more bang for your buck at a SecureWorld event than you do at many others.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheF5Guy.com/blog/2009/12/secureworld-expo-%e2%80%93-the-value/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SecureWorld Expo &#8211; Nexum LTM Workshop</title>
		<link>http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-nexum-ltm-workshop/</link>
		<comments>http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-nexum-ltm-workshop/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 04:36:44 +0000</pubDate>
		<dc:creator>naladar</dc:creator>
				<category><![CDATA[BIG-IP]]></category>
		<category><![CDATA[Misc]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[secureworld]]></category>

		<guid isPermaLink="false">http://www.TheF5Guy.com/blog/?p=676</guid>
		<description><![CDATA[On the first day of the SecureWorld Expo I was fortunate enough to attend a FREE LTM Workshop being hosted by a company called Nexum.  For those who are not familiar with the company, Nexum is an information security company which is headquartered in Chicago, Illinois.  They offer a wide array of services, all of [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-720" href="http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-nexum-ltm-workshop/nexumlogo-2/"><img class="alignleft size-full wp-image-720" title="nexumlogo" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2009/11/nexumlogo1.png" alt="nexumlogo" width="110" height="111" /></a>On the first day of the SecureWorld Expo I was fortunate enough to attend a FREE LTM Workshop being hosted by a company called Nexum.  For those who are not familiar with the company, Nexum is an information security company which is headquartered in Chicago, Illinois.  They offer a wide array of services, all of which are explained in detail on their website @ <a title="Nexum Inc." href="http://www.nexuminc.com/" target="_blank">www.nexuminc.com</a>.</p>
<p>So what was covered in this &#8220;Nexum LTM Workshop&#8221;?  Quite a bit actually and it was all very well planned out.  The workshop was led by a gentleman named Peter Maag, who is a Senior Security Expert with Nexum.  I believe that part of what made this event so much fun for me was that it was obvious that Mr. Maag knew his stuff and (of course) I like talking about the capabilities of the BIG-IP line.  <span id="more-676"></span></p>
<p>Peter began by giving a brief introduction, explaining who he was and the services provided by Nexum.  I have to admit that I was unaware that Nexum was such a versatile company.  I believe it is so versatile and one of the fastest growing private companies because of them hiring and keeping talent like Mr. Maag around.  But that is a different philosophical discussion that perhaps I will touch on at some other time.  If I ever take up being a philosopher.</p>
<p>Then after the intro&#8230; it was f5 time!  For those in the audience not familiar with the BIG-IP product line Peter gave an overview of products available from f5 Networks.  He took the time to provide a clear picture of each module&#8217;s functionality and I feel that he did the products justice.  He then steered the presentation to the real meat of the workshop which was the LTM module.  Virtual Servers, Pool Members and Nodes were all explained as well as the basics of configuring load balancing.  We spent some time discussing the full proxy architecture of the LTM module and we were then guided through a load balancing demo.</p>
<p>This led into a discussion about monitors, persistence profiles, SSL termination and ended with a demo over those concepts.  There were a few questions at this point, as members of the audience asked questions such as &#8220;How long are self signed certificates valid for if they are generated on the f5 BIG-IP?&#8221; and &#8220;What are the different methods available for Cookie Persistence?&#8221;.  All of which were answered concisely and followed up with live demonstrations performed on a BIG-IP unit running TMOS version 10.x.  How cool is that?</p>
<p>We then went into a discussion about iRules.  Peter provided a number of examples of how to use iRules to pull off complicated tasks very easily.  In one example he showed how you could direct web traffic coming from an iPhone to a different set of servers than the ones used to serve up content to standard desktop browsers.  To augment the workshop Nexum provided an excellent booklet which just so happens to have a very handy page that lists almost all of the iRule Events that can be used in iRule generation.</p>
<p>We went over several other things, but the gist of this entry isn&#8217;t to really rehash everything that we covered.  The purpose is to encourage everyone using the LTM module to go check one of these workshops out.  Peter Maag did a phenomenal job explaining things for newcomers and veterans alike, which is not an easy thing to do.  To summarize, if you have just recently purchased an f5 BIG-IP product or are looking into purchasing one, attend one of these workshops.  You will walk away a wiser person and I cannot think of a better way to sell someone on f5 BIG-IP products.  Once you see it in action you will be wondering why you have stuck with Brand X for so long.</p>
<p>My next entry will be over the value of attending the SecureWorld Expo.  Is it worth the cost if you had to pay for it out of your own pocket?  What are the driving reasons for one to attend such an event?  I will be asking those questions and more soon and you may be surprised by my conclusions.  Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-nexum-ltm-workshop/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SecureWorld Expo &#8211; Jeff Bardin</title>
		<link>http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-jeff-bardin/</link>
		<comments>http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-jeff-bardin/#comments</comments>
		<pubDate>Wed, 18 Nov 2009 03:52:36 +0000</pubDate>
		<dc:creator>naladar</dc:creator>
				<category><![CDATA[Misc]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[secureworld]]></category>

		<guid isPermaLink="false">http://www.TheF5Guy.com/blog/?p=678</guid>
		<description><![CDATA[It is amazing how many things in the IT industry can be summed up using classic movie quotes.  More often than not a one liner from &#8220;The Princess Bride&#8221; will suffice.  However after attending the SecureWorld Expo as a member of the press only one dialogue exchange was lodged in my brain.  It&#8217;s when Luke is [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-687" href="http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-jeff-bardin/padlockfree/"><img class="alignright size-thumbnail wp-image-687" title="padlockfree" src="http://www.TheF5Guy.com/blog/wp-content/uploads/2009/11/padlockfree-150x150.png" alt="padlockfree" width="150" height="150" /></a>It is amazing how many things in the IT industry can be summed up using classic movie quotes.  More often than not a one liner from &#8220;The Princess Bride&#8221; will suffice.  However after attending the SecureWorld Expo as a member of the press only one dialogue exchange was lodged in my brain.  It&#8217;s when Luke is on the planet Dagobah and he turns to Yoda and says &#8220;I won&#8217;t fail you.  I am not afraid.&#8221;  Yoda simply turns to him and says &#8220;You will be.  You will be.&#8221;</p>
<p>What a great way to segue into my first SecureWorld Expo blog entry!  Be afraid, be very afraid&#8230;  I am just kidding of course.  The Expo was excellent and I walked away from the event a wiser person.  It definitely helped me look at things differently and as Ralph Waldo Emerson once said, &#8220;Fear always springs from ignorance.&#8221;  <span id="more-678"></span></p>
<p>Man, oh man.  I think I may have committed a blunder of cosmic proportions.  Are you allowed to quote Yoda and Emerson in the same blog post?  Yes? No?  Anyway, moving on&#8230;</p>
<p>The Expo started off with an awesome keynote by a very nice man named Jeff Bardin.  His topic was &#8220;Extremist Online Social Networks &#8211; Jihadis&#8221; and I was enthralled the whole time.  The banners that he had up on his very first presentation slide are the same web site banners that I have helped keep off of our network up at work.  When I saw those banners, I knew that he was going to be talking about a topic that hit close to home.</p>
<p>After taking the stage Mr. Bardin began explaining how Jihadis use resources provided by many American companies against America.  He talked about the Madrid train bombings, how Jihadis are using software like vBulletin and hacked copies of various software suites to pull off all kinds of nefarious acts.  He also discussed with great clarity how <a title="http://blogs.csoonline.com/mobile_secrets_jihadis_continue_to_demonstrate_their_technical_prowess" href="http://blogs.csoonline.com/mobile_secrets_jihadis_continue_to_demonstrate_their_technical_prowess">Jihadis are continuing to demonstrate their technical prowess.</a></p>
<p>Now I will not provide any more information about his presentation other than that.  Not because I do not want others to have the information, but because I cannot do the subject justice.  Mr. Bardin is an expert in his field and has spent countless hours researching, compiling information and teaching others.  I do not wish to diminish his work in any form or fashion.  Check out that link that I provided and the one at the bottom of this post for more information.</p>
<p>I would advise anyone, if Mr. Bardin is speaking at an event within a 12 hour driving distance, make the drive.  It really was that good.</p>
<p>After his presentation he stayed for a while answering questions.  I waited in the background for a bit, allowing others to ask questions as I listened in an attempt to take in as much information as I could.  When I did finally open my mouth he kindly gave me his business card and answered all of the questions I had.  Anybody that will go out of their way to answer questions and share knowledge like Mr. Bardin did is a good man in my book.</p>
<p>For those seeking more information about Jeff Bardin and Treadstone 71, here is a link to some great information that will save you a trip to Google: <a title="Jeff Bardin's Blog" href="http://blogs.csoonline.com/user/jeff_bardin" target="_blank">http://blogs.csoonline.com/user/jeff_bardin</a></p>
<p>So what is coming up next?  Well I can&#8217;t go too long without talking about the F5 BIG-IP product line!  I am The F5 Guy after all.  My next post will be about the Nexum LTM Workshop that was led by Peter Maag.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.TheF5Guy.com/blog/2009/11/secureworld-expo-jeff-bardin/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

