Chapter 6: Policy Tuning and Violations
Configuring BIG-IP ASM v12

Chapter Objectives

After completing this chapter you will be able to:

- Define a false positive violation
- Explain how violations are categorized
- Define policy enforcement mode
- Define the Enforcement Readiness Period
- Explain how staging can help prevent false positives
- Define the Learn, Alarm, and Block settings
- Define and configure a blocking response page
- Locate violations and view learning suggestions
- Take action on learning suggestions for a specific violation

Post-Configuration Traffic Processing

After configuration is complete, the security policy is built during a period of time in which HTTP traffic is observed. Enforcement of policy rules must be phased in gradually, as the policy is tuned, so that the application ASM is intended to protect is not broken and the user experience is not disrupted.

Figure 1: A simplified policy lifecycle starts with reviewing violations, then identifying false positives, then deciding whether or not to adapt the policy rules in order to prevent false positives from recurring.

Defining False Positives

A false positive is an instance in which ASM treats a legitimate request as a violation. False positives occur because the logic and rules for handling the request have not yet been correctly configured. As stated previously, false positives can effectively break the application ASM is intended to protect, and can negatively affect the user experience with the application, particularly if the security policy is configured to block certain requests. One of the difficulties in configuring a policy is differentiating between violations which are actual attacks and those which are not. Some violations may be triggered by malicious activity. Others might be triggered by a flaw in the security policy which cannot differentiate between legitimate and illegitimate use of the application.

ASM has a modular blocking capability, allowing a combination of positive and negative security. This means that you can configure the handling of certain violations, such as HTTP protocol compliance failures, independently from violations which require more time to interpret. The idea is that ASM can block some violations, which are probably not false positives, from day one, while allowing you to review other violations that may reflect legitimate requests.

How Violations Are Categorized

A violation is anything that is not in accordance with the rules set forth in the security policy. Broadly, ASM categorizes violations as entities violations or items violations, with either internal attributes (such as byte lengths) or governed by strict rules (such as attack signatures). A violation can indicate a mismatch with an explicit security policy definition, such as the allowable number of bytes that can be entered into a web form, or with something that is not explicitly allowed, such as an HTTP request for an executable file. The violation type determines what mitigation options, if any, are presented to the administrator for assessment. To reiterate an earlier point, it is important to ensure that attempts to mitigate a violation do not have the unintended consequence of breaking the application or a user's interaction with it.

Entities violations

Entities are the objects and HTTP methods comprising your web application. Each entity is categorized by its type. The table below lists a few common entity types.
Entity Types (partial list)

File types | URLs | Parameters | Cookies | Headers | HTTP methods

An entity is a configuration object which satisfies the following conditions:

- It has at least one configurable attribute (such as byte length) in the context of the policy
- It can have multiple occurrences
- It may be subject to staging (except Content Profiles and Redirection Domains)
- New instances of the entity may be learnable (suitable for addition to the security policy)

Items violations

Items violations are objects that indicate what to check in the respective violation, and exist in one of three states in the security policy:

- Present and enabled
- Present and disabled
- Not present

Violation Items (partial list)

HTTP protocol | Evasion techniques | Attack signatures | CSRF | Data Guard | Geolocations

Attack signatures are notably different from the other items because they can be subject to staging. However, for the scope of the policy, or in the case of their assignment to a specific parameter, attack signatures are either enabled or disabled.

Violations are organized in the following categories on the Policy Building Settings screen in ASM:

Violation Categories

Violation | Description
Illegal HTTP status in response | The server response contains an HTTP status code that is not defined in the security policy.
Illegal session ID in URL | The request contains a session ID value that does not match the session ID value which was set by the server for this session.
Request length exceeds defined buffer size | The incoming request is larger than the maximum memory buffer size of ASM.
Failed to convert character | The incoming request contains a character that does not comply with the encoding of the web application (the character set of the security policy), and ASM cannot convert the character to the current encoding.
Illegal Base64 value | ASM checks that the value in the request is a valid Base64 string. If the value is indeed Base64, ASM decodes this value and continues with its security checks.
Illegal meta character in value | ASM checks that all parameter values, XML element/attribute values, or JSON values within the request contain only meta characters defined as allowed in the security policy.
Virus detected | The incoming request includes a file containing a virus or worm.

HTTP protocol compliance failed violations

ASM reports Request for Comments (RFC) violations when the format of an HTTP request violates the HTTP RFCs. RFC documents are the general specifications that summarize the standards used across the Internet and network engineering community. RFCs are published by the Internet Engineering Task Force (IETF). (For more information on RFCs, see http://www.ietf.org/rfc.) The list of subviolations is below.

Violation | Description
POST request with Content-Length: 0 | Examines the Content-Length header of POST requests. If the method is POST, the request is not chunked, and the Content-Length header value is equal to 0, ASM issues a violation, because POST requests should usually contain a non-zero-length body.
Header name with no header value | ASM verifies that each header name in the request has an associated value.
Several Content-Length headers | More than one Content-Length header in a request is not permitted by the HTTP RFC and can indicate an HTTP request smuggling or response splitting attack.
Chunked request with Content-Length header | A chunked request is a request whose body comes in chunks, where each chunk length is specified separately. The whole request is not supposed to have a Content-Length header. A chunked request with a Content-Length header is an RFC violation and indicates a non-standard request.
Body in GET or HEAD requests | Normal traffic should not have a body in GET or HEAD requests.
Bad multipart/form-data request parsing | When the Content-Type request header contains the substring "multipart/form-data", ASM checks whether each multipart request part contains the strings "Content-Disposition" and "name". If they do not, a violation is issued.
Bad multipart parameters parsing | ASM checks the following: 1. A boundary follows immediately after the request headers. 2. The parameter value matches the format name="param_key"\r\n. 3. A chunked body contains at least one CRLF. 4. A chunked body ends with CRLF. If one of these is false, ASM issues a violation.
No Host header in HTTP/1.1 request | The RFC for HTTP/1.1 requires a Host header in the request. Requests without a Host header may indicate a non-browser client.
CRLF characters before request start | Any request which starts with CRLF (\r\n) is a suspicious request.
Host header contains IP address | An IP address in the Host header implies that the request was generated by using the IP address in the browser (instead of the DNS name, such as www.example.com). This is usually non-human behavior.
Content length should be a positive number | The Content-Length header value should be greater than zero; only a numeric positive value is accepted.
Bad HTTP version | An attacker may try to force the application to use an older version of the HTTP protocol in order to take advantage of weaknesses in the older protocol.
Null in request | A null byte in a request is an exploitation technique used to bypass sanity-checking filters by adding URL-encoded null-byte characters to user-supplied data. When developers create web applications in a variety of programming languages, these web applications often pass data to underlying lower-level C functions for further processing and functionality. If a user-supplied string contains a null character (\0), the web application may stop processing the string at the point of the null.
High ASCII characters in headers | Checks for high ASCII characters in headers (greater than 127). This technique is commonly used as a way to hide various attacks, such as XSS.
Unparsable request content | By sending a payload which is not formatted properly, attackers try to attack the HTTP parser. This can result in denial of service, buffer overflows, and various application crashes.
Check maximum number of headers | ASM enforces the maximum number of headers allowed by the administrator.
Bad host header value | ASM enforces RFC-compliant header values. For example, "Host." is not an acceptable value.
Check maximum number of parameters | By sending an HTTP request that contains too many parameters, attackers try to attack the web server parser. This can result in denial of service, buffer overflows, and various application crashes. The maximum number of parameters can be configured by the administrator.
Multiple host headers | An attacker may try to evade security checks by confusing application servers as to which hostname is being accessed.

Attack signature violations

Attack signature violations occur when an incoming request contains a string pattern that matches a regular expression in the security policy's negative regular expressions pool. There are more than 2,000 attack signatures provided by default, and custom attack signatures can also be created.

Evasion technique detected violations

An evasion attempt is typically detected by ASM when the request contains encoding or formatting that represents an attempt to bypass attack signature detection. The subviolations in this category are below:

Violation | Description
Directory traversal | ASM ensures that directory traversal sequences such as ../ are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, sometimes requests generated by JavaScript have them. Directory traversals can be used to escape the web server root and request various files, including system files or private directories and resources.
Multiple decoding | Multiply encoded requests can be used to hide various attacks such as cross-site scripting, directory traversal, SQL injection, and others. ASM decodes URI and parameter values multiple times (according to the number specified by the administrator) before the request is considered an evasion.
%u decoding | ASM performs Microsoft %u Unicode decoding (%uXXXX, where X is a hexadecimal digit). For example, ASM turns a%u002fb into a/b. ASM performs this action on URI and parameter input to evaluate whether the request contains an attack.
IIS backslashes | IIS interprets backslashes as slashes, so attackers can take advantage of it. For example, it is possible to request the following file with backslashes: GET \..\..\cmd.exe. It is recommended to enable this check if the application does not need to receive backslashes for its normal operation.
IIS Unicode codepoints | ASM handles the mapping of IIS-specific non-ASCII codepoints. When a character is greater than 0x00FF, ASM decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, ASM turns a%u2044b into a/b. ASM performs this action on URI and parameter input.
Bare byte decoding | ASM detects high ASCII bytes (greater than 127). For example, in some cases the ASCII 0xBC character can be decoded as the

The following conditions in a cookie are reported as a violation:

- Quotation marks in the cookie name.
- A space in the cookie name or cookie value.
- An equal sign (=) in the cookie name. Note: a space between the cookie name and the equal sign (=), and between the equal sign (=) and the cookie value, is allowed.
- An equal sign (=) before the cookie name.
- A carriage return (hexadecimal value 0x0d) in the cookie name.

Violation | Description
Illegal cookie length | The request includes a Cookie header that exceeds the acceptable length as specified in the security policy.
ASM cookie hijacking | The request contains an ASM cookie that was created in another session.
Expired timestamp | The timestamp in the HTTP cookie is old, which indicates that the client session has expired.
Modified ASM cookie | The request contains an Application Security Manager (ASM) cookie that has been modified.
Modified domain cookie(s) | ASM checks that the web application cookies within the request have not been altered, and verifies that the request includes a web application cookie defined in the security policy.

Content Profile Violations

ASM security policies can protect applications created with various frameworks and web services technologies, such as Google Web Toolkit (used to create AJAX applications), XML, SOAP, and others. For each technology, a profile must be created in order to define what the application security policy enforces when it processes HTTP traffic. Examples are given below:

Violation | Description
Google Web Toolkit (GWT) data does not comply with format settings | ASM ensures that the request data matches the various payload limits of the GWT profile.
Illegal attachment in SOAP message | The request contains a SOAP message in which there is an attachment that is not permitted by the security policy.
JSON data does not comply with format settings | The request contains JSON data that does not comply with the defense configuration in the security policy's JSON profile.
Malformed GWT data | ASM ensures that the request conforms to the GWT standard. For example, ASM checks that the first three tokens are positive integers, that the third integer is the number of strings that follow, and that all the other values are positive integers.
Malformed JSON data | The request contains JSON data that is not well-formed.
Malformed XML data | The request contains XML data that is not well-formed according to W3C standards.
SOAP method not allowed | The request contains a SOAP method that is not permitted by (not defined in) the security policy. For example, if a web service contains debug methods which were used during development and are described in a WSDL, an administrator can make sure that these are disallowed by ASM.
XML data does not comply with format settings | The request contains XML data that does not comply with the defense configuration in the security policy's XML profile.
XML data does not comply with schema or WSDL document | The request contains XML data that does not match the schema file or WSDL document that is part of the XML profile.

Web Services Security failure violations

Web services generally describes a collection of different technologies which enable a client to retrieve data from a server using the Simple Object Access Protocol (SOAP). SOAP data is received by the server after a client request, and relies on HTTP as its transport.

Web services security can protect XML-based web applications by embedding security-related data within SOAP messages. The ASM web services security configuration can encrypt and decrypt parts of SOAP messages, digitally sign parts of SOAP messages, and verify parts of SOAP messages using digital signatures. The ASM violations are listed below.

Violation | Description
Internal Error | The ASM web services security offload engine was confronted with an unexpected scenario, and cannot continue parsing.
Malformed Error | ASM was confronted with a malformed document, and has stopped parsing the document. This can occur when the document contains characters that are illegal according to the W3C XML 1.0 recommendation.
Certificate Expired | The client certificate, extracted from the document, has expired.
Certificate Error | The client certificate, extracted from the document, is invalid. Possible reasons are that the certificate structure is invalid and cannot be parsed, or that it was not found in the key store.
Decryption Error | An encrypted section in the request could not be decrypted. Possible reasons are that no key information was found, or that the encryption algorithm is not supported.
Encryption Error | ASM cannot encrypt a section requested by the user. This can occur if no key information was detected in the request.
Signing Error | The underlying crypto library failed to sign the document.
Verification Error | The underlying crypto library failed to perform signature verification.
Missing Timestamp | The timestamp is missing from the document.
Invalid Timestamp | The timestamp is not correctly formatted according to the document specifications.
Expired Timestamp | The timestamp has expired.
Timestamp expiration is too far in the future | The timestamp lifetime is greater than what is configured.
Unsigned Timestamp | The timestamp is missing a digital signature.

Cross Site Request Forgery Violations

Cross-site request forgery (CSRF) violations can occur when ASM detects an attempt to trick an end user of an application (in which he or she is currently authenticated) into unknowingly completing actions of the attacker's choosing.

Violation | Description
CSRF attack detected | ASM ensures that the request is legitimate and comes from the web application itself, and not from a clicked link or embedded malicious HTML or JavaScript that resides on other web applications.
CSRF authentication expired | ASM enforces an expiration time for the CSRF token, and when this time expires, this violation is issued.

IP Addresses/Geolocations Violations

IP address and geolocation violations can occur when ASM detects a request from a disreputable IP address (one that is listed in the IP Intelligence database) or from a country that has been disallowed.

Violation | Description
Access from disallowed Geolocation | ASM checks whether clients are accessing the web application from allowed geographical locations, or from disallowed geographical locations, according to the security policy.
Access from malicious IP address | The IP Intelligence database checks every source IP address against a dynamic blacklist, which is continuously updated. It can identify IP addresses associated with high risk, such as anonymous proxies, Tor exits, phishing proxies, botnets, and scanners.

Header Violations

Violations involving headers can occur if ASM detects the absence of a header which the administrator has defined as mandatory, the presence of a method in the request which is not allowed, or an illegal byte length and/or meta characters (characters such as !@#$%^&).

Violation | Description
Mandatory HTTP header is missing | ASM has detected a request which does not contain a header configured as mandatory.
Illegal method | ASM has detected a request containing a method which has not been configured as allowed.
Illegal header length | ASM has detected a header with a byte length greater than what is allowed by the policy.
Illegal meta character in header | ASM has detected a meta character in a request header. The meta character is not allowed by the security policy.

Redirection Protection Violation

Redirection protection violations can occur when ASM detects that a user is being redirected to a different domain than the one the server is currently in, and the domain is not configured as an allowed target domain.

Violation | Description
Illegal redirection attempt | ASM has detected that the server is trying to redirect the user to a target domain that is not defined in the policy. Web applications can use the "Location" response header to redirect their users to another resource (page) in the application or in another website.

Bot Detection Violation

A bot (web robot) detection violation can occur if ASM has detected that a client cannot prove that it is not an automated bot.

Violation | Description
Web scraping detected | The web client, or user agent, does not demonstrate human behavior. It is suspected of performing web scraping.
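The HTTP protocol compliance subviolations listed earlier in this chapter are all properties of the raw request bytes, so they can be checked mechanically before any entity or signature logic runs. The following Python function is an added example written for this page (it is not ASM code or F5 courseware) that parses a raw request and returns the names of the subviolations it raises, using the names from the table. The accepted HTTP versions, the header limit of 20 and the two sample requests are assumptions constructed for the example.

```python
import ipaddress
import re

# Added example (not ASM code): simplified checker for the HTTP protocol
# compliance subviolations in this chapter. Violation names follow the table.
# Assumptions: only HTTP/1.0 and HTTP/1.1 are accepted; default header limit is 20.
ACCEPTED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*(?::\d{1,5})?$"
)
BRACKETED_IPV6_RE = re.compile(r"^\[([^\]]+)\](?::\d{1,5})?$")


def split_request(raw: bytes):
    """Return (method, version, headers, body); headers are (name, value, had_colon)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    method = parts[0]
    version = parts[2] if len(parts) > 2 else ""
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip(), value.strip(), colon == b":"))
    return method, version, headers, body


def rfc_compliance_violations(raw: bytes, max_headers: int = 20):
    """Return the HTTP protocol compliance subviolations raised by a raw request."""
    found = []
    if raw.startswith(b"\r\n"):
        found.append("CRLF characters before request start")
        raw = raw.lstrip(b"\r\n")
    if b"\x00" in raw:
        found.append("Null in request")

    method, version, headers, body = split_request(raw)
    if version not in ACCEPTED_VERSIONS:
        found.append("Bad HTTP version")
    if len(headers) > max_headers:
        found.append("Check maximum number of headers")

    hosts, content_lengths, chunked = [], [], False
    for name, value, had_colon in headers:
        if not had_colon or not value:
            found.append("Header name with no header value")
        if any(b > 127 for b in name.encode("latin-1") + value):
            found.append("High ASCII characters in headers")
        lname = name.lower()
        if lname == "host":
            hosts.append(value.decode("latin-1"))
        elif lname == "content-length":
            content_lengths.append(value.decode("latin-1"))
        elif lname == "transfer-encoding" and b"chunked" in value.lower():
            chunked = True

    # Host checks: HTTP/1.1 needs exactly one RFC-compliant Host; a literal IP is non-browser behaviour.
    if version == "HTTP/1.1" and not hosts:
        found.append("No Host header in HTTP/1.1 request")
    if len(hosts) > 1:
        found.append("Multiple host headers")
    for host in hosts:
        m = BRACKETED_IPV6_RE.match(host)
        bare = m.group(1) if m else (host.split(":")[0] if host.count(":") == 1 else host)
        try:
            ipaddress.ip_address(bare)
        except ValueError:
            if not HOSTNAME_RE.match(host):
                found.append("Bad host header value")
        else:
            found.append("Host header contains IP address")

    # Framing checks: duplicate or conflicting length information is the request smuggling primitive.
    if len(content_lengths) > 1:
        found.append("Several Content-Length headers")
    for cl in content_lengths:
        if not cl.isdigit():  # non-numeric or negative ("-1" is not all digits)
            found.append("Content length should be a positive number")
        elif method == "POST" and not chunked and int(cl) == 0:
            found.append("POST request with Content-Length: 0")
    if chunked and content_lengths:
        found.append("Chunked request with Content-Length header")
    if method in ("GET", "HEAD") and body:
        found.append("Body in GET or HEAD requests")
    return list(dict.fromkeys(found))  # one report per subviolation, in detection order


# Constructed sample traffic for the example (not captured from a real system).
CLEAN_REQUEST = (b"GET /index.php?q=test HTTP/1.1\r\n"
                 b"Host: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SUSPICIOUS_REQUEST = (b"\r\nPOST /search HTTP/0.9\r\n"
                      b"Host: 10.0.0.5\r\nHost: www.example.com\r\n"
                      b"Content-Length: 5\r\nContent-Length: abc\r\n"
                      b"Transfer-Encoding: chunked\r\nX-Empty\r\n"
                      b"X-Hi: caf\xe9\r\n\r\na=1\x00")

if __name__ == "__main__":
    print("clean:", rfc_compliance_violations(CLEAN_REQUEST))
    print("suspicious:", rfc_compliance_violations(SUSPICIOUS_REQUEST))
```

A single request can raise several subviolations at once; the function reports each once, in detection order, which is the shape of information an administrator later weighs when deciding whether a violation is a false positive.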
Data Guard Violation

A Data Guard violation can occur if Data Guard is enabled on the security policy, and data that should not be visible in the logs or the GUI (such as a credit card number) is present in an HTTP response.

Violation | Description
Data Guard: Information leakage detected | ASM has detected sensitive data, such as credit card digits or other configurable data, in a response. If File Content Detection, such as for MS Office files, is enabled, ASM will alert that a restricted resource is present in the HTTP response.

(User-defined) Violations

An administrator can create and apply custom violations to a security policy. This provides flexibility for triggering violations that are independent of ASM, before or after ASM processes a request. Additionally, user-defined violations can be triggered even if none of the built-in ASM violations are triggered.

Violation Rating: A Threat Scale

Each violation is rated on a severity scale. Not rated means there is no violation. The lowest rating is a 1, which most likely indicates a false positive. The highest rating is a 5, which most likely indicates a real attack.

Rating | Meaning
Not rated | No violation
1 | Most likely a false positive
2 | Looks like a false positive; requires examination
3 | Needs further examination
4 | Looks like a threat but requires examination
5 | Request is most likely a threat

Figure 2: Violation ratings are established by calculating various criteria for a specific request.

Violation rating criteria include attack signature accuracy and severity, and whether the source IP is on a WAN or LAN. Local traffic, for example, is probably less likely to contain a threat than WAN traffic. Other considerations include allowable meta characters, and whether or not a request is triggering multiple attack signatures or multiple attack signature categories.
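Returning to the evasion technique subviolations listed earlier in this chapter: directory traversal, multiple decoding, %u decoding, IIS backslashes, IIS Unicode codepoints and bare bytes are all exposed by normalizing the URI before attack signatures are matched, and a WAF has to do that normalization in a fixed order or an attacker can slip a payload past the signature pool. The following Python function is an added example written for this page (not ASM code or F5 courseware) that performs that normalization and reports which evasions it uncovered, using the names from the table. The decoding limit of 2, the sample URIs and the single best-fit mapping for U+2044 are assumptions of the example; real IIS best-fit tables are much larger.

```python
import re
from urllib.parse import unquote

# Added example (not ASM code): URI normalization that exposes the evasion
# techniques listed in this chapter and reports which ones it found.
# Assumptions: the administrator-configured decoding limit is 2, and the only
# IIS best-fit codepoint mapped is the one the text cites (U+2044 -> '/').
MAX_DECODING_PASSES = 2
IIS_BEST_FIT = {0x2044: "/"}
PCT_U_RE = re.compile(r"%[uU]([0-9A-Fa-f]{4})")
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_percent_u(s: str):
    """Microsoft %uXXXX decoding. Returns (decoded, used_u, used_iis_codepoint)."""
    used_u = used_cp = False

    def repl(m):
        nonlocal used_u, used_cp
        cp = int(m.group(1), 16)
        used_u = True
        if cp > 0xFF:  # outside Latin-1: apply the IIS best-fit code page mapping
            used_cp = True
            return IIS_BEST_FIT.get(cp, m.group(0))  # unmapped codepoints stay as-is
        return chr(cp)

    return PCT_U_RE.sub(repl, s), used_u, used_cp


def normalize(uri: str, max_passes: int = MAX_DECODING_PASSES):
    """Normalize a URI as a WAF would before signature matching.

    Returns (normalized_uri, evasions): the fully decoded URI with backslashes
    folded to slashes, and the evasion technique names detected, in order.
    """
    evasions = []
    current, passes = uri, 0
    while True:
        decoded, used_u, used_cp = decode_percent_u(current)
        if used_u:
            evasions.append("%u decoding")
        if used_cp:
            evasions.append("IIS Unicode codepoints")
        decoded = unquote(decoded, encoding="latin-1")  # one %XX pass, bytes kept 1:1
        if decoded == current:
            break  # nothing left to decode
        current, passes = decoded, passes + 1
        if passes > max_passes:  # still changing beyond the configured limit
            evasions.append("Multiple decoding")
            break
    if any(ord(c) > 127 for c in current):
        evasions.append("Bare byte decoding")
    if "\\" in current:
        evasions.append("IIS backslashes")
        current = current.replace("\\", "/")
    if TRAVERSAL_RE.search(current):
        evasions.append("Directory traversal")
    return current, list(dict.fromkeys(evasions))


if __name__ == "__main__":
    # Constructed sample URIs for the example (not from a real capture).
    for sample in ("/index.php?q=test", "/a%u002fb", "/a%u2044b",
                   "/scripts/..%5c..%5cwinnt/system32/cmd.exe",
                   "/%252e%252e/etc/passwd", "/search?q=%bcscript%be"):
        print(sample, "->", normalize(sample))
```

The order matters: %u sequences are resolved before %XX, backslashes are folded only after decoding has finished, and traversal is checked on the final form, so a payload such as ..%5c..%5c is reported both as an IIS backslash evasion and as the directory traversal it becomes.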
IP Address Intelligence Overview

IP Address Intelligence relies on an online IP address reputation service called BrightCloud, which is maintained by a vendor called Webroot. An IP address earns a negative reputation when BrightCloud detects suspicious activity, such as spam or viruses originating from that address.

The IP Address Intelligence feature allows ASM to block client requests that originate from IP addresses that have been blacklisted by the Webroot IP Reputation subscription service. It uses a BIG-IP daemon, iprepd, and a matching database file. The daemon does not affect traffic directly; it updates the database file and responds to queries for IP address reputation. Database updates occur every 5 minutes.

Lab 6.1 - Triggering and Viewing Violations

Objectives:

- Trigger a violation
- View the Request List
- Locate the Violation Rating

Estimated time for completion: 5 minutes

Lab Requirements:

- IP and port addresses available for use on BIG-IP ASM that can be reached by the client systems
- Web application server with an appropriate route to return traffic through each BIG-IP ASM system
- Virtual server with Application Security Policy enabled
- A security policy based on the Rapid Deployment template

Trigger a Violation

1. Go to the index.php page of the auction site via your virtual server. (Click Home at the top of the page.)
2. In the Search field, enter