Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager
  2. HTTP Protocol

Deep Dive to “HTTP Request” on ASM Module

The ASM (Application Security Manager) module in F5 is designed to inspect and secure HTTP requests as part of its Web Application Firewall (WAF) capabilities. A deep dive into HTTP requests from the perspective of the ASM module involves understanding how it analyzes and processes incoming HTTP traffic to detect and mitigate threats.

Components of an HTTP Request in ASM

  1. Request Line:

    • Method: The HTTP method used (e.g., GET, POST, PUT).

      • ASM inspects the method to detect unusual or restricted usage, such as PUT or DELETE, which may indicate potential abuse.

    • URI (Uniform Resource Identifier): The requested resource on the server.

      • ASM checks for anomalies like excessively long URIs or encoded attacks (e.g., directory traversal, encoded XSS payloads).

    • HTTP Version: The protocol version (e.g., HTTP/1.1, HTTP/2).

      • ASM ensures compliance with supported versions to prevent exploitation of protocol-level vulnerabilities.

  2. Headers:

    • Contain metadata about the request.

    • Common headers analyzed by ASM:

      • Host: Validates the target domain and detects host header injections.

      • User-Agent: Analyzes the client type (e.g., browser or bot) and blocks malicious bots.

      • Referer: Ensures proper referral sources to prevent cross-site request forgery (CSRF).

      • Accept: Identifies acceptable response formats to detect abnormal behavior.

      • Authorization: Validates credentials and protects against unauthorized access attempts.

      • Cookie: Monitors session-related information for tampering or injection attacks.

    • Custom Headers: ASM can inspect and validate custom headers defined by the application.

  3. Body:

    • The payload sent with methods like POST or PUT.

    • ASM applies signature-based detection, pattern matching, and anomaly detection to identify:

      • SQL Injection.

      • Cross-Site Scripting (XSS).

      • Command Injection.

      • File upload vulnerabilities.

  4. Query Parameters:

    • Passed in the URI (e.g., ?id=123&name=test).

    • ASM validates the parameters for length, format, and malicious content.

  5. Cookies:

    • ASM analyzes cookies for tampering, which could compromise sessions or application logic.

ASM Features for HTTP Request Inspection

  1. Signature-Based Detection:

    • Pre-defined and customizable security signatures help detect known attack patterns.

    • E.g., SQL keywords, script tags in input fields, or malicious User-Agent strings.

  2. Behavioral Analysis:

    • Tracks user behavior and identifies deviations from normal patterns.

    • E.g., a sudden burst of identical requests may indicate a bot or attack.

  3. Positive Security Model:

    • Defines what is allowed rather than what is blocked.

    • Only legitimate methods, parameters, and values are accepted.

  4. Attack Signatures for Specific Components:

    • ASM maps signatures to request components, enabling fine-grained inspection.

    • Example:

      • URI-specific attack signatures.

      • Query string validation for parameter-specific attacks.

  5. Anomaly Detection:

    • Detects unusual patterns such as:

      • Abnormally long requests.

      • High request rates from a single source.

      • Encoding techniques (e.g., double URL encoding).

  6. Request Content Profiles:

    • Configures rules for expected input types (e.g., JSON, XML, or multipart).

    • Validates content structure and format to block malformed or malicious data.

  7. Virtual Patching:

    • Applies WAF protections at the HTTP request layer to mitigate vulnerabilities before applications are patched.

  8. Geolocation and IP Intelligence:

    • Tracks the source of HTTP requests to identify and block traffic from malicious regions or blacklisted IPs.

Workflow of HTTP Request Handling in ASM

  1. Request Received:

    • ASM captures the incoming HTTP request and parses its components (headers, body, URI).

  2. Policy Application:

    • Pre-defined security policies are applied based on the application's requirements.

  3. Signature and Behavior Analysis:

    • ASM matches the request against known attack signatures.

    • Behavioral checks identify deviations from normal patterns.

  4. Violation Detection:

    • If the request violates security policies (e.g., malformed requests, detected injections), it triggers a violation.

  5. Logging and Alerting:

    • Logs details of violations for administrators.

    • Alerts are generated for significant threats.

  6. Mitigation:

    • ASM blocks or challenges the malicious request (e.g., using a CAPTCHA, session termination, or direct block).

PreviousHTTP ProtocolNextASM Example: Detecting a Malicious HTTP Request

Last updated 3 months ago