SlideShare ist ein Scribd-Unternehmen logo
1 von 71
Downloaden Sie, um offline zu lesen
F5 mitigations series
by
• Get security assistance
when you are under attack !
•
•
•
•
•
• F5SIRT@f5.com
• https://f5.com/support/security-incident-response-team-sirt
F5 Security Incident Response Team (F5 SIRT)
1.
2.
3.
4.
5.
•
“ In cryptography, a brute-force attack consists of an attacker
trying many passwords or passphrases with the hope of
eventually guessing correctly. The attacker systematically
checks all possible passwords and passphrases until the
correct one is found.”
I brute forced it
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
1.
•
•
2.
3.
4.
5.
•
•
•
1.
2.
3.
•
•
•
•
Logging profile:
• Log illegal request – can also be log all request but
consider performance before
• Enable application security
• Verify that “login results” is checked - this will help
us to verify that the login fail / success criteria is
working ok. Note that this is not on by default.
• Optional – enable bot defense logging
•
1.
2.
3.
4.
a.
b.
c.
d.
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
HTML form – view source
Interception proxy
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Post
login
*For post login string in the response – make
sure there is no similar word in the response
or false positive will hit you
•
•
•
•
•
•
•
•
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
•
•
•
•
•
•
•
•
•
•
1.
2.
•
•
•
•
•
Hacktivism
Unidentified UserUser
Coffee shop
BF Bot
App
User
User
Local ISP proxy
Office
IP:Y
IP:X
IP:A
•
•
•
Hacktivism
Unidentified UserUser
Coffee shop
BF Bot
App
User
User
Local ISP proxy
Office
IP:Y
IP:X
IP:A
ASM DID: 70
ASM DID: 60
ASM DID: 50
ASM DID: 20ASM DID: 30
ASM DID: 40
ASM DID: 1ASM DID: 2ASM DID: 3
•
•
•
•
•
•
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• to the
URL
•
•
by %
•
by fix
• from the
source IP’s
•
by %
•
by fix
• Measurement for both criteria can be
fine tune
• Failed attempt threshold – ratio / fixed
•
•
1.
• A
• B
2.
• A
• B
1
2
B
A
Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
App
User
If reached thresholds for IP based then:
Only X amount of request is allowed from this IP
Example: Any IP that fails more then 2 times / 10 seconds will send
only history amount of request = attack slow down + less false positive
Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
User
If reached thresholds for URL based then:
Only history amount of request is allowed to this URL for all IP’s
App
Example: Any IP that access the URL that counted 10 failed login / 10
seconds will be rate limit to the history
Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
App
User
Source IP that has 2 failed login /
10 sec will get CSID to see
browser – pass / bot – block
Example: Any IP that failed login 2/10 sec (or 10% increase of
ratio) will get CSID and if will not qualify be blocked
Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
User
ANY IP that failed login threshold reached will get CSID
App
Example: URL failed login reached 10 per 10 second so every IP will get
CSID and will be blocked if not a browser
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
•
•
•
•
•
•
•
Good coverage
• Main changes:
• Same concept for access
validation – sting to failed login
• Source based can track :
• User name
• Device ID
• IP address
• Distributed mode
• Credentials Stuffing
• Easy to configure with simple
thresholds
•
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
•
• By source IP – measure RPS increase from the IP
• By Device ID – measure RPS increase of a device ID
• By Geolocation – measure PRS increase from country
• By URL – measure RPS increase on a URL
•
•
•
•
•
Is stress based good in
this case ? No
AVR top URLs on DoS visibility
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
•
•
•
•
•
•
•
•
•
• Can Web scarping detect brute force ?
Yes, it is also owns anomalies and anti bot
mechanism
This is what happened when I did BF
and WS was on
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
Simple & Impersonating Bots
Bots with cookies / JS capabilities
Bots acting as full browser
Client Capabilities
CAPTCHA Challenge
CSID
Bot Signatures
ASM Signatures
CAPTCHA Challenge
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
Client Side Integrity Defense - Flow
User Browser DoS Profile App
First main page access
HTTP Request (no cookie)
Computational challenge
Solve challenge/
set cookie with time stamp
HTTP Request (cookie) Reconstruct request
Original HTTP Request
HTTP Response (main page)
HTTP Response (main page)
More object requests (cookie)
Validate cookie: format & time stamp
More object requests
More responses
More responsesDeliver page
• This is the flow and
timeline of events.
• Transparent to the user,
done under the hood
• Note that request is held at
the ASM and not arriving
the app until checks are
satisfied
• Not all checks are
described here, some are
internal IP.
Send JS test
User Browser DoS Profile App
Request login.php
GET /login.php (no cookie)
CAPTCHA HTML +JS response
Cookie with time stamp
Solve
CAPTCHA
CAPTCHA rendered
Submit CAPTCHA
solution
GET /mypage.php + CAPTCHA
cookie
Verify CAPTCHA solution
Validate cookie
GET /mypage.php
HTML of mypage.php
HTML of mypage.php
mypage.php
rendered
Send
CAPTCHA
• While the system is still in a
state of attack the offending
source will be presented with
another CAPTCHA every 5
min.
• Same as CSID, request is
held at the ASM until
CAPTCHA is solved
User Browser DoS Profile App
First request GET /sell.php
GET /sell.php (no cookie)
Client Capabilities Challenge response
Return Client Capabilities
verification
Reconstruct request
HTTP Response (cookie)
HTTP Response
GET /img.png (cookie)
Blank page & Set cookie
Original HTTP Request + cookie
Authenticate and decrypted JS results,
Compute browser score based on result
Determine an action based on score
GET /img.png (cookie)
Validate cookie:
format & time stamp
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
Run first then ASM signatures
DNS setting – exempt good bots from testing thus reduce FP e.g. google bot
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
•
•
•
•
•
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
•
•
•
•
•
•
•
1.
•
•
•
2.
•
•
3.
•
•
4.
•
•
Review those mitigations
when HTTP_REQUEST {
if { ( [HTTP::uri] eq "/index.aspx" && ![HTTP::header exists "Referer"] && [[HTTP::header “User-Agent”]
contains “Firefox/2.2.2”] ) } {
# log and drop the request as invalid
log local0. “INCIDENT - Blocking request from [IP::remote_addr]"
} else {
#Allow this request as a Referer is present
}
}
•
https://twitter.com/rotkovitch
https://www.linkedin.com/in/lior-rotkovitch-b796909/

Más contenido relacionado

Was ist angesagt?

F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk managementAEC Networks
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence ServiceF5 Networks
 
The WAF book (Web App Firewall )
The WAF book  (Web App Firewall )The WAF book  (Web App Firewall )
The WAF book (Web App Firewall )Lior Rotkovitch
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - SlidesAmit Dubey
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?Beau Bullock
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 

Was ist angesagt? (20)

F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
WAF 101
WAF 101WAF 101
WAF 101
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 
The WAF book (Web App Firewall )
The WAF book  (Web App Firewall )The WAF book  (Web App Firewall )
The WAF book (Web App Firewall )
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalation
 
OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?OK Google, How Do I Red Team GSuite?
OK Google, How Do I Red Team GSuite?
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 

Ähnlich wie WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean

Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
 
Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Lior Rotkovitch
 
Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)Sam Bowne
 
Breaking Fraud & Bot Detection Solutions
Breaking Fraud & Bot Detection SolutionsBreaking Fraud & Bot Detection Solutions
Breaking Fraud & Bot Detection SolutionsMayank Dhiman
 
Testing mit Codeception: Full-stack testing PHP framework
Testing mit Codeception: Full-stack testing PHP frameworkTesting mit Codeception: Full-stack testing PHP framework
Testing mit Codeception: Full-stack testing PHP frameworkSusannSgorzaly
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabiRafik HARABI
 
Building a secure BFF at Postman
Building a secure BFF at PostmanBuilding a secure BFF at Postman
Building a secure BFF at PostmanAnkit Muchhala
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyTEST Huddle
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guideihji
 
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...JosephTesta9
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеSQALab
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchLior Rotkovitch
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignEric Maxwell
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvcmagda3695
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
The Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionThe Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionOption3
 

Ähnlich wie WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean (20)

Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
 
Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1
 
Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)
 
Breaking Fraud & Bot Detection Solutions
Breaking Fraud & Bot Detection SolutionsBreaking Fraud & Bot Detection Solutions
Breaking Fraud & Bot Detection Solutions
 
Testing mit Codeception: Full-stack testing PHP framework
Testing mit Codeception: Full-stack testing PHP frameworkTesting mit Codeception: Full-stack testing PHP framework
Testing mit Codeception: Full-stack testing PHP framework
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi
 
Building a secure BFF at Postman
Building a secure BFF at PostmanBuilding a secure BFF at Postman
Building a secure BFF at Postman
 
Security in php
Security in phpSecurity in php
Security in php
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API Security
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a Proxy
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружение
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
The Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA SolutionThe Whys and Hows of Deploying a Secure RPA Solution
The Whys and Hows of Deploying a Secure RPA Solution
 

Mehr von Lior Rotkovitch

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfLior Rotkovitch
 
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...Lior Rotkovitch
 
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfBots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfLior Rotkovitch
 
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...Lior Rotkovitch
 
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfA Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfLior Rotkovitch
 
The WAF book intro protection elements v1.0 lior rotkovitch
The WAF book intro protection elements v1.0 lior rotkovitchThe WAF book intro protection elements v1.0 lior rotkovitch
The WAF book intro protection elements v1.0 lior rotkovitchLior Rotkovitch
 
The waf book intro v1.0 lior rotkovitch
The waf book intro v1.0 lior rotkovitchThe waf book intro v1.0 lior rotkovitch
The waf book intro v1.0 lior rotkovitchLior Rotkovitch
 
Bots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineBots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineLior Rotkovitch
 
Html cors- lior rotkovitch
Html cors- lior rotkovitchHtml cors- lior rotkovitch
Html cors- lior rotkovitchLior Rotkovitch
 
Web Socket ASM support lior rotkovitch
Web Socket ASM support   lior rotkovitchWeb Socket ASM support   lior rotkovitch
Web Socket ASM support lior rotkovitchLior Rotkovitch
 
הדרכה מבוססת אינטרנט Wbt - Web based training
הדרכה מבוססת אינטרנט  Wbt - Web based training הדרכה מבוססת אינטרנט  Wbt - Web based training
הדרכה מבוססת אינטרנט Wbt - Web based training Lior Rotkovitch
 
פיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתפיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתLior Rotkovitch
 

Mehr von Lior Rotkovitch (12)

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdf
 
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
 
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfBots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
 
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
 
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfA Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
 
The WAF book intro protection elements v1.0 lior rotkovitch
The WAF book intro protection elements v1.0 lior rotkovitchThe WAF book intro protection elements v1.0 lior rotkovitch
The WAF book intro protection elements v1.0 lior rotkovitch
 
The waf book intro v1.0 lior rotkovitch
The waf book intro v1.0 lior rotkovitchThe waf book intro v1.0 lior rotkovitch
The waf book intro v1.0 lior rotkovitch
 
Bots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineBots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engine
 
Html cors- lior rotkovitch
Html cors- lior rotkovitchHtml cors- lior rotkovitch
Html cors- lior rotkovitch
 
Web Socket ASM support lior rotkovitch
Web Socket ASM support   lior rotkovitchWeb Socket ASM support   lior rotkovitch
Web Socket ASM support lior rotkovitch
 
הדרכה מבוססת אינטרנט Wbt - Web based training
הדרכה מבוססת אינטרנט  Wbt - Web based training הדרכה מבוססת אינטרנט  Wbt - Web based training
הדרכה מבוססת אינטרנט Wbt - Web based training
 
פיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתפיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבת
 

Último

Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 

Último (20)

Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 

WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean

Hinweis der Redaktion

  1. This training is provided by the F5 Security Incident Response Team (SIRT) Please E-mail any security related inquiries to <CLICK> f5sirt@f5.com
  2. I have used my own DSMM – Defensive Security Management Methodology . The book is on the way
  3. To consider it failed login: - it this true – i.e. true condition = failed login
  4. Can drop valid users. valid users are for example IP that fails 4 time per 1 minute – likely or not ? It depends
  5. Does CSID will be send to only those who access the URL or for every URL
  6. Is stress based good in this case ? No
  7. This animation illustrates the sequence of events from the initial user request through successful completion of the CAPTCHA challenge. It is similar to Client side integrity defense concept. Another advantage is that by sending CPAPTHA to client that their thresholds increase will have an effect of delaying the user since it will take time until solving the CAPTCHA challenge. Once the CAPTCHA challenge is solved the client will have a cookie that will be validate each request for format and time stamp. After 5 minutes ASM will issue a new CAPTCHAto this client ( keep in mind that this client (source IP or other detections) is exceeding the defined thresholds in the IP detection criteria therefore we can send him CAPTCHA’s as he is a suspect for causing dos)
  8. The first request arrives to the proactive bot defense with no cookie.   The proactive bot defense holds the request and sends the Client Capabilities script back to the browser. Note that the request doesn’t arrive at the server at this point.   The java script then scans the browser and returns results to the proactive bot defense .   Proactive Bot Defense then authenticates and decrypts the java script. The browser score is computed based on the two database comparisons, and finally the action that will be taken is determined. If the score is between 0 and 59, then another response is sent to the browser with a set cookie inside a blank page.   Then the request arrives to the proactive bot defense with the cookie and the original request is sent to the web server.   The following requests will be validated for cookie format and timestamp.   The entire flow describe here is transparent to the user and causes only a minor delay from the web server.
  9. For any question or feedback please send an email to lior@f5.com or the f5sirt@f5.com I’m also at: https://twitter.com/Rotkovitch https://www.linkedin.com/in/lior-rotkovitch-b796909/ http://cybersoc.net