What Happened?
- How do I protect my environment against OWASP Top Ten Web 2021
- How to configure Web App & API Protection to mitigate OWASP Top Ten A02:2021 – Cryptographic Failures
Environment
- F5 Distributed Cloud
- WAF policy
- OWASP Top Ten A02:2021 – Cryptographic Failures
Resolution/Answer
The focus of "Cryptographic Failures" is on failures related to cryptography (or lack thereof), which often lead to exposure of sensitive data. For more information, please visit: A02:2021 – Cryptographic Failures
This time we are going to focus on the scenario below and on how to mitigate this kind of sensitive data exposure using a WAF/WAAP policy in Distributed Cloud (XC).
To configure the WAF policy enforcement in blocking mode:
- Make sure that you already have an LB configured as well as a WAF policy. The following articles should help you with this process: HTTP Load Balancer and Application Firewall
- Now, let's attach our WAF policy to our LB. To do that, navigate in your XC console to your LB by going to: Home >> Web App & API Protection >> select the namespace in which you configured your LB >> Manage >> Load Balancers >> HTTP Load Balancers
- Locate your LB, click on the 3-dot icon at the right of your screen and select "Manage Configuration"
- Click on the "Edit Configuration" button at the upper-right corner of the console, select "Web Application Firewall" from the "Edit" menu, make sure that "Web Application Firewall (WAF)" is set to Enable, then, just below, select the WAF policy that you configured in Step #1 and click on the "Edit Configuration" option.
- Verify that all WAF policy settings are configured as "Default" and make sure that the "Enforcement Mode" is set to "Blocking"
- Click on the "Continue" button at the bottom-right of the console, and then click "Save and Exit" at the same location.
- To verify that the WAF policy is working as expected, we run a test against the OWASP Juice Shop, a vulnerable application configured as the backend. See the "Additional Information" section for details on how we set up this scenario.
When trying to download the "eastere.gg" file from the ftp server by appending the "%2500.md" null-byte suffix to bypass the file-type restriction, instead of downloading the file, we received the XC blocking page with a support ID:
- To look up the Support ID that you just received, go back to the XC console and navigate to Home >> Web App & API Protection >> select the namespace in which you configured your LB >> Overview >> Security, then scroll to the bottom of the console and select your LB:
- Once on that page, click on the "Security Analytics" tab, where you will see the latest security violations
- Click on the "Add Filter" option and then select: "req_id >> in >> insert the Support ID that you received in the Juice Shop".
Please be aware that, by default, the time range for the violations is 5 minutes, but you can adjust that time range as needed.
- The result will display the violation details. There you can see detailed information about the source and the request that was made; below that, the detection type, which is "waf_sec_event", and the action that was taken, which was "block"; and just below that, the reason why the request was blocked, in this case because an "ATTACK_TYPE_HTTP_PARSER_ATTACK" was detected
Additional Information
In this scenario, we are using OWASP Juice Shop, which is an insecure web application designed for security training and other related purposes. For more information about the Juice Shop please visit: OWASP Juice Shop
The Juice Shop has an ftp server with a cryptographic restriction based on file types: it only allows unauthorized users to download "md" and "pdf" files from the server. To verify that behavior, see below:
- Open a browser session, navigate to the URL of the LB you created with the Juice Shop and append /ftp. It will show the contents of the ftp server in the Juice Shop:
- Next, click on the "eastere.gg" file; you will receive an error indicating that only "md" and "pdf" files are allowed:
- We can bypass this restriction by appending a null byte such as "%2500.md" to the filename we include in the URL:
You'll see that, instead of receiving the error, it now allows you to download the "eastere.gg" file:
The file is just a ".txt" with the following content: