Wednesday, November 29, 2017

The OWASP Top 10 - 2017 vs. BIG-IP ASM

With the release of the new 2017 Edition of the OWASP Top 10, we wanted to give a quick rundown of how BIG-IP ASM can mitigate these vulnerabilities.

First, here's how the 2013 edition compares to 2017.

And here is how BIG-IP ASM mitigates each of them (Vulnerability / BIG-IP ASM Controls):

A1 Injection Flaws
  • Attack signatures
  • Meta character restrictions
  • Parameter value length restrictions

A2 Broken Authentication and Session Management
  • Brute Force protection
  • Session tracking
  • HTTP cookie protection

A3 Sensitive Data Exposure
  • Data Guard

A4 XML External Entities (XXE)
  • Attack signatures (see below)

A5 Broken Access Control
  • File types
  • URL
  • URL flows
  • Session tracking
  • Attack signatures (Directory traversal)

A6 Security Misconfiguration
  • Attack signatures

A7 Cross-site Scripting (XSS)
  • Attack signatures
  • Parameter meta characters
  • Parameter value length restrictions
  • Parameter type definitions (such as integer)

A8 Insecure Deserialization
  • Attack signatures (see below)

A9 Using Components with Known Vulnerabilities
  • Attack signatures integration

A10 Insufficient Logging and Monitoring
  • BIG-IP ASM can help with the monitoring process to detect, alarm on and deter attacks

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018   External entity injection attempt
  • 200018030   XML External Entity (XXE) injection attempt (Content)

XXE attacks can also be mitigated with an XML profile by disabling DTDs (and, of course, enabling the “Malformed XML data” violation).
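To make the two XML-profile controls concrete, here is an added example (my own code, not F5's or BIG-IP ASM's implementation) of the same policy applied in front of a parser: any request body that declares a DTD is blocked outright, and a body that is not well-formed is blocked as malformed XML data. It uses only Python's stdlib expat bindings; the sample bodies are constructed for the demonstration.

```python
"""Pre-parse checks mirroring two BIG-IP ASM XML-profile controls:
"DTDs disabled" and the "Malformed XML data" violation.
Added example; not BIG-IP ASM code."""
import xml.parsers.expat as expat


class DtdDeclared(Exception):
    """Raised from the expat handler the moment a DOCTYPE is seen."""


def inspect_xml_body(body: bytes) -> tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for one XML request body.

    The parser is used only as a validator: a DOCTYPE aborts parsing before
    any entity can be declared or resolved, and any well-formedness error
    is reported as malformed XML.
    """
    parser = expat.ParserCreate()
    # Never read or expand parameter entities, even if a DTD were allowed.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for any DOCTYPE, with or without an internal subset,
        # so the policy is "no DTD at all", not "no dangerous DTD".
        raise DtdDeclared(name)

    parser.StartDoctypeDeclHandler = on_doctype

    try:
        parser.Parse(body, True)
    except DtdDeclared as exc:
        return ("block", f"DTD declared (DOCTYPE '{exc}'); DTDs are disabled")
    except expat.ExpatError as exc:
        return ("block", f"Malformed XML data: {exc}")
    return ("allow", "")


# Constructed sample bodies (not captured traffic).
BENIGN = b'<?xml version="1.0"?><note><to>Alice</to><body>hello</body></note>'
EXTERNAL_DTD = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE note SYSTEM "http://example.invalid/note.dtd"><note/>')
INTERNAL_DTD = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hi</note>')
MALFORMED = b'<note><to>Alice</to></not>'


def main() -> None:
    for label, body in [("benign", BENIGN), ("external DTD", EXTERNAL_DTD),
                        ("internal DTD", INTERNAL_DTD), ("malformed", MALFORMED)]:
        verdict, reason = inspect_xml_body(body)
        print(f"{label:13s} -> {verdict} {reason}")


if __name__ == "__main__":
    main()
```

The point of blocking on the DOCTYPE declaration itself rather than on specific entity definitions is that the decision is made before the parser has any chance to declare, expand, or fetch an entity, which is exactly what "disabling DTDs" buys you over signature matching alone.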

For “A8:2017-Insecure Deserialization” we have many signatures, whose names usually include “serialization” or “serialized object”, like:

  • 200004188   PHP object serialization injection attempt (Parameter)
  • 200003425   Java Base64 serialized object - java/lang/Runtime (Parameter)
  • 200004282   Node.js Serialized Object Remote Code Execution (Parameter)
A quick run-down thanks to some of our security folks.

ps
