OWASP Penetration Testing versus F5 Web Application Firewall (DoS)

Hi everyone,

As promised, this post looks at penetration testing an application that sits behind an F5 firewall. The firewall makes the test a bit more challenging and forces us to find a different strategy for the penetration testing cycle.

Below is my environment setup.

[Figure 1: lab environment setup]

Initially I have not set up any WAF, so the F5 behaves like a plain router. I also set the rule to allow any, so both sides can communicate freely.

Here are the snapshots of my initial F5 configuration.

Below is my network firewall rule, which allows any to any.

[Figure 2: network firewall rule, any to any]

This is my virtual server configuration

[Figure 3: virtual server configuration]

Below are my virtual server security settings.

[Figure 4: virtual server security settings]

The purpose of this initial configuration is simply to let both sides (External and Internal) communicate, so that my Kali Linux box can send traffic to the web application server.

At this point we will not see any difference from our previous setup, so let's start with a quick test.

Web content discovery using gobuster

root@dragon:~# gobuster -u http://192.168.201.129 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 2 -q

Output:

/index (Status: 200)
/upload (Status: 301)
/wordpress (Status: 301)
/robots (Status: 200)
/INSTALL (Status: 200)
/LICENSE (Status: 200)
/COPYING (Status: 200)
/CHANGELOG (Status: 200)
/server-status (Status: 403)
root@dragon:~#

Let's check with Burp Suite. Burp Suite has better content discovery because it combines forced content discovery with its ability to crawl the web application, so it has a better awareness of the site.

[Figure 5: Burp Suite content discovery results]

So let's configure the protection by enabling DoS Protection in the F5 Application Security Manager (ASM). Why do we need to enable this? The anti-DoS function in F5 can measure the transactions per second (TPS) generated by a single IP, which makes traffic fluctuations easy to detect. During content discovery the scanner generates a very large number of requests per second, and that traffic spike triggers the network security device in between, in this case the F5, to take action.

Let's configure the F5.

1. Create the DoS profile (I have created the sample QuRArDOS).

[Figure 6: DoS profile QuRArDOS created]

2. Here is my simple configuration. It is intended to detect transactions per second (TPS) and to block all requests from the host/IP detected as the DoS generator. The criteria are: a traffic fluctuation 5 times (500%) bigger than normal with at least 40 TPS, or an absolute rate of 200 TPS. When the criteria are met, F5 blocks all connections from the source IP. F5 performs its analysis over an escalation period of up to 5 seconds; once the escalation period is surpassed, the source is blocked for 300 seconds (5 minutes).

[Figure 7: DoS profile TPS-based detection settings]

3. Let's apply the DoS profile to the virtual server that we want to protect:

  • Go to the virtual server and select it
  • Go to the Security tab
  • Enable the DoS Protection Profile
  • Choose the profile we just created (QuRarDOS)
  • Click Update

[Figure 8: DoS profile applied to the virtual server]
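To make the thresholds from step 2 concrete, here is an added Python simulation of a per-source TPS detector modelled on that profile. It is example code written for this post, not F5's implementation (which is not public): the threshold values (500% over baseline, 40 TPS floor, 200 TPS absolute, 5-second escalation period, 300-second block) come from the profile above, while the one-second bucketing, the fixed learned baseline and every name (TpsPolicy, TpsDetector, simulate_scanner, the sample IPs) are assumptions. It also covers the failure mode shown later in the post: a scanner throttled below the 40 TPS floor never trips the detector, which is why a TPS-based DoS profile is a rate control rather than a content-discovery control.

```python
"""Per-source transactions-per-second (TPS) DoS detector, modelled on the
profile described in step 2.  Added example written for this post; it is
not F5's implementation.  Thresholds are the profile's values; the
one-second buckets, the fixed learned baseline and all names are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TpsPolicy:
    """Thresholds from the DoS profile in the post (names are this example's)."""
    relative_increase_pct: int = 500   # TPS must be 5x the learned baseline ...
    relative_min_tps: int = 40         # ... and at least 40 TPS, or
    absolute_tps: int = 200            # the absolute rate reaches 200 TPS
    escalation_period_s: int = 5       # condition must hold this many seconds
    block_duration_s: int = 300        # then the source is blocked for 5 minutes


@dataclass
class SourceState:
    """Per-source-IP counters kept by the detector."""
    current_second: Optional[int] = None
    count_this_second: int = 0
    attack_seconds: int = 0            # consecutive seconds over threshold
    blocked_at: Optional[int] = None   # second in which the block started
    blocked_until: Optional[int] = None
    allowed: int = 0
    dropped: int = 0


class TpsDetector:
    def __init__(self, policy: TpsPolicy, baseline_tps: float):
        # baseline_tps stands in for the rate F5 learns as "normal" (assumed fixed here)
        self.policy = policy
        self.baseline_tps = baseline_tps
        self.sources: Dict[str, SourceState] = defaultdict(SourceState)

    def _over_threshold(self, tps: int) -> bool:
        p = self.policy
        relative = (tps >= p.relative_min_tps
                    and tps >= self.baseline_tps * p.relative_increase_pct / 100)
        return tps >= p.absolute_tps or relative

    def _close_second(self, st: SourceState) -> None:
        """Evaluate the second that just ended and escalate to a block if needed."""
        if st.current_second is None:
            return
        if self._over_threshold(st.count_this_second):
            st.attack_seconds += 1
            if (st.attack_seconds >= self.policy.escalation_period_s
                    and st.blocked_until is None):
                st.blocked_at = st.current_second
                st.blocked_until = st.current_second + self.policy.block_duration_s
        else:
            st.attack_seconds = 0

    def handle(self, ts: float, src_ip: str) -> str:
        """Process one request; returns "allowed" or "blocked"."""
        st = self.sources[src_ip]
        sec = int(ts)
        if sec != st.current_second:
            self._close_second(st)
            if st.current_second is not None and sec - st.current_second > 1:
                st.attack_seconds = 0      # idle gap: the burst ended
            st.current_second = sec
            st.count_this_second = 0
        if st.blocked_until is not None:
            if sec < st.blocked_until:
                st.dropped += 1
                return "blocked"
            st.blocked_until = None        # block expired, start fresh
            st.attack_seconds = 0
        st.count_this_second += 1
        st.allowed += 1
        return "allowed"


def simulate_scanner(detector: TpsDetector, src_ip: str, tps: int,
                     duration_s: int, start: float = 0.0) -> Dict[str, int]:
    """Constructed traffic: `tps` evenly spaced requests per second for
    `duration_s` seconds, like a discovery tool with a fixed thread count."""
    outcome = {"allowed": 0, "blocked": 0}
    for i in range(tps * duration_s):
        outcome[detector.handle(start + i / tps, src_ip)] += 1
    return outcome


if __name__ == "__main__":
    # Aggressive discovery against a 10 TPS baseline: blocked once the
    # 5-second escalation period is over, so half of a 10-second run is dropped.
    fast = TpsDetector(TpsPolicy(), baseline_tps=10)
    print("150 TPS scan:", simulate_scanner(fast, "10.0.0.5", tps=150, duration_s=10))
    # Throttled discovery under the 40 TPS floor is never classified as DoS.
    slow = TpsDetector(TpsPolicy(), baseline_tps=10)
    print(" 30 TPS scan:", simulate_scanner(slow, "10.0.0.6", tps=30, duration_s=10))
```

The escalation counter is evaluated when a one-second bucket closes, so the block starts at the first request after five consecutive over-threshold seconds and lasts for the configured 300 seconds; a quiet gap resets the counter, mirroring the idea that the escalation period must be sustained.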

After the profile is applied, we can try the content discovery again and see the difference.

Let's run gobuster.

[Figure 9: gobuster run with DoS protection enabled]

Gobuster suddenly stops, and when we retry the content discovery the connection to the server is blocked by F5, because the high-TPS condition has been met.

[Figure 11: connection to the server blocked by F5]

In the F5 reporting section we can find a report showing that a few DoS events were recorded.

[Figure 12: F5 DoS reporting]

In the above report we can also see a graph of the attack: F5 tracks the attack duration and how it mitigated the attack.

Let's reduce the speed at which Burp does the discovery.

[Figure 13: Burp Suite discovery thread setting]

Changing this value affects the TPS. We can adjust it to the most effective value that bypasses the TPS detection in F5. To monitor the failed traffic, look at the Burp Suite application log, shown below.

[Figure 14: Burp Suite application log]

If you see a lot of "abandoning discovery due to many errors" messages, your connection to the server may have been blocked by F5; in that case, lower the value that I circled.

We can see that with F5 in place our scanning phase is no longer as easy as before: we need to adjust some of our parameters to get around the protection. Let's do some more exercises...

Have a nice try

 

 
