Security Details


Essential App Protect Detection Events

There are three types of detection events in Essential App Protect: Threat Campaigns, Malicious IP, and High-risk Mitigation.

Threat Campaigns

Threat Campaign detected: The system examines the HTTP message for known threat campaigns by matching it against known attack patterns. HTTPS requests are blocked or reported, depending on the configuration, if they are found to belong to an active, known Threat Campaign.

Malicious IP

Access from malicious IP address: The IP Intelligence database checks every source IP address against a dynamic blacklist, that is continuously being updated. It can identify IP addresses associated with high risk, such as anonymous proxies, Tor proxies, phishing proxies, botnets, and scanners. More information about different Malicious IP Categories is shown below.

Risk: Accepting traffic coming from these source IP addresses may result in a successful attack.

Examples: There is a use case for each category; here are two examples.

  • Example 1: For many websites, the chances that good traffic is coming from a Tor exit node are close to zero.
  • Example 2: To deny access from source IP addresses that are serving as phishing proxies. If you own a forum then you may want to deny access from web spammers.

High-Risk Attack Mitigation

Category Name Description
Access from disallowed Geolocation

The system checks whether users are accessing the web application from allowed geographical locations, or from disallowed geographical locations, according to the security policy.

Risk: Prevents illegal access from disallowed geographical locations.

Examples: Ensures that web applications are to be accessed by users from certain geographical locations.”

Attack signature detected

The system examines the HTTP message for known attacks by matching it against known attack patterns. The attack categories that can be detected are:

  • Cross Site Scripting (XSS)
  • SQL-Injection
  • Command Execution
  • Server Side Code
  • Injection, LDAP Injection
  • XPath Injection…

If you see an attack pattern that matches multiple requests from multiple IP addresses, consider disabling it as it may be a false positive. Signatures in staging are in Alarm only mode. There are multiple overlapping signatures for the same attacks, so in case you need to disable a signature, you still get protection.”

Bad WebSocket handshake request

The system checks that the WebSocket opening handshake complies with the WebSocket RFC.

Risk: By deviating from the standard, an attacker can take advantage of WebSocket stack vulnerabilities and cause unauthorized access to the WebSocket subsystem - enabling data leakage and denial of service.

Examples: By sending an obsolete WebSocket protocol version, the stack can be exposed to vulnerabilities present in draft versions of the WebSocket RFC.”

Data Guard: Information leakage detected

The system examines responses and searches for sensitive information.

Risk: Information leakage can occur due to server misconfiguration, improper application design, SQL injection, and other attacks.

Examples: Use this check to prevent sensitive information leakage.

Disallowed file upload content detected

The system checks that the file upload content is not a binary executable file format.

Risk: An attempt to upload an executable file may be an indication of a Trojan, virus, backdoor/shell attack,
or other server compromise.

Examples: After successfully uploading malicious code to the web server, the attacker runs the program to gain remote access to the server or spread malware to other users of the application.

Evasion technique detected

This category contains a list of evasion techniques that attackers use to bypass detection.

Failure in Websocked framing protocol

The system checks that the WebSocket frames are well-formed and that the frames pertaining to the same message arrive contiguously, complying with the WebSocket RFC.

Risk: By deviating from the standard, an attacker can take advantage of WebSocket stack vulnerabilities and cause denial of service and the execution of disallowed code.

Examples: By sending a reserved opcode in the frame, the attacker may invoke unexpected behavior in the WebSocket stack, that in turn may grant access to privileged resources.

HTTP protocol compliance failed

This category contains a list of validation checks that the system performs on HTTP requests to ensure that the requests are formatted properly.

Sub-violations:

  • Bad HTTP version - The system examines the requests to verify that the client requests are using HTTP protocol version 1.0 or higher.
  • Null in request - The system examines the request for the presence of any NULL character (except for a NULL in the binary part of a multipart request).
  • Unparseable request content - The system examines requests for content that cannot be parsed.
  • Multiple host headers - The system examines requests to ensure that they contain only a single “Host” header.
  • No Host header in HTTP/1.1 request - The system examines requests sent by a client using the HTTP version 1.1 protocol to see if it contains a Host header. This is required per RFC 2616 - Hypertext Transfer Protocol – HTTP/1.1.

Risk: Various attacks can be launched over non-standard HTTP requests, for example, response splitting, buffer overflows, and denial of service.

Illegal file type

The system checks that the requested file type is configured as a valid file type, or not configured as an invalid file type, within the security policy.

Risk: Prevents forceful browsing and access to sensitive files.

Examples: Allowing files of the type ‘.php’, or blocking files of the type ‘.exe’. By enforcing the legal file types that the application is using, it is possible to prevent access to operating system files, default installation files, and other files that may reside on the server and contain sensitive information.

Illegal HTTP status in response

The server response contains an HTTP status code that is not defined as valid in the security policy.

Risk: Attackers take advantage of web servers’ error responses to gain information on the underlying infrastructure.

Examples: Prevents information leakage and hides web server errors. Essential App Protect can block responses by their HTTP status code. This can be used to stop the viewing of potentially sensitive error pages.

Illegal metacharacter in header

The system checks that the values of all headers within the request only contain meta characters defined as allowed in the security policy.

Risk: Illegal header. Prevents many attacks, for example, SQL Injection and XSS.

Examples: Send ‘<script (malicious JavaScript here)’. Essential App Protect can stop this request by configuring the ‘<’ as an illegal character within a header. Note: Due to the nature of the traffic, it is very common to see almost all metacharacters in headers, so configure this detection event’s settings carefully.

Illegal metacharacter in parameter name

The system checks that all parameter names within the incoming request only contain meta characters defined as allowed in the security policy.

Risk: Meta characters can be used to execute many attacks, for example XSS, SQL injection, and command injection.

Examples: Essential App Protect can block a request after identifying the character ‘<’ which can be used in a cross site scripting attack.

Illegal metacharacter in URL

The system checks that the incoming request includes a URL that contains only meta characters defined as allowed in the security policy. Enforces a desired set of acceptable characters.

Risk: Meta characters can be used to execute many attacks, for example, XSS, SQL injection, and command injection.

Examples: Essential App Protect can block a request after identifying the character ‘<’ which can be used in a cross site scripting attack.

Illegal metacharacter in value

The system checks that all parameter values, XML element/attribute values, or JSON values within the request only contain meta characters defined as allowed in the security policy. Enforces proper input values.

Risk: Illegal value for user-input. Prevents many attacks, for example, SQL Injection and XSS.

Examples: Send ‘<script> (malicious JavaScript here)’ within a parameter, XML or JSON input value. Essential App Protect can stop this request by configuring the ‘<’ as an illegal character within the value. In case the meta-character is valid, other ways to mitigate these attacks include restricting the length of the input, and applying attack patterns.

Illegal method

The system checks that the request references an HTTP request method that is found in the security policy. Enforces desired HTTP methods; GET and POST are always allowed.

Risk: Attacks and problem that can be avoided:
  • Deleted files from the web server by using the DELETE method.
  • The use of other methods in some cases can lead to information leakage, server compromising, and data manipulation.
Examples:
  • Using the OPTIONS method on web servers can expose all methods which the web server supports.
  • Using the DELETE method can delete files on the web server. However, in some cases, the use of this method is important for the proper functionality of the web application.
IP is blacklisted

The detection event is issued when a request comes from an IP address that falls in the range of an IP address exception marked for “always blocking”, that is, the black list of IPs.

Risk: IP addresses are blacklisted when they are found to belong to attackers that may compromise the application in diverse ways.

Malformed JSON data

The system checks that the request contains JSON content that is well-formed. Enforces parsable JSON requests.

Risk: Sending a request which the web application was not expecting to handle can result in various attacks, like denial of service.

Malformed XML data

The system checks that the request contains XML data that is well-formed, according to W3C standards. Enforces proper XML requests.

Risk: Sending a document which the application was not expecting to handle can result in various attacks, like denial of service.

Note: When a validation file such as a schema is enforced, and the document is malformed, this detection event may not be triggered. Therefore it is not recommended to turn off the ‘XML data does not comply with schema or WSDL document’ detection event when a validation file is used.

Modified Essential cookie

Risks: Illegal cookie. Prevents using other users’ credentials to access the web site. Provides session hijacking mitigation.

Examples: If there are no false positives, this detection event should never happen, and if it does, it means that this is an attack. Null character found in WebSocket text message.

Null character found in WebSocket text message

The detection event is issued if a null character is found in a textual message payload.

Risks: There is a broad range of attacks that can use null byte injection, like OS command injection, directory traversal, and SQL injection.

Request length exceeds defined buffer size

The system checks that the request length is not larger than the maximum memory buffer size in Essential App Protect. Note that this is an internal parameter that protects Essential App Protect from consuming too much memory across all security policies which are active on the device.

Risk: Depletion of BIG-IP resources leaving the application unprotected.

Examples: By default this limit is set to 10 megabytes. In case a website receives large file uploads, consider raising this limit by changing the parameter long_request_buffer_size on the Advanced Configuration screen. F5 recommends consulting with support before modifying advanced options.


Malicious IP Categories

Malicious IP Categories shows various ways Essential App Protect determines that an IP address is malicious. The Access from malicious IP address detection event occurs when your protected application receives a request from an IP address that falls into one or more of the categories listed below.

Category Name Description
Anonymous Proxy IP addresses that are associated with web proxies that shield the originator’s IP address (such as proxy and anonymization services). This category also includes TOR anonymizer addresses.
Botnets IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
Cloud-based Services  
Cloud Provider Networks IP addresses and networks that belong to cloud providers, which offer services hosted on their servers via the internet.
Denial-of-Service IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, anomalous SYN flood attacks, or anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond quickly enough and become bogged down or unable to service legitimate clients.
Illegal Websites IP addresses that contain criminally obscene or potentially criminal internet copyright and intellectual property violations.
Infected Sources Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses.
Mobile Threats IP addresses of malicious and unwanted mobile applications.
Phishing Proxies IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud.
Scanners IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits.
Spam Sources IP addresses that are known to distribute large amounts of spam email by tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.
Tor Proxies IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.
Web Attacks IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force.
Windows Exploits Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.

Attack Types

Attack types the rules or patterns that identify attacks or classes of attacks on a web application and its components. Essential App Protect compares patterns in the attack signatures against the contents of requests and responses looking for potential attacks. Some of the signatures are designed to protect specific operating systems, web servers, databases, frameworks or applications.

Attack Type Description
Abuse of Functionality Uses a web site’s own features and functionality to consume, defraud, or circumvent the application’s access control mechanisms.
Authentication/Authorization Attacks Targets a web site’s method of validating the identity of a user, service or application. Authorization attacks target a web site’s method of determining if a user, service, or application has the necessary permissions to perform a requested action.
Buffer Overflow Alters the flow on an application by overwriting parts of memory. An attacker could trigger a buffer overflow by sending a large amount of unexpected data to a vulnerable component of the web server.
Command Execution Occurs when an attacker manipulates the data in a user-input field, by submitting commands that could alter the web page content or web application by running a shell command on a remote server to reveal sensitive data-for example, a list of users on a server.
Cross-site Scripting (XSS) Forces a web site to echo attacker-supplied executable code, which loads in a user’s browser.
Denial of Service Overwhelms system resources to prevent a web site from serving normal user activity.
Detection Evasion Attempts to disguise or hide an attack to avoid detection by an attack signature.
Directory Indexing Involves a web server function that lists all of the files within a requested directory if the normal base file is not present.
HTTP Response Splitting Pertains to an attempt to deliver a malicious response payload to an application user.
Information Leakage Occurs when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
LDAP Injection Concerns an attempt to exploit web sites that construct LDAP statements from user-supplied input.
Non-browser Client Relates to an attempt by automated client access to obtain sensitive information. HTML comments, error messages, source code, or accessible files may contain sensitive information.
Other Application Attacks Represents attacks that do not fit into the more explicit attack classifications, including email injection, HTTP header injection, attempts to access local files, potential worm attacks, CDATA injection, and session fixation.
Path Traversal Forces access to files, directories, and commands that potentially reside outside the web document root directory.
Predictable Resource Location Attempts to uncover hidden web site content and functionality.
Remote File Include Occurs as a result of unclassified application attacks such as when applications use parameters to pass URLs between pages.
Server Side Code Injection Attempts to exploit the server and allow an attacker to send code to a web application, which the web server runs locally.
SQL-Injection Attempts to exploit web sites that construct SQL statements from user-supplied input.
Trojan/Backdoor/Spyware Tries to circumvent a web server’s or web application’s built-in security by masking the attack within a legitimate communication. For example, an attacker may include an attack in an email or Microsoft Word document, and when a user opens the email or document, the attack starts.
Vulnerability Scan Uses an automated security program to probe a web application for software vulnerabilities.
XPath Injection Occurs when an attempt is made to inject XPath queries into the vulnerable web application.