Lab 7: Disallowed File Types¶

Connect to the lab environment¶

1. From the jumphost, launch Chrome, click the BIG-IP bookmark and login to TMUI using admin/password.
2. Open a second tab in Chrome for use with the WebGoat App.

Take a look at the WebGoat object¶

1. Browse to http://10.1.10.145/WebGoat/login and login as “f5student”.
2. On the left menu click Vulnerable Components – A9, then click Vulnerable Components.
3. Note the Software Supply Chain .png graphic in the middle of the page.

Edit the Security Policy¶

1. On the BIG-IP TMUI, go to Local traffic > Virtual Servers > asm_vs.
2. Click the Security tab and make sure “Application Security Policy” is set to “ASM241”.
3. Make sure the Log Profile is set to “Log Illegal Requests”. The resulting config should look like the below. Click “Update” if any changes were made.

1. Go to Security > Application Security > File Types > Disallowed File Types. Ensure the “ASM241” policy is the “Current edited security policy”
2. Click the Create button on the right side.
3. Type “png” in the File Type (Explicit only) box and click Create.

4. Click Apply Policy in the top right, then click OK.

Test File Type Protection¶

1. Launch firefox (to avoid any webcaching done by Chrome) and Browse to http://10.1.10.145/WebGoat/login and login as “f5student” or use the bookmark.
2. On the left menu click Vulnerable Components – A9, then click Vulnerable Components.
3. The Software Supply Chain .png graphic does not load, because it is blocked by the ASM Disallowed File Types setting blocking .png files.

4. Go to Security > Event Logs > Application > Requests and examine the logs, you should see an illegal request similar to the below.

5. What other applications are there for this type of policy?