
Lab 1.2 - Credential Stuffing

This document describes how to configure BIG-IP to detect credential stuffing attacks. Credential stuffing involves using leaked credentials from one service to attempt access to other services. BIG-IP can detect this by checking login attempts against a database of compromised credentials. The lab steps show how to enable this feature and test it by logging in with stolen credentials, which gets flagged in the event log. Checking the reporting confirms it was detected as a potential credential stuffing attack.

Uploaded by

Henry

19/12/22, 10:11 Lab 1.2: Credential Stuffing


Lab 1.2: Credential Stuffing

Credential stuffing is a type of brute force attack that leverages stolen credentials from another source. This source is most commonly the breach of a widely used online service. These leaked credentials are then leveraged in an attempt to compromise higher-value targets in instances where users used the same credentials across multiple services. BIG-IP now has the capability to detect these types of attacks by employing a database of credentials that are known to have been compromised in a previous breach. The credentials are stored as one-way hashed usernames and passwords to protect them from further disclosure. In a production environment, Client Side Integrity Defense (or both), may be a more effective form of mitigation during an actual attack. Feel free to experiment with this in the lab.
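The detection idea described above, as an added example that is not part of the original lab or F5's code: login attempts are hashed and compared against a store of one-way digests, and matches are counted per login URL across all clients. The hash construction, key, threshold, window and sample credentials are assumptions made for illustration; the page does not specify how BIG-IP implements any of them.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumption: keyed SHA-256 over "username\0password". The page only says the
# database holds one-way hashes, not which construction BIG-IP uses.
KEY = b"constructed-demo-key"

def cred_digest(username, password):
    user = username.strip().lower()  # treat usernames as case-insensitive
    msg = user.encode() + b"\x00" + password.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def build_store(leaked_pairs):
    """Keep digests only, so the store never holds a plaintext credential."""
    return {cred_digest(u, p) for u, p in leaked_pairs}

def detect(store, attempts, threshold=3, window=60):
    """Return (url, ts) each time matches within `window` seconds reach `threshold`.
    Matches are counted per login URL across all clients (hypothetical defaults)."""
    recent = defaultdict(deque)  # url -> timestamps of attempts that matched
    alerts = []
    for ts, url, user, pw in attempts:
        if cred_digest(user, pw) not in store:
            continue
        hits = recent[url]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) == threshold:
            alerts.append((url, ts))
    return alerts

# Constructed sample data: a leaked list and a stream of login attempts.
LEAKED = [("alice@example.test", "winter2019"), ("bob@example.test", "hunter2"),
          ("carol@example.test", "letmein1")]
ATTEMPTS = [
    (0,  "/rest/user/login", "Alice@example.test", "winter2019"),  # match
    (5,  "/rest/user/login", "dave@example.test",  "s3cret!"),     # not in the leak
    (9,  "/rest/user/login", "bob@example.test",   "hunter2"),     # match
    (14, "/rest/user/login", "bob@example.test",   "Hunter2"),     # password differs
    (20, "/rest/user/login", "carol@example.test", "letmein1"),    # third match
]

if __name__ == "__main__":
    print(detect(build_store(LEAKED), ATTEMPTS))
```

Because the count is kept per URL rather than per client, attempts spread over many source addresses still add up to one alert.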

Task 1 - Configure Credential Stuffing Detection

1. Open the BIG-IP GUI interface.

2. Navigate to Security -> Application Security -> Brute Force Attack Prevention.

3. Click on the /rest/user/login configuration created earlier.

4. Configure Credential Stuffing detection within the Distributed Brute Force Protection Section as follows:

[Image: dist_brute_force_protection.PNG]

https://clouddocs.f5.com/training/community/waf/html/waf341/module1/lab2/lab2.html

5. Click Save.

6. Click Apply Policy.

Task 2 - Test Credential Stuffing Detection

1. Open a new Private Browsing window in Chrome or Firefox.

2. Go to the Juice Shop login page at https://juiceshop.f5agility.com/#/login

3. Attempt to log in using the username demo33@fidnet.com and password mountainman01

4. Examine the most recent requests in the event log by navigating to Security -> Event Logs -> Applications -> Requests

[Image: brute_force_events.PNG]

Note: Take note of the username field. The request was matched as a potential credential stuffing attack.


5. Near the Brute force: Maximum Login Attempts are exceeded header at the top of the event window, click on the number under Occurrences:

Note: The message indicates the number of login attempts that matched the internal database.

6. Now check out the reporting under Event Logs -> Application -> Brute Force Attacks:

[Image: brute_force_enent_log.PNG]

7. Click on one of the attack entries to get some more detail about the attack:

8. For fun, head over to https://haveibeenpwned.com/ and put in the email address of the account we used in the lab to get some details. It may also be interesting to put in your own account(s) to see if any of your credentials have been breached. You could also try some of your old username/password combinations against the credential stuffing database on the F5. While on the main page, explore some of the breach data on the bottom to get a sense of how big this problem is.

9. In order to release any blocking that’s currently in place, navigate to Security -> Application Security -> Brute Force Attack Prevention and Delete the Brute Force configuration we created previously.

10. Click Apply Policy.


11. Navigate to Local Traffic > Virtual Servers > Virtual Server List > owasp_juice_shop_443_vs > Security > Policies and ensure that the juice_shop_waf policy and the Log All requests log profile are enabled on the owasp_juice_shop_443_vs virtual server, removing the Bot Profile, as shown below.

[Image: vs_config.PNG]

This concludes Lab 1.2
