6.3.5. Update Parent WAF Policy

Task 1 - Simulate attacks to demonstrate newly discovered vulnerability.

  1. Open a browser and go to https://<Elastic IP>/account/documents?page=delivery.html;%20cat%20/etc/passwd

  2. Enter credentials to log in.

    Note

    This is a common OS command injection attack. After a successful login, the application displays the requested page along with the output of cat /etc/passwd.
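
The following added example (not part of the lab or of the lab application's code) shows why the Task 1 request works and what the application-side fix looks like. It assumes a hypothetical handler that pastes the page parameter into a cat command line; DOC_DIR, ALLOWED_PAGES and all function names are assumptions.

```python
import shlex
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Constructed request targets: path and query string as used in Task 1.
ATTACK = "/account/documents?page=delivery.html;%20cat%20/etc/passwd"
BENIGN = "/account/documents?page=delivery.html"
DOC_DIR = "/var/www/docs/"                       # assumed document directory
ALLOWED_PAGES = {"delivery.html", "terms.html"}  # assumed document names

def page_param(target: str) -> str:
    """URL-decoded value of the page parameter (';' is not a pair separator)."""
    return parse_qs(urlsplit(target).query, separator="&").get("page", [""])[0]

def vulnerable_command(target: str) -> str:
    """Flawed pattern: raw value pasted into a shell command (returned, never run)."""
    return "cat " + DOC_DIR + page_param(target)

def shell_commands(cmdline: str) -> list[str]:
    """Split a command line into the separate commands a POSIX shell sees at ';'."""
    commands = [[]]
    for tok in shlex.shlex(cmdline, posix=True, punctuation_chars=True):
        if tok == ";":
            commands.append([])
        else:
            commands[-1].append(tok)
    return [" ".join(c) for c in commands if c]

def read_document(target: str, doc_root: Path) -> bytes:
    """Hardened pattern: allow-list the name, then read the file without a shell."""
    name = page_param(target)
    if name not in ALLOWED_PAGES:
        raise ValueError(f"rejected page parameter: {name!r}")
    return (doc_root / name).read_bytes()

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:  # constructed document root
        root = Path(tmp)
        (root / "delivery.html").write_bytes(b"<h1>Delivery</h1>")
        try:
            read_document(ATTACK, root)
            rejected = False
        except ValueError:
            rejected = True
        return {"benign": read_document(BENIGN, root), "attack_rejected": rejected}

if __name__ == "__main__":
    print(shell_commands(vulnerable_command(ATTACK)), demo())
```

The WAF signature change in Task 2 blocks the request before it reaches the application; the allow-list check removes the flaw in the handler itself.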

Task 2 - Modify the parent WAF policy to mitigate the command injection vulnerability

  1. Open the Security -> Application Security -> Security Policies -> Policies List page

  2. Select waf_base, then click waf_base to view its properties

  3. Click on Attack Signatures Configuration

  4. In the Attack Signatures section, click Change

  5. Select the OS Command Injection Signatures check box, then click Change

  6. Click Save at the bottom of the properties page

  7. Click Apply Policy to commit changes

Task 6 - Repeat simulated command injection attack

  1. Open a browser and go to https://<Elastic IP>/account/documents?page=delivery.html;%20cat%20/etc/passwd

  2. Your request should be rejected.

    Note

    Updates to the Parent policy are inherited by the Child policies based on the Inheritance configuration. Because the Attack Signatures section of the waf_base parent policy was set to Mandatory, all Child policies inherited the changes.