Secure a GraphQL Application With F5 AWAF

Bookmark

4 Launches

Solution Overview

The lab has 3 stages:

Deploy a WAF policy without GraphQL content profile and review the ZAP report.
Update the WAF policy with a GraphQL content profile allowing introspection and review the impact of this change by examining the ZAP report and learning suggestions.
Make a change to the declarative policy, such as disabling the introspection and review the impact of this change by examining the ZAP report.

Goals & Objectives

The purpose of this lab is to demo the impact of applying a GraphQL profile (available from v16.1) to a WAF policy, securing a vulnerable GraphQL application that is probed by a DAST tool (ZAP). The deployment of the vulnerable application (DVGA), the declarative WAF policy and the execution of DAST session is being controlled by a CI/CD pipeline, simulating a modern development environment. The pipeline will use Terraform to deploy DVGA in a Kubernetes environment, will deploy the WAF policy via AS3, will kick-off the ZAP session and finally will collect the learning suggestions.

Hardware & Software

1 x Windows Jump host (Win Server 2012 R2) with vscode installed
1 x BIG-IP v 16.1.0
1 x GitLab CE server (Ubuntu 18.04)
1 x CICD and Docker(NGINX API gw, Dev Portal) (Ubuntu 18.04)
3 x Kubernetes cluster Nodes (Ubuntu 18.04) VM's
1 x Vyos Router (Ubuntu 18.04)

This browser is no longer supported.

Secure a GraphQL Application With F5 AWAF

Goals & Objectives

Hardware & Software

Contributors

Shawn Barry

WWT