
Secure a GraphQL Application With F5 AWAF

Solution Overview

The lab has 3 stages:

  1. Deploy a WAF policy without GraphQL content profile and review the ZAP report.
  2. Update the WAF policy with a GraphQL content profile allowing introspection and review the impact of this change by examining the ZAP report and learning suggestions.
  3. Make a change to the declarative policy, such as disabling introspection, and review the impact of this change by examining the ZAP report.
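As an added example (not part of this lab or of F5's own code), the following Python check illustrates what the GraphQL profile's introspection setting decides on: it inspects a GraphQL request body, including a batched list of operations, and flags any operation that uses the `__schema` or `__type` introspection root fields, ignoring matches that only appear inside string literals or comments. The request bodies are constructed samples.

```python
import json
import re

# Schema introspection is served only through the reserved __schema and
# __type root fields, so those are what an "introspection disabled" policy blocks.
# __typename is a per-object meta field, not schema introspection, and must not match.
_ROOT_FIELD = re.compile(r"\b(__schema|__type)\b")

# Block strings, ordinary strings and # comments are blanked out first so that
# an argument value such as name: "__schema" does not trigger a false positive.
_STRING_OR_COMMENT = re.compile(r'"""(?:.|\n)*?"""|"(?:\\.|[^"\\])*"|#[^\n]*')


def is_introspection_query(query: str) -> bool:
    """Return True if the GraphQL document selects an introspection root field."""
    cleaned = _STRING_OR_COMMENT.sub(" ", query)
    return _ROOT_FIELD.search(cleaned) is not None


def classify_body(body: str) -> list[bool]:
    """Classify each operation in a JSON request body (single object or batch list)."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    return [is_introspection_query(op.get("query", "")) for op in operations]


def decide(body: str, allow_introspection: bool) -> str:
    """Mimic the two lab states: introspection allowed (stage 2) or disabled (stage 3)."""
    if allow_introspection or not any(classify_body(body)):
        return "allow"
    return "block"


# Constructed sample bodies, modelled on the kind of requests a DAST scan sends.
INTROSPECTION_BODY = '{"query": "query IntrospectionQuery { __schema { types { name } } }"}'
NORMAL_BODY = '{"query": "{ user(name: \\"__schema\\") { id __typename } }"}'
BATCHED_BODY = json.dumps([
    {"query": "{ __type(name: \"User\") { fields { name } } }"},
    {"query": "{ pastes { title content } }"},
])

if __name__ == "__main__":
    for label, body in [("introspection", INTROSPECTION_BODY), ("normal", NORMAL_BODY), ("batched", BATCHED_BODY)]:
        print(label, classify_body(body), decide(body, allow_introspection=False))
```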

Goals & Objectives

The purpose of this lab is to demonstrate the impact of applying a GraphQL profile (available from v16.1) to a WAF policy, securing a vulnerable GraphQL application that is probed by a DAST tool (ZAP). The deployment of the vulnerable application (DVGA), the declarative WAF policy and the execution of the DAST session are controlled by a CI/CD pipeline, simulating a modern development environment. The pipeline uses Terraform to deploy DVGA in a Kubernetes environment, deploys the WAF policy via AS3, kicks off the ZAP session and finally collects the learning suggestions.

Hardware & Software

  • 1 x Windows Jump host (Win Server 2012 R2) with vscode installed
  • 1 x BIG-IP v 16.1.0
  • 1 x GitLab CE server (Ubuntu 18.04)
  • 1 x CI/CD and Docker host (NGINX API gateway, Dev Portal) (Ubuntu 18.04)
  • 3 x Kubernetes cluster nodes (Ubuntu 18.04) VMs
  • 1 x Vyos Router (Ubuntu 18.04)

Contributors