Secure a GraphQL Application With F5 AWAF
Solution Overview
The lab has three stages:
- Deploy a WAF policy without a GraphQL content profile and review the ZAP report.
- Update the WAF policy with a GraphQL content profile that allows introspection, then review the impact of this change by examining the ZAP report and the learning suggestions.
- Make a change to the declarative policy, such as disabling introspection, and review the impact of that change by examining the ZAP report.
Goals & Objectives
The purpose of this lab is to demonstrate the impact of applying a GraphQL profile (available from v16.1) to a WAF policy that protects a vulnerable GraphQL application (DVGA, the Damn Vulnerable GraphQL Application) probed by a DAST tool (ZAP). The deployment of the vulnerable application, the declarative WAF policy and the execution of the DAST session are all controlled by a CI/CD pipeline, simulating a modern development environment. The pipeline uses Terraform to deploy DVGA in a Kubernetes environment, deploys the WAF policy via AS3, kicks off the ZAP session and finally collects the learning suggestions.
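As an added illustration (this is not the lab's own policy file), the fragment below shows the shape of a GraphQL content profile in an F5 declarative WAF policy and how it is bound to the GraphQL endpoint. The policy and profile names, the `/graphql` URL and the size limits are assumptions; the key names follow the F5 declarative policy reference and should be verified against the schema for the BIG-IP version in use. The stage-2 to stage-3 change described above is the single boolean `allowIntrospectionQueries`.

```json
{
  "policy": {
    "name": "dvga_graphql_policy",
    "description": "Added example, not the lab's policy; names and limits are illustrative",
    "template": { "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT" },
    "enforcementMode": "blocking",
    "graphql-profiles": [
      {
        "name": "dvga_graphql_profile",
        "description": "Stage 2: introspection allowed. Stage 3: set allowIntrospectionQueries to false",
        "attackSignaturesCheck": true,
        "metacharElementCheck": true,
        "defenseAttributes": {
          "allowIntrospectionQueries": true,
          "maximumBatchedQueries": 10,
          "maximumStructureDepth": 10,
          "maximumTotalLength": 100000,
          "maximumValueLength": 10000,
          "tolerateParsingWarnings": true
        }
      }
    ],
    "urls": [
      {
        "name": "/graphql",
        "type": "explicit",
        "method": "*",
        "urlContentProfiles": [
          {
            "headerName": "*",
            "headerValue": "*",
            "headerOrder": "default",
            "type": "graphql",
            "contentProfile": { "name": "dvga_graphql_profile" }
          }
        ]
      }
    ]
  }
}
```

Two points worth checking when reproducing stage 3: the profile only takes effect on requests to URLs where it is bound through `urlContentProfiles`, so confirm the bound URL matches the endpoint ZAP is actually probing; and after flipping `allowIntrospectionQueries` to `false` and redeploying via AS3, compare the new ZAP report with the stage-2 report rather than reading it in isolation, since the interesting result is which introspection-based findings disappear.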