Leaked Credential Check with Advanced WAF


In this article you will learn how to configure and use Leaked Credential Check (LCC). LCC provides access to a database of compromised credentials, which can be used to detect and prevent a Credential Stuffing Attack.  LCC is a subscription-based service which can be added to BIG-IP Advanced WAF.


Leaked Credential Check stops leaked or stolen credentials from being used to access personal or business applications. It automatically detects and mitigates compromised credential use. If compromised credentials are detected during an attempted login, Leaked Credential Check enables several mitigation options for SecOps teams to enact, individually or collectively, including:

  • Requiring the user to employ multi-factor authentication (MFA) before granting access.
  • Redirecting the user to another application page; for example, a customer support web page.
  • Responding to the suspicious login with a preset page requesting further action by the user, such as contacting customer support.
  • Blocking the user and their login from accessing the application.
  • Sending an alert to the SecOps team to take additional action

This article assumes you have Advanced WAF configured and deployed for one or more Virtual Servers and you have purchased the add-on subscription for LCC. 

Typical Steps Involved in a Credential Stuffing Attack

High Level Network Topology

Configuration Steps

From the BIG-IP Configuration Utility select Security > Application Security > Security Policies > Policies List.

Notice the Policy name in this example is Leaked-Credential-Check. There are 2 Virtual Servers attached to this policy, vs_arcadia.emea.f5se.com_II and vs_Hackazon_IV.

LCC is configured from Security > Cloud Services > Cloud Security Services Applications.

Click the name of the Cloud Security Application, f5-credential-stuffing-cloud-app in this example.

Note: if the application has not been created yet click the Create button on the right.

Give it a name if creating a new app. Set the Service Type to Blackfish Credential Stuffing Service. Enter your API Key ID and Secret. Specify the Endpoint, f5-credential-stuffing-blackfishin this example.

Click Save when done

LCC is enabled in Security > Application Security > Brute Force Attack Prevention.

Check the box to Enable Detection

Under Action you can choose different mitigation Actions.

Alarm: report the Leaked Credentials Detection violation in the Event Log

Alarm and Blocking Page: report the Leaked Credentials Detection violation in Event Log and send the Blocking Response Page

Alarm and Honeypot Page: report the Leaked Credentials Detection violation in Event Log and send the Honeypot Response Page

Alarm and Leaked Credentials Page: report the Leaked Credentials Detection violation in Event Log and send the Leaked Credentials Page

Select Learning and Blocking Settings to configure them.

For Sessions and Logins set Leaked Credentials Detection to Alarm and Block.

The Honeypot Page and Leaked Credentials Page can be configured from Security > Application Security > Security Policies > Policies List

Select the Leaked-Credential-Check Policy

Select Response and Blocking Pages on the left.

Scroll down and the Failed Login Honeypot response and Leaked Credentials response can be configured here.

Test Leak Credentials Detection

Attempt to login to your web application using known leaked credentials. In this example we’ll use “HACKAZON”. Click the Sign In link near the top on the right.

Attempt to login using the following:

Username: demo33@fidnet.com
Password: mountainman01

The login should fail.

Try to login with the following credentials:

Username: admin
Password: 12345678

Check the BIG-IP Event Log

From the Configuration Utility go to Security > Event Logs > Application > Requests.

There are two requests at the top that look important.

Select the first one. Here we can see details about the request. As suspected, the violation was due to the Leaked Credentials Detection policy.

Scroll down under Request and you can see the username and password that triggered the violation.

Now select the second one. As you can see, this violation was triggered by the login attempt with the username “demo33@fidnet.com”.


Congratulations! You have successfully configured and test Leak Credential Checking.

Published Nov 24, 2021
Version 1.0

Was this article helpful?

No CommentsBe the first to comment