Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform


This article is the last part in a series of articles on mitigation of OWASP Web Application vulnerabilities using F5 Distributed Cloud platform (F5 XC). 

Introduction to Insecure Design: 

In an effort to speed up the development cycle, some phases might be reduced in scope which leads to give chance for many vulnerabilities. To focus the risks which are been ignored from design to deployment phases, a new category of “Insecure Design” is added under OWASP Web Application Top 10 2021 list. Insecure Design represents the weaknesses i.e. lack of security controls which are been integrated to the website/application throughout the development cycle. 

If we do not have any security controls to defend the specific attacks, Insecure Design cannot be fixed by any perfect implementation while at the same time a secure design can still have an implementation flaw which leads to vulnerabilities that may be exploited. Hence the attackers will get vast scope to leverage the vulnerabilities created by the insecure design principles.

Here are the multiple scenarios which comes under insecure design vulnerabilities.

  • Credential Leak
  • Authentication Bypass
  • Injection vulnerabilities
  • Scalper bots etc.

In this article we will see how F5 XC platform helps to mitigate the scalper bot scenario.

What is Scalper Bot:

In the e-commerce industry, Scalping is a process which always leads to denial of inventory. Especially, online scalping uses bots nothing but the automated scripts which will check the product availability periodically (in seconds), add the items to the cart and checkout the products in bulk. Hence the genuine users will not get a fair chance to grab the deals or discounts given by the website or company. Alternatively, attackers use these scalper bots to abandon the items added to the cart later, causing losses to the business as well. 


In this demonstration, we are using an open-source application Evershop” which will provide end to end online shopping cart facility. It will also provide an Admin page which helps to add/delete the item from the website whereas from the customer site users can login and checkout the items based on the availability. 

Admin Page:

Customer Page:


Scalper bot with automation script:


The above selenium script will login to the e-commerce application as a customer, checks the product availability and checkout the items by adding the items into the cart.

To mitigate this problem, F5 XC is providing the feasibility of identifying and blocking these bots based on the configuration provided under HTTP load balancer.

Here is the procedure to configure the bot defense with mitigation action ‘block’ in the load balancer and associate the backend application nothing but ‘evershop’ as the origin pool.

  1. Create origin pool
    Refer pool-creation for more info
  2. Create http load balancer (LB) and associate the above origin pool to it.
    Refer LB-creation for more info
  3. Configure bot defense on the load balancer and add the policy with mitigation action as ‘block’. 


  4. Click on “Save and Exit” to save the Load Balancer configuration.
  5. Run the automation script by providing the LB domain details to exploit the items in the application.


  6. Validating the product availability for the genuine user manually.
  7. Monitor the logs through F5 XC, Navigate to WAAP --> Apps & APIs --> Security Dashboard, select your LB and click on ‘Security Event’ tab.The above screenshot gives the detailed info on the blocked attack along with the mitigation action.


As you have seen from the demonstration, F5 Distributed Cloud WAAP (Web Application and API Protection) has detected the scalpers with the bot defense configuration applied on the Load balancer and mitigated the exploits of scalper bots. It also provides the mitigation action of “_allow_”, “_redirect_ along with “_block_”. Please refer link for more info.

Reference links:

  1. OWASP Top 10 - 2021 
  2. Overview of OWASP Web Application Top 10 2021  
  3. F5 Distributed Cloud Services  
  4. F5 Distributed Cloud Platform
  5. Authentication Bypass
  6. Injection vulnerabilities
Updated Jun 22, 2023
Version 3.0

Was this article helpful?

No CommentsBe the first to comment