Forum Discussion

Mohammed22_2207
Oct 22, 2015

How to Detect and Block a Web Application?

Hi everyone,

I need your experience to help me to solve this issue.

I'm looking for a way to detect and block any requests generated from a web application, but allow all traffic from a web browser. Unfortunately, User-Agent is not helpful in my case.

Is F5 LTM or ASM capable of doing such a thing?

Thank you.

4 Replies

  • It very much depends on what flexibility you have to separate the web app calls from standard user/browser calls, and how strictly the block must be enforced (that is, how important it is that the block be foolproof, unspoofable).

    Direct approaches that come to mind include:

    1. Require authentication, and don't issue credentials to the web app
    2. Block the web app (or whitelist legitimate users) based on source IP
    3. Maintain a client activity profile, and block if certain access patterns are present (IDS/IPS style)

    The F5 can implement or play a role in each of these approaches, but there are tradeoffs with each (how much effort, how secure, how unspoofable). But rather than describe how to do each, if you describe your requirements and environment better, that'll probably make it clear which is the best approach (and there are probably others that might make sense once your situation is clear).

  • Sorry, I missed one important point. I'm talking specifically about a mobile web application. Browsing the website from mobile is done either by a mobile application or by a regular web browser.

    What I'm looking for is how to differentiate between these two agents. The User-Agent header is not a practical solution for my case. Is there any other way to do it? Is it possible for F5 ASM to discover whether it is dealing with a mobile web application or a browser using some techniques?

    Thank you.

    • daboochmeister
      Is your goal solely to tell if users are accessing via a mobile browser vs. via your app? Because if so, your most straightforward option may be to adjust the mobile app code to insert a cookie into the session, and use an iRule or LTM policy to check for that cookie in the session. How important is it that your results be 100% correct? If so, that cookie approach can be "hardened" to be very difficult to spoof by maintaining e.g. a table of valid cookies (and making the cookie value hard to predict/replicate). The ASM approaches mentioned can be quite sophisticated, but from my understanding aren't 100%. That may be fine for your situation.
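A worked version of the hardened cookie check described in the reply above, added here as an example and not code from the thread or from F5 (an iRule or LTM policy on the BIG-IP would apply the same check at the edge): the app is issued an unpredictable, keyed cookie value, the server keeps a table of issued cookies, and a request counts as app traffic only if the cookie passes a constant-time MAC check, is present in the table, and has not expired or been revoked. The cookie name `X-App-Token`, the secret and the in-memory table are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import time

COOKIE_NAME = "X-App-Token"   # assumed cookie name the mobile app would set
APP_SECRET = os.urandom(32)   # constructed for this example; known only to the issuer

# Table of valid cookies (token -> expiry). Stands in for the table of issued
# cookies the reply describes; an in-memory dict is used here for illustration.
VALID_TOKENS = {}

def _tag(nonce):
    """Keyed MAC over the nonce, so a token cannot be built without APP_SECRET."""
    return hmac.new(APP_SECRET, nonce.encode(), hashlib.sha256).hexdigest()

def issue_app_token(ttl_seconds=3600, now=None):
    """Mint an unpredictable cookie value for the app and register it as valid."""
    now = time.time() if now is None else now
    nonce = base64.urlsafe_b64encode(os.urandom(18)).decode()  # 144 random bits
    token = f"{nonce}.{_tag(nonce)}"
    VALID_TOKENS[token] = now + ttl_seconds
    return token

def revoke_app_token(token):
    VALID_TOKENS.pop(token, None)   # e.g. on app logout; later checks then fail

def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out

def is_app_request(cookie_header, now=None):
    """True only for a request carrying a genuine, issued, unexpired app cookie."""
    now = time.time() if now is None else now
    token = parse_cookies(cookie_header).get(COOKIE_NAME, "")
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False                                    # no cookie, or wrong shape
    if not hmac.compare_digest(tag.encode(), _tag(nonce).encode()):
        return False                                    # guessed or tampered value
    expiry = VALID_TOKENS.get(token)
    return expiry is not None and now < expiry          # issued, not expired/revoked
```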
  • ASM can distinguish between requests from standard browsers and requests from bots or "headless" browsers, which may have untrustworthy user agent strings. Depending on your version of ASM, a DoS profile can be created to challenge requests from suspected clients or suspicious IPs.

    In v12, DoS profiles are sophisticated, and reflect some new, multi-dimensional behavioral analysis techniques for identifying legitimate requests. You have the capability to apply block and alarm actions on different categories of bots. There are very specific controls for allowing known bots or other agents. If you have an earlier version of ASM, Proactive Bot Defense can be configured to detect suspicious agents based on different variables. In your case, it sounds like you could create a DoS Profile which would indicate when a request was not from an allowed browser.