Overview

  • APM 11.3 and beyond offers iFrame Clickjacking protections via the apm.xframeoptions db key
    • Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to clock on the top level page. Thus, the attacker is “hijacking” clicks meant for their webpage and routing them to another page, most likely owned by another application, domain or both.
    • https://www.owasp.org/index.php/Clickjacking
    • Protection for custom login webpages created within APM that include X-Frame-Options HTTP header is available without the need to offload such protection to the WAF
    • https://support.f5.com/csp/article/K16642

 

Command line tools

  • Locating a user’s session ID from the BIG-IP command line
    • sessiondump -allkeys | grep -a last.username
  • Locating session ID no longer active
    • grep -i jsmith /var/log/apm

Logs location

  • Access policy events messages location  (var/log/apm)
  • Audit events messages location (/var/log/audit)
    • Who changed what on the F5 at the configuration level
  • OS-related events location (/var/log/messages)