
How well you protect web applications and APIs can determine whether you’re a proven, reputable online presence or an unreliable, untrusted one. F5 provides app protection in any architecture that stands up to a range of ever-evolving attack types.



Injection

Injection occurs when input provided by external sources contains hidden application commands from an attacker. When a web application isn’t properly filtering the input, it allows injected commands to be passed through to either the local system or a dependent one. A common example is SQL injection, as many applications rely on user input to build SQL statements to fetch information or to log users in.

Insecure Deserialization

Object serialization converts an object into a data format; deserialization reads this structured data and builds an object from it. Many programming languages offer native serialization or allow customization of the serialization process, which bad actors can use maliciously. Insecure deserialization has led to remote code execution, denial-of-service, replay, injection, and privilege escalation attacks.
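As an added illustration of the deserialization paragraph above (example code written for this page, not F5's own), the following Python block contrasts an unrestricted pickle.loads with an allow-listing Unpickler, the mitigation the Python pickle documentation recommends. The audit_hook function, the Gadget class and the allow-list contents are constructed for the example; the "attacker" callable only records that it ran.

```python
import builtins
import io
import pickle

# Constructed for this example: records any call made while a pickle is being loaded.
CALLS = []

def audit_hook(tag):
    """Benign stand-in for whatever callable a hostile stream would reference; it only logs."""
    CALLS.append(tag)
    return tag

class Gadget:
    """Its pickled form instructs the loader to call audit_hook() during deserialization."""
    def __reduce__(self):
        return (audit_hook, ("code ran during load",))

def hostile_payload() -> bytes:
    return pickle.dumps(Gadget())

def benign_payload() -> bytes:
    return pickle.dumps({"user": "alice", "roles": ["viewer"]})

def unsafe_load(data: bytes):
    """What many applications do: trust the stream and let pickle resolve any global it names."""
    return pickle.loads(data)

# Only these (module, name) pairs may be resolved from an incoming stream (constructed list).
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

class RestrictedUnpickler(pickle.Unpickler):
    """Allow-listing loader: every global reference outside ALLOWED_GLOBALS is refused."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def outcome(loader, data: bytes):
    """Return ('ok', value) or ('rejected', reason) so the two loaders can be compared."""
    try:
        return ("ok", loader(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

def recorded_calls():
    return list(CALLS)

if __name__ == "__main__":
    for name, loader in (("unsafe_load", unsafe_load), ("restricted_load", restricted_load)):
        print(name, outcome(loader, benign_payload()), outcome(loader, hostile_payload()))
    print("calls executed by the loader:", recorded_calls())
```

The allow-list is the only thing standing between the stream and the interpreter; the stricter, and usually better, answer is to avoid native serialization for untrusted input altogether and parse a data-only format such as JSON against an explicit schema.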

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to run their own malicious scripts in a victim’s browser, within the trusted context of a site they’re visiting. XSS can be used to steal session tokens, initiate hidden transactions, or display falsified or misleading content. More sophisticated XSS scripts can even load key loggers that relay victims’ passwords to command-and-control servers operated by the attackers.

Session Hijacking

In the context of HTTP applications, session hijacking usually involves the theft of session cookies used to authenticate and subsequently authorize HTTP requests initiated by a known user. With the stolen session cookie, an attacker is then able to effectively impersonate their victim to initiate fraudulent transactions.

Man-in-the-Middle (MitM)

An attacker gains full access to both sides of a conversation or connection between two parties, allowing them to eavesdrop on sensitive data, tamper with data in transit, or even inject false data or commands that will be interpreted as genuine, authenticated, or otherwise trustworthy.

Resource Hoarding (Scalping)

Scalpers use bots and other automation to purchase high-demand items, like concert tickets or limited-edition products, at a faster rate than humans are capable of. These products are resold to actual consumers at a significant markup. Over time, consumers no longer trust you to be a reliable source for in-demand products and services.

Sensitive Data Disclosure

Inadvertent exposure of sensitive information is low-hanging fruit for automated scanners and ripe for exploitation. Common examples include error messages detailing how unexpected input is handled, physical locations of files on servers, specific versions of components and libraries, and stack traces from failed functions.

Man-in-the-Browser (MitB)

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.



Enable App-to-App Authorization

As businesses build and release more apps, the number of APIs—which enable apps to communicate automatically with one another—has risen exponentially. In this fast-paced environment, DevOps teams need to rapidly create and manage application services without worrying about cross-app vulnerabilities. The challenge with more and more APIs is that they become additional targets for threats. To mitigate threats at the API level, it is essential to have secure authorization between apps based on standardized and open methods across web, mobile and desktop environments.