Web Application Firewalls: Why We Can't Live Without Them (week 1)
Welcome to Week 1 of my new series, Hack & Tell—a journey sparked by the common questions I encounter during my pentesting engagements. In this first week I will be diving into the world of Web Application Firewalls (WAFs): we’ll explore why they are crucial for protecting web applications and provide some background before delving into the common methods by which they can be bypassed.
I’ve started with Web Application Firewalls (WAFs) because, as diverse as our testing engagements can be, web apps still likely make up half of the testing we do. So, when my clients ask me, "What's most crucial for securing my app?" my immediate response is always: secure your code base! But that's just one layer of the security onion. This then leads to further questions: how quickly can you update your application as new exploits surface? Do you have direct control over your source code to deploy security updates promptly? In many cases, the answer is no, or not fast enough.
We can all wish for a world where a securely developed app could safely exist without threats, but the reality often tells a different story. So yes, let's keep building secure web apps, but in the meantime the importance of Web Application Firewalls (WAFs) is growing more than ever as our first line of defence.
As a spoiler, at a high level WAF bypasses typically occur due to one or a combination of the following reasons:
- Misconfiguration of the WAF: This includes incorrect or overly permissive rule sets that fail to properly identify and block malicious traffic.
- Inherent Vulnerabilities within the Application: Even the best-configured WAF can be circumvented if the underlying application has security flaws, such as unsanitised inputs that are susceptible to injection attacks.
- Advanced Evasion Techniques: Attackers often employ sophisticated methods to evade detection, including using encryption, crafting polymorphic attack vectors, or leveraging the application’s specific logic to bypass filters.
- Limitations of WAF Capabilities: Some WAFs may not fully support the depth of inspection needed for complex, nested queries or heavily obfuscated attacks, leading to oversights in threat detection.
The Role and Importance of WAFs
Web Application Firewalls serve as a critical line of defence for web applications. They are deployed to monitor, and when necessary, block internet traffic to and from a web application to protect against malicious attempts to exploit vulnerabilities. Common threats that WAFs guard against include SQL injection, Cross-Site Scripting (XSS), and file inclusion—each capable of causing significant damage.
WAFs provide a barrier against these attacks by analysing incoming traffic and applying rules to block harmful requests. The importance of WAFs cannot be overstated, especially as the frequency and sophistication of web application attacks continue to rise.
Real-World Observations and the Necessity of Effective WAFs
Real-world data and recent cyber incidents underscore the crucial need for effective WAFs. Below are some recent statistics I’ve come across that echo my experiences:
- SQL Injection and Retail Breaches: Numerous retail companies have suffered data breaches resulting from SQL injection attacks, where hackers exploit web application vulnerabilities to steal customer data, including credit card information. For instance, in 2019, British Airways faced a significant breach where attackers compromised the personal and payment information of roughly 500,000 customers by injecting malicious code into its website.
- XSS Attacks on Social Media Platforms: Platforms like Twitter and Facebook have historically been targeted by XSS attacks, where malicious scripts are injected into web pages viewed by other users. An effective WAF can detect and neutralise these scripts before they execute.
- File Inclusion Vulnerabilities in Government Websites: Government websites, due to their high-profile nature and the sensitive information they hold, have been targets for file inclusion attacks, aiming to compromise the server to gain access to restricted data.
Why Getting Your WAF Right Really Matters
The consequences of not deploying an effective WAF are starkly illustrated by the 2017 Equifax breach. Hackers exploited a vulnerability in the Apache Struts web framework—an attack vector that a properly configured WAF could have mitigated against. This oversight led to the exposure of sensitive personal information of approximately 147 million people, emphasizing not just the financial but also the reputational damage that such breaches entail.
Moreover, in 2020, a major software provider faced a significant breach due to a failure to update its WAF configurations, allowing attackers to exploit known vulnerabilities that should have been shielded by the WAF. This incident further highlights the necessity of not only having a WAF in place but also ensuring it is well-configured and updated in line with emerging threats and vulnerabilities.
How WAFs Work
Basic Functionality
WAFs operate by intercepting and analysing every HTTP request before it reaches the web application. They employ a set of rules, known as policies, which define what kinds of behaviour are considered safe. These rules can block known attack vectors and filter out behaviour patterns that suggest malicious intent.
Deployment Models
Web Application Firewalls (WAFs) can be deployed in several ways, each tailored to meet specific network and security needs. A lesson learned from a previous project, where we rolled out a new EDR solution requiring cloud-synced endpoint agents, highlights this point. We initially faced some challenges due to the WAF being configured in a Sideband deployment. Although it was set to allow traffic, we experienced unexpected blocks that led to several sleepless nights troubleshooting the issue. Understanding the nuances of each deployment model can help prevent such scenarios:
- Inline Deployment: In this setup, WAFs are integrated directly into the traffic flow, inspecting and filtering traffic before it reaches the server. This arrangement allows for real-time threat detection and prevention but requires robust hardware to handle the load without becoming a bottleneck.
- Sideband Deployment: WAFs in a sideband configuration analyse copies of the traffic instead of the live traffic itself. This method can minimize the impact on network performance by reducing the risk of the WAF becoming a bottleneck, although it can possibly lead to delays in threat detection.
- Cloud-Based WAFs: For organisations that prefer not to invest in and manage physical infrastructure, cloud-based WAFs offer a flexible and scalable solution. These systems are maintained by the cloud provider, allowing businesses to scale protection as needed without the overhead of hardware maintenance. However, this model relies on the provider's ability to manage and scale the service effectively, which can introduce dependencies on external operations.
Key Components
- Rule Sets: These are extensive libraries of patterns and signatures used to detect and mitigate threats.
- Anomaly Detection: Using machine learning and statistical analysis, WAFs can identify unusual patterns that may indicate a new or evolving threat.
- Traffic Inspection: This involves deep inspection of both inbound and outbound data for threats like data exfiltration.
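To make the basic functionality, the deployment modes and the key components above concrete, here is a toy WAF request inspector. It is an added example written for this post, not code from any WAF product: the rule IDs, patterns, weights and sample requests are all constructed, and the anomaly-scoring idea (each rule adds a weight, the request is blocked once the total reaches a threshold) is modelled loosely on how ModSecurity's Core Rule Set works rather than copied from it. It shows the three components in miniature: a rule set, a normalisation step so that encoded input is inspected as the application will see it, and a decision that differs between an inline WAF (which can block) and a sideband one (which only sees a copy and can only alert).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    rule_id: int
    description: str
    pattern: re.Pattern
    score: int


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Constructed, deliberately small signature library. Real rule sets (e.g. the
# OWASP Core Rule Set) contain thousands of entries, but the shape is the same:
# a pattern, a description and a weight that feeds an anomaly score.
RULES: List[Rule] = [
    Rule(1001, "SQL tautology (OR a=b)", re.compile(r"(?i)\bor\b\s+\S+\s*=\s*\S+"), 5),
    Rule(1002, "SQL comment sequence", re.compile(r"--|/\*"), 2),
    Rule(1003, "SQL UNION ... SELECT", re.compile(r"(?i)\bunion\b.{0,20}\bselect\b"), 5),
    Rule(1004, "HTML script tag or inline event handler", re.compile(r"(?i)<script\b|\bon[a-z]+\s*="), 5),
    Rule(1005, "Directory traversal", re.compile(r"\.\.[/\\]"), 3),
    Rule(1006, "Stream wrapper typical of file inclusion", re.compile(r"(?i)\b(php|file|data|expect)://"), 3),
]

BLOCK_THRESHOLD = 5  # anomaly score at which an inline WAF rejects the request


def normalize(value: str, max_passes: int = 3) -> str:
    """Canonicalise an input the way the application will eventually see it:
    URL-decode until stable (so %253C -> %3C -> <) and collapse whitespace.
    Matching the raw wire bytes instead lets trivially encoded input past."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def _form_fields(prefix: str, data: str) -> List[Tuple[str, str]]:
    """Split a query string or form body into (location, value) pairs."""
    out = []
    for pair in filter(None, data.split("&")):
        key, _, val = pair.partition("=")
        out.append((f"{prefix}:{key}", key))
        out.append((f"{prefix}:{key}", val))
    return out


def inspect(req: Request) -> Tuple[int, List[Tuple[str, int, str]]]:
    """Run every rule over every normalised field of the request. Returns the
    total anomaly score and the list of (location, rule_id, description) hits."""
    fields = [("path", req.path)]
    fields += _form_fields("query", req.query)
    fields += [(f"header:{name}", val) for name, val in req.headers.items()]
    fields += _form_fields("body", req.body)

    score, hits = 0, []
    for location, raw in fields:
        value = normalize(raw)
        for rule in RULES:
            if rule.pattern.search(value):
                score += rule.score
                hits.append((location, rule.rule_id, rule.description))
    return score, hits


def decide(req: Request, mode: str = "inline") -> str:
    """Turn the score into an action. An inline WAF can reject the request; a
    sideband WAF only ever sees a copy of the traffic, so the most it can do is
    raise an alert after the fact. Hits below the threshold are logged, which
    is where tuning (raising or lowering BLOCK_THRESHOLD) shows its effect."""
    score, hits = inspect(req)
    if score >= BLOCK_THRESHOLD:
        return "block" if mode == "inline" else "alert"
    return "log" if hits else "allow"


UA = {"User-Agent": "Mozilla/5.0 (constructed sample)"}

# Constructed sample traffic, not captured from any real system.
SAMPLES: Dict[str, Request] = {
    "benign": Request("GET", "/search", "q=blue+shoes", UA),
    "sqli": Request("GET", "/items", "id=1%27%20OR%201%3D1--", UA),
    # Double-encoded so that a single-pass decoder would still see %3Cscript%3E.
    "double_encoded_xss": Request("POST", "/comment", "", UA, "text=hello%253Cscript%253Esrc%253D1"),
    # One low-weight hit: logged, but not enough on its own to block.
    "traversal": Request("GET", "/static/..%2F..%2Fconfig", "", UA),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        score, hits = inspect(req)
        print(f"{name:>20}: score={score} inline={decide(req)} sideband={decide(req, 'sideband')} hits={hits}")
```

Two things worth noticing when you run it: the double-encoded request is only caught because `normalize` decodes until the value stops changing (a single decode pass would match nothing), and the traversal request is logged rather than blocked because one low-weight rule does not reach the threshold. Both are exactly the kind of tuning decisions that separate a WAF that protects the business from one that either blocks everyone's internet or quietly lets things through.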
The Real-World Application of WAFs
Deploying a WAF is not just a technical decision but a strategic one. It involves aligning the organisation's risk appetite with budget considerations. For many, the challenge lies in justifying the initial investment and ongoing operational costs against the potential financial impact of web application attacks.
What challenges have you faced in deploying a WAF? Technical or non-technical… Did the new WAF break everyone’s internet? Have budget constraints influenced your approach to meeting your organisation’s risk appetite?
Comment and share your experiences or insights below. Rolling out a shiny new security tool isn’t always a smooth process as we have discovered numerous times. Proper tuning and set up is crucial for a WAF to be effective and embraced by the business!
Stay Tuned for Next Week
Exploring Common WAF Vulnerabilities and Configuration Flaws
Often the best tool in the shed provides no value if it's set up to fail! Next week, we'll dive into the common vulnerabilities and configuration flaws that can undermine the effectiveness of WAFs. Understanding these pitfalls is crucial for maximizing the security benefits of your WAF deployment. Read more here.