Death of Web App Firewall
Agenda
• Brief primer on traditional WAF approach
• Why this approach will (and should) die
• How WAF can stay relevant in your AppSec practice
• Why a new approach is valuable
How does a WAF work?
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP request
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers with attack signatures

Sample request from the slide (line endings shown literally):

```http
GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
```
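As an added example (not code from the slides or from any vendor product), here is a minimal Python implementation of the seven checks above, run over the slide's request rebuilt with real CRLF line endings. The policy values, allowed extensions, allowed URLs and the three signatures are constructed assumptions for a demo application.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Positive-security policy for the demo app (constructed assumptions, not a vendor ruleset).
MAX_LINE, MAX_VALUE = 2048, 64                          # checks 2 and 6
ALLOWED_EXT = {".php"}                                  # check 3
ALLOWED_URLS = {"/search.php": {"name", "q"},           # checks 4 and 5
                "/login.php": {"user", "pw"}, "/logout.php": set()}
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"\bunion\s+select\b", r"\.\./")]

def check_request(raw: bytes) -> list[str]:
    """Run the slide's seven checks in order; return all findings (empty list = pass)."""
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["1 rfc: header block not terminated by CRLF CRLF"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        findings.append("1 rfc: malformed request line")
    target = parts[1].decode("latin-1") if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # A bare CR or LF, or a leading space, means this is not a well-formed header line.
        if not colon or b"\r" in line or b"\n" in line or line[:1].isspace():
            findings.append(f"1 rfc: malformed header line {line[:24]!r}")
        else:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if len(lines[0]) > MAX_LINE:
        findings.append("2 length: request line too long")
    findings += [f"2 length: header {n} too long" for n, v in headers.items() if len(v) > MAX_LINE]
    url = urlsplit(target)
    path = url.path
    ext = path[path.rfind("."):] if "." in path else ""
    if ext not in ALLOWED_EXT:
        findings.append(f"3 type: extension {ext!r} not allowed")
    if path not in ALLOWED_URLS:
        findings.append(f"4 url: {path} not in allowed URL list")
    params = parse_qsl(url.query, keep_blank_values=True)
    for key, value in params:
        if key not in ALLOWED_URLS.get(path, set()):
            findings.append(f"5 param: {key} not allowed on {path}")
        if len(value) > MAX_VALUE:
            findings.append(f"6 length: value of {key} longer than {MAX_VALUE}")
    # Check 7: scan the decoded URI, every header value and every parameter value.
    for text in [unquote(target), *headers.values(), *(v for _, v in params)]:
        findings += [f"7 signature: {s.pattern} in {text[:24]!r}" for s in SIGNATURES if s.search(text)]
    return findings

# The request from the slide, rebuilt with proper CRLF line endings (constructed sample).
SAMPLE = (b"GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
          b"Host: foo.com\r\nConnection: keep-alive\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
          b"Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n\r\n")

if __name__ == "__main__":
    for finding in check_request(SAMPLE):
        print(finding)   # only check 5 fires: admin is not a declared parameter of /search.php
```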
Pages 4 to 16 repeat this slide as a build. Only the request under test changes: page 4 shows every header terminated with a doubled `\r\n\r\n`, and later pages replace the request line with `GET /search.asp?name=Acme’s&admin=1 HTTP/1.1`, `GET /search.do?name=Acme’s&admin=1 HTTP/1.1`, `GET /login.php?name=Acme’s&admin=1 HTTP/1.1` and `GET /logout.php?name=Acme’s&admin=1 HTTP/1.1`.
That sounds really good, but…
Who Owns the WAF?
• Network Team
• App Dev Team
• Security Team
NOT IT!
My kingdom for a WAF admin!
With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vuln fixes in code.
What’s left for WAF?
• Focus on non-snowflake problems
• Extend and enrich web applications where possible
• Behavioral analysis
WAF-based Bot Detection
• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced – no replay attacks
• Prevented attacks will be reported and logged w/o detected attack

Diagram (Internet → WAF → Web Application), 1st time request to web server:
1. WAF responds with injected JS challenge. Request is not passed to server.
2. JS challenge placed in browser.
3. Browser responds to challenge & resends request.
4. WAF verifies response authenticity; cookie is signed, time stamped and finger printed.
5. Valid requests are passed to the server.
Bots send no challenge response and are dropped; continuous invalid bot attempts are blocked. Valid browser requests bypass the challenge with future requests.
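Added example, not code from the slides or from any product: the cookie half of the challenge flow above in Python. The cookie carries a timestamp and a client fingerprint (here IP plus User-Agent, a constructed simplification) under an HMAC-SHA256 tag, so a forged tag, an expired cookie, or a cookie replayed from another client is rejected. The JS challenge delivered to the browser, the key name and the TTL are assumptions and the JS itself is not shown.

```python
import hashlib
import hmac
import secrets
import time

# Key held only by the WAF (constructed for this example; rotate it in a real deployment).
WAF_KEY = secrets.token_bytes(32)
COOKIE_TTL = 300  # seconds a solved challenge stays valid before the browser is re-challenged

def fingerprint(client_ip, user_agent):
    """Cheap client fingerprint: client IP plus User-Agent (real products use more signals)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()[:16]

def issue_cookie(client_ip, user_agent, now=None):
    """Cookie the solved JS challenge sets: <timestamp>.<fingerprint>.<hmac tag>."""
    ts = int(time.time() if now is None else now)
    body = f"{ts}.{fingerprint(client_ip, user_agent)}"
    tag = hmac.new(WAF_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie, client_ip, user_agent, now=None):
    """Check signature, then expiry, then client binding; return (valid, reason)."""
    try:
        ts_str, fp, tag = cookie.split(".")
        ts = int(ts_str)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(WAF_KEY, f"{ts_str}.{fp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"          # forged or tampered cookie
    now = time.time() if now is None else now
    if not ts <= now <= ts + COOKIE_TTL:
        return False, "expired"                # replay after the TTL (or a future timestamp)
    if fp != fingerprint(client_ip, user_agent):
        return False, "fingerprint mismatch"   # cookie replayed from a different client
    return True, "ok"

def handle_request(cookie, client_ip, user_agent, now=None):
    """WAF decision for one request: challenge (no cookie), pass (valid) or drop (invalid)."""
    if cookie is None:
        return "challenge"   # step 1: respond with the JS challenge, nothing reaches the server
    ok, reason = verify_cookie(cookie, client_ip, user_agent, now)
    return "pass" if ok else f"drop ({reason})"

if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 6.1)"
    c = issue_cookie("198.51.100.10", ua)                    # constructed client address
    print(handle_request(None, "198.51.100.10", ua))         # challenge
    print(handle_request(c, "198.51.100.10", ua))            # pass
    print(handle_request(c, "203.0.113.7", ua))              # drop (fingerprint mismatch)
```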
Protocol Compliance Checks
• HTTP protocol compliance, of course.
  – Mitigates attacks like Slowloris and other timing attacks.
• But also TLS protocol and cipher enforcement
  – Centralized control of allowed ciphers and protocols
  – Protection from vulnerabilities like Heartbleed, FREAK
• TCP handshake enforcement
  – Full proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers
Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
  – Track fingerprinted sessions
  – Assign risk scores to sessions
  – Identify known malicious browser extensions
• http://PanOpticlick.eff.org for a primer on the topic
What’s a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes
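Added example (not from the slides or any product) covering both this slide and the previous one: heavy-URI identification from time-to-complete and response size, then a per-fingerprint risk score over a few constructed access-log lines that flags a GET flood against a heavy URI, metronomic request timing and a session that never fetches page assets. The log format, thresholds and score weights are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access-log lines: epoch_s client_ip fingerprint path status bytes time_ms
LOG_LINES = """\
1000 198.51.100.10 fp-a /search.php 200 1200 45
1001 198.51.100.10 fp-a /style.css 200 8000 3
1003 198.51.100.10 fp-a /report.php 200 2400000 3100
1000 203.0.113.7 fp-b /report.php 200 2400000 3050
1001 203.0.113.7 fp-b /report.php 200 2400000 3120
1002 203.0.113.7 fp-b /report.php 200 2400000 3080
1003 203.0.113.7 fp-b /report.php 200 2400000 3110
1004 203.0.113.7 fp-b /report.php 200 2400000 3090
1005 203.0.113.7 fp-b /report.php 200 2400000 3070""".splitlines()

HEAVY_MS, HEAVY_BYTES = 1000, 1_000_000   # a URI is heavy if it is slow or large on average
WINDOW_S, FLOOD_LIMIT = 10, 5             # more than 5 heavy-URI hits in 10 s is a GET flood
STATIC = (".css", ".js", ".png", ".ico")

def parse(lines):
    recs = []
    for line in lines:
        ts, ip, fp, path, status, size, ms = line.split()
        recs.append({"ts": int(ts), "ip": ip, "fp": fp, "path": path,
                     "status": int(status), "bytes": int(size), "ms": int(ms)})
    return recs

def heavy_uris(recs):
    """URIs whose mean time-to-complete or mean response size crosses the thresholds."""
    per_uri = defaultdict(list)
    for r in recs:
        per_uri[r["path"]].append(r)
    return {p for p, rs in per_uri.items()
            if mean(r["ms"] for r in rs) >= HEAVY_MS or mean(r["bytes"] for r in rs) >= HEAVY_BYTES}

def score_sessions(recs):
    """Risk score per fingerprint: heavy-URI flood, metronomic timing, no static assets."""
    heavy = heavy_uris(recs)
    by_fp = defaultdict(list)
    for r in recs:
        by_fp[r["fp"]].append(r)
    scores = {}
    for fp, rs in by_fp.items():
        rs.sort(key=lambda r: r["ts"])
        score, reasons = 0, []
        heavy_ts = [r["ts"] for r in rs if r["path"] in heavy]
        for i, t in enumerate(heavy_ts):               # sliding window over heavy hits only
            n = sum(1 for u in heavy_ts[i:] if u - t < WINDOW_S)
            if n > FLOOD_LIMIT:
                score, reasons = score + 50, reasons + [f"{n} heavy-URI hits in {WINDOW_S}s"]
                break
        gaps = [b["ts"] - a["ts"] for a, b in zip(rs, rs[1:])]
        if len(gaps) >= 3 and pstdev(gaps) < 0.5:        # humans do not click on a fixed clock
            score, reasons = score + 30, reasons + ["metronomic request timing"]
        if not any(r["path"].endswith(STATIC) for r in rs):  # browsers also fetch page assets
            score, reasons = score + 20, reasons + ["no static assets fetched"]
        scores[fp] = (score, reasons)
    return scores

if __name__ == "__main__":
    for fp, (score, reasons) in score_sessions(parse(LOG_LINES)).items():
        print(fp, score, reasons)   # fp-a scores 0; fp-b scores 100 with three reasons
```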
Tools and Methods of L7 DoS Attacks
• Attackers are proficient at network reconnaissance
  – They obtain a list of site URIs
  – Sort by time-to-complete (CPU cost)
  – Sort list by megabytes (Bandwidth)
• Spiders (bots) available to automate
  – Though they are often known by the security community
  – Can be executed with a simple wget script, or OWASP HTTP Post tool
© F5 Networks, Inc 28 CONFIDENTIAL
Network Reconnaissance Example
Attackers work to identify weaknesses in application infrastructure
Exploiting POST for Fun & DoS
• Determine:
  – URL’s accepting POST
  – Max size for POST
• Bypass CDN protections (POST isn’t cache-able)
• Fingerprint both TCP & app at the origin
THANK YOU!
Contact me: @bamchenry [email protected]
Reference: http://informationsecuritybuzz.com/the-death-of-waf-as-we-know-it/