Table of Contents
Web application firewalls (WAF) are one of the first lines of defense when it comes to stopping web application attacks. A WAF protects web applications and websites by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web applications and the internet.
A WAF protects web applications from attacks such as cross-site forgery, server-side request forgery, file inclusion, and SQL injections, and many more.
Here are seven of the most common attacks a WAF is designed to mitigate.
Injection flaws, such as SQL, NoSQL, OS and Lightweight Directory Access Protocol (LDAP) injection, have been a perennial favorite among hackers for some time. An injection flaw occurs when suspicious data is inserted into an application as a command or query. This hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
The most common code injection is SQL injection, which is an attack that is accomplished by sending malformed code to the database server. It’s a simple and quick attack type that almost anyone with internet access can accomplish since SQL injection scripts are available for download and are easily acquirable.
Predictable resource location is an attack technique used to uncover hidden website content and functionality. By making educated guesses via brute forcing, an attacker can guess file and directory names not intended for public viewing. Brute forcing filenames is easy because files/paths often have common naming conventions and reside in standard locations. These can include temporary files, backup files, logs, administrative site sections, configuration files, demo applications, and sample files. These files may disclose sensitive information about the website, web application internals, database information, passwords, machine names, file paths to other sensitive areas, etc.
This will not only assist the attacker with identifying the site surface which may lead to additional site vulnerabilities, but also may disclose valuable information to an attacker about the environment or its users. Predictable resource location is also known as forced browsing, forceful browsing, file enumeration and directory enumeration.
HTTP Flood is a type of distributed denial-of-service attack method used by hackers to attack web servers and applications. HTTP Floods work by directing large amounts of HTTP requests at a webpage to overload target servers with requests.
In an HTTP Flood, the HTTP clients, such as web browsers, interact with an application or server to send HTTP requests. The request can be either “GET” or “POST.” The aim of the attack is to compel the server to allocate as many resources as possible to serving the attack, thus denying legitimate users access to the server's resources. Such requests are often sent en masse by means of a botnet, increasing the attack's overall power.
These DDoS attacks may be one of the most advanced non-vulnerability threats facing web servers today. It is very hard for network security devices to distinguish between legitimate HTTP traffic and malicious HTTP traffic, and if not handled correctly, it could cause a high number of false-positive detections. Rate-based detection engines are also not successful at detecting these types of attacks, as the traffic volume of HTTP Floods may be under detection thresholds. Because of this, it is necessary to use several parameters detection, including rate-based and rate-invariant.
The vast majority of internet traffic nowadays is encrypted. Most HTTP Flood attacks are HTTPS Floods. Not only are encrypted floods more potent because of the high amount of server resources required to handle them, but they also add a layer of complexity to mitigating such attacks since DDoS defenses usually cannot inspect the contents of the HTTPS requests without fully decrypting all traffic.
HTTP Request Smuggling, also known as HTTP Desync Attacks, is an attack technique for interfering with the way a website processes sequences of HTTP requests that are received from one or more users. It allows the attacker to "smuggle" a request to a web server without the devices between the attacker and the web server being aware of it. HTTP request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, interfere with other user sessions, gain unauthorized access to sensitive data and directly compromise other application users.
A file path traversal attack (also known as directory traversal) is a web security vulnerability that allows an attacker to access files and directories that are stored outside the web root folder. These files might include application code and data, credentials for back-end systems and sensitive operating system files.
Attackers achieve a file path traversal attack by tricking either the web server, or the web application running on the server, into returning files that exist outside of the web root folder.
Server-side request forgery (SSRF) is when an attacker exploits a web security vulnerability to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
In such an attack, the threat actor can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL, which the code running on the server will read or submit data to and enable the attacker to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases or perform post requests towards internal services which are not intended to be exposed.
A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution. In some cases, an SSRF exploitation that causes connections to external third-party systems might result in malicious onward attacks that would be perceived as originating from the organization hosting the vulnerable application.
Clickjacking is a type of attack that happens on the client side, and its purpose is to trick the application users into clicking on something different than what they perceive. Hackers execute this type of attack by hiding malware or malicious code in a legitimate-looking control on a website, mainly in JavaScript of third-party services which often are not monitored by the application standard security tools, thus exploiting vulnerabilities in the application supply chain.
It is a malicious technique used by an attacker to record the infected user’s clicks on the internet. This can be used to direct traffic to a specific site or to make a user like or accept a Facebook application. More nefarious purposes might be to collect sensitive information saved on a browser, such as passwords, or to install malicious content.
WAFs leverage various capabilities and mechanisms to protect application from this diverse array of attacks. This can include dynamic security policies with automatic false-positive correction, application-layer 7 DDoS protection, API discovery and protection, bot mitigation, and more.
The majority of WAFs leverage a negative security model, which defines what is disallowed while implicitly allowing everything else. Since attack signatures may generate false positives by detecting legitimate traffic as attack traffic, such rules tend to be simplistic, attempting to detect obvious attacks. The result is protection against the lowest common denominator.
A positive security model, which defines the set of allowed types and values, is required to provide comprehensive protection where signature-based protection cannot fill the gap. In the case of a SQL injection, a positive security model screens user input for known patterns of attacks and leverages logic to tell the difference between legitimate user input and injection flaws. A positive security model is also critical to successfully mitigating the risks associated with SSRF.
Here are six key capabilities to consider when evaluating a WAF that can mitigate these common attacks and vulnerabilities:
-
Complete API discovery and protection that provides visibility, enforcement and mitigation of all forms of API abuse and manipulation for both on-premise and cloud-hosted environments
-
Built-in HTTP DDoS protection to stop application-layer DDoS attacks
-
Integrated bot management to detect and mitigate sophisticated, generation 3 and generation 4 bots that mimic human behavior
-
Data leakage prevention mechanisms to automatically mask sensitive user data, such as Personally Identifiable Information (PII)
-
Combination of a negative and positive security model that uses advanced behavioral-analysis technologies to detect malicious threats
-
Policy refinement engines that can continuously optimize security policies and adapt to changes in the application, traffic and threat landscape