Web Application Firewalls: Functions and Evasion Techniques

Quick take - Web Application Firewalls (WAFs) are crucial cybersecurity tools that protect web applications from various attacks by monitoring and filtering HTTP traffic, but they have limitations and should not be the sole security measure, as attackers continuously develop techniques to bypass them.

Fast Facts

  • Web Application Firewalls (WAFs) protect web applications by monitoring and blocking malicious HTTP traffic, defending against attacks like SQL Injection and Cross-site Scripting (XSS).
  • WAFs are not a complete solution for all cyber threats, as they do not address access control violations or business logic flaws.
  • There are three operational models for WAFs: Negative (blocks known threats), Positive (allows only safe traffic), and Hybrid (combines both strategies).
  • WAFs can be deployed in three ways: Network-based (at the perimeter), Host-based (on individual servers), and Cloud-hosted (managed services).
  • Attackers use various techniques to bypass WAFs, including request header spoofing, payload obfuscation, and exploiting size limitations, highlighting the need for comprehensive security measures beyond WAFs.

Understanding Web Application Firewalls (WAFs)

Web Application Firewalls (WAFs) are essential tools in the cybersecurity landscape, designed to protect web applications by monitoring, filtering, and blocking HTTP traffic. Their primary role is to defend against a range of common web-based attacks, including:

  • Code/Command Execution
  • Cross-site Scripting (XSS)
  • Directory Traversal
  • File Inclusion
  • SQL Injection
  • XML External Entity (XXE) Injection

Limitations of WAFs

However, WAFs are not a comprehensive solution for all types of cyber threats. They are not specifically designed to address access control violations or business logic flaws. WAFs function by differentiating between legitimate and malicious traffic, achieved through various criteria such as:

  • Source IP address
  • Type of request (e.g., GET vs. POST)
  • Content of the request body

Advanced WAFs use machine-learning models and Artificial Intelligence (AI) to refine their rules based on observed user behavior, improving their ability to identify and block potential threats.

Operational Models and Types of WAFs

There are three main operational models for WAFs:

  1. Negative Model: Blocks traffic that matches known malicious signatures.
  2. Positive Model: Allows only traffic that meets predefined criteria.
  3. Hybrid Model: Combines both allowlisting and blocklisting strategies.

WAFs can also be categorized into three types based on their deployment:

  • Network-based WAFs: Protect all web applications at the network perimeter but require hardware investment.
  • Host-based WAFs: Installed on individual web servers and protect specific applications.
  • Cloud-hosted WAFs: Offered as a service managed by providers, with varying levels of protection.

Techniques for WAF Detection and Evasion

Detection of WAFs involves several techniques, including:

  • Monitoring common ports such as 80, 443, 8000, 8080, and 8888.
  • Identifying unique cookies or headers set by specific WAFs.
  • Observing HTTP response headers for WAF signatures.
  • Fuzzing to test payloads against a WAF to determine what is being blocked.
  • Reversing regex patterns used by WAFs to identify methods to bypass blocklisted keywords.

Attackers may employ obfuscation and encoding techniques to evade WAF detection, such as:

  • Case toggling
  • URL encoding
  • Unicode normalization
  • Dynamic payload generation

Additionally, request header spoofing is used to mislead WAFs about the origin of a request. Some WAFs have limitations on the size of HTTP requests they inspect, which can be exploited by exceeding these size limits.
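To show why case toggling, URL encoding and Unicode normalization defeat a naive negative-model filter, and what the defensive fix looks like, here is an added example that is not from the article: a toy signature check before and after request canonicalization, with an assumed (constructed) inspection-size limit handled fail-closed instead of silently passing oversized bodies.

```python
import unicodedata
from urllib.parse import unquote

# Constructed blocklist: the kind of signatures a negative-model WAF matches.
BLOCKLIST = ("<script", "union select", "../")
# Assumed inspection limit (constructed value). Bodies above it are not
# pattern-matched, so policy, not the matcher, decides their fate.
MAX_INSPECTED_BYTES = 64


def naive_is_blocked(body: str) -> bool:
    """Raw, case-sensitive match: misses case toggling and URL encoding."""
    return any(sig in body for sig in BLOCKLIST)


def normalize(body: str) -> str:
    """Canonicalize the request before matching.

    URL-decoding to a fixed point collapses double encoding, NFKC folds
    Unicode look-alikes (fullwidth '＜' becomes '<'), and lower-casing
    removes case toggling.
    """
    prev = None
    while prev != body:  # decode until another pass changes nothing
        prev, body = body, unquote(body)
    body = unicodedata.normalize("NFKC", body)
    return body.lower()


def hardened_is_blocked(body: str, fail_closed: bool = True) -> bool:
    """Normalize first; treat bodies too large to inspect per policy."""
    if len(body.encode("utf-8")) > MAX_INSPECTED_BYTES:
        return fail_closed  # True: an uninspected body is rejected
    return any(sig in normalize(body) for sig in BLOCKLIST)


# Constructed sample bodies illustrating each evasion from the text.
SAMPLES = {
    "benign": "hello world",
    "case_toggled": "<ScRiPt>",
    "url_encoded": "%3Cscript%3E",
    "double_encoded": "%253Cscript%253E",
    "fullwidth": "＜script＞",
    "oversized": "a" * 100,
}


def compare(samples: dict = SAMPLES) -> dict:
    """Return {name: (naive_verdict, hardened_verdict)} for each sample."""
    return {k: (naive_is_blocked(v), hardened_is_blocked(v)) for k, v in samples.items()}
```

Running `compare()` shows the naive filter passing every obfuscated sample while the normalized check catches them; the oversized body is blocked only because the policy fails closed.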

Methodologies for discovering WAF bypasses, particularly for Cross-site Scripting (XSS), involve probing HTML tags and JavaScript event handlers. Case studies have shown successful WAF bypasses against solutions like CloudFront, F5 BIG-IP ASM, and Azure Application Gateway, using techniques such as adding junk data to requests to bypass size limits.

Recent advancements in WAF evasion techniques include scripts that generate valid JavaScript code from ASCII symbols. Bug bounty programs have uncovered various WAF evasion techniques and vulnerabilities, highlighting the ongoing challenges in web application security.

The article emphasizes that WAFs should not be solely relied upon for security, and creative approaches to bypassing WAFs are encouraged. Additional resources for further reading on WAF detection and evasion techniques are available for those interested.
