Pākiki Blog

The latest insights, vulnerabilities, research, and release information from the Pākiki team.

Follow us on social media:

What you should know about WAFs

Published on by Karl
Categories: Security
Tags: Advice

Background

Web application firewalls are commonly used to defend web applications (or mobile applications, APIs, etc) against known attacks.

At a basic level, they work by having a large set of rules which defines what bad or malicious requests to the site look like. You would set it up against a website, leave it in reporting-only mode for a period of time to ensure no legitimate traffic will be blocked by it, then enable it to block anything malicious.

There are many WAF providers, including ones built into web servers which you can run on your own infrastructure, ones offered by major infrastructure vendors, along with dedicated cloud providers. However, can you see a problem with them? They’re only as good as their ruleset, and it’s impossible to enumerate every single variation of what malicious traffic will look like, especially without impacting legitimate traffic. Yes, that even includes ones marketed with fancy machine learning or “AI” algorithms. Limitations

We regularly run into a few misconceptions with clients:

How we bypass WAFs

Now for the technical part (feel free to skip this, if you’re not technical). Let’s take a recent example from a web application we were testing. We suspected there was Cross-Site Scripting due to our input being reflected back in the page, but we knew that a WAF was in place, which would make exploitation more challenging.

We started by using trial and error to establish what the WAF did not permit. In this particular case the following were not permitted:

As part of that, we also established that the following were permitted:

From here we were able to establish our key constraints for developing a working payload:

Lastly we establish the tools and tricks that we can use in our payload, in this case: srcdoc - This allows adding HTML to the page via an attribute.

The payload:

<img src="" onerror="xss.srcdoc='<'+'script src=data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==></'+'script>'"><iframe id=xss>

Some items of note:

Where a WAF fits in

A web application firewall is only as good as its ruleset, and we regularly find ways to bypass them. It will likely be forever a cat and mouse game where WAF vendors will implement rules for known exploits, and ethical (and less than ethical) hackers will find ways to bypass those rules. We can find bypasses either using gaps in the product’s coverage, or exploiting new standards which the WAF products haven’t got complete coverage of yet.

Despite these limitations, they can be an excellent and cost effective tool as part of defence in depth. In our experience when carrying out cybersecurity testing with WAFs on (which we don’t recommend), they can significantly slow down and hinder testing speed.

If you have a WAF for an existing application or are implementing one for a new application, Pākiki Security recommends: