Wednesday, September 2, 2015

Web Application Firewall

Preface

This is the first post documenting my studies while working at the Ministry of the Interior (Taiwan). Though it's my alternative military service job, I am trying my best to learn from it.

While I was in the warehouse, I found a Web Application Firewall (WAF), which is a real device. It's my first time looking into this kind of device, so here's my study on it.

What is WAF?

It's a firewall that applies rules to HTTP conversations (the application layer) in order to defend against attacks such as cross-site scripting (XSS), SQL injection, requests from known malicious sources, and application-layer DoS attacks. Because it sees the decoded request (URL, query string, headers, cookies, body), it can match on the content of a parameter rather than only on who sent the packet.

So, what's the difference between a WAF and the network-layer firewalls we use more often? Network-layer firewalls operate at the TCP/IP level and look up rules based on IP addresses, ports and protocol. They don't care about the content in the application layer: a SQL injection payload in a query string travels over the same allowed port 80 as a normal request, so a packet filter cannot tell the two apart.

Here's an example taken from "Guide to WAF Bypass by SecurityIdiots". The first line is a normal request, and the second is the same request with a SQL injection payload in the id parameter. A network firewall passes both, but the second one is detected by the ModSecurity WAF:
http://bpc.gov.bd/contactus.php?id=4
http://bpc.gov.bd/contactus.php?id=4' UNION SELECT 1,2,3-- -
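To make the "rules on the HTTP conversation" idea concrete, here is a toy request-inspection engine in the spirit of ModSecurity. It is an added example and not code from the original post or from ModSecurity; the rule IDs, patterns and the example.test URL are this example's own inventions. It parses the query string, percent-decodes parameter values repeatedly (as a WAF must, because attackers double-encode payloads), and matches a few SQL-injection signatures. The two URLs above are used as input, plus a double-encoded variant that only gets caught when the decoding is done properly.

```python
"""Toy WAF rule engine: decode the query string, then match signatures.

Added example, not ModSecurity's code. Rule IDs and regexes are illustrative
and far narrower than a real ruleset such as the OWASP Core Rule Set.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# (rule id, description, compiled pattern). IDs 900001-900003 are made up here.
RULES = [
    (900001, "SQL comment used to terminate the query",
     re.compile(r"--[\s-]*$|/\*.*?\*/")),
    (900002, "UNION SELECT",
     re.compile(r"\bunion\b[\s/*]+(all\s+)?\bselect\b", re.I)),
    (900003, "Quote followed by a boolean tautology",
     re.compile(r"['\"]\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),
]


def decode_param(value: str, rounds: int) -> str:
    """Percent-decode up to `rounds` extra times (parse_qsl already decoded once).

    Double-encoding (%2527 -> %27 -> ') is a classic bypass against engines
    that decode only once, so a WAF keeps decoding until nothing changes.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(url: str, decode_rounds: int = 2) -> list:
    """Return (rule_id, param_name, description) for every rule the request trips."""
    query = urlsplit(url).query
    hits = []
    # keep_blank_values so `?id=` is still inspected
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_param(raw, decode_rounds)
        for rule_id, desc, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_id, name, desc))
    return hits


def decide(url: str, decode_rounds: int = 2) -> str:
    """Blocking decision for one request URL."""
    return "BLOCK" if inspect(url, decode_rounds) else "ALLOW"


if __name__ == "__main__":
    # The two requests from the post, plus a constructed double-encoded variant.
    for u in [
        "http://bpc.gov.bd/contactus.php?id=4",
        "http://bpc.gov.bd/contactus.php?id=4' UNION SELECT 1,2,3-- -",
        "http://example.test/contactus.php?id=4%2527%2520UNION%2520SELECT%25201",
    ]:
        print(decide(u), u, inspect(u))
```

Running the script shows the first URL allowed and the second blocked by two rules (the UNION SELECT and the trailing `-- -` comment). The third URL is the second one's payload double-encoded: with `decode_rounds=0` the engine sees `%27%20UNION%20SELECT` and lets it through, which is exactly the kind of gap the bypass guide the post refers to exploits.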

Detecting WAF

To detect a WAF, we can use Nmap's http-waf-detect script:
nmap -p80 --script http-waf-detect <host>

The script sends requests carrying typical attack payloads and compares the responses with the response to a harmless request. A change in status code (for example 200 turning into 403) is taken as a sign that something in front of the application is filtering. Since a dynamic page may legitimately answer differently to different input, body differences are only compared when the http-waf-detect.detectBodyChanges script argument is set. The result only says that a WAF is probably present, not which product it is.
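The comparison logic behind that kind of detection, written out as an added example (this is not the Nmap script's code). The HTTP responses are constructed inline so the example runs offline; the `probe` helper at the bottom shows how the same function would be fed from a live target, with the URL and parameter name being assumptions.

```python
"""Difference-based WAF detection: compare attack-payload responses to a baseline.

Added example in the spirit of Nmap's http-waf-detect, not the script itself.
"""
from dataclasses import dataclass
from urllib.parse import quote
import urllib.request
import urllib.error


@dataclass
class Response:
    status: int
    body: str


BASELINE_PAYLOAD = "1"
# Payloads of the obvious kind a detector sends: SQLi, XSS, path traversal.
ATTACK_PAYLOADS = [
    "1' UNION SELECT 1,2,3-- -",
    "<script>alert(1)</script>",
    "../../../../etc/passwd",
]


def looks_like_waf(baseline: Response, probes: list, detect_body_changes: bool = False) -> dict:
    """Report which attack probes got a different answer than the benign request.

    By default only the status code is compared; comparing bodies as well is
    optional because dynamic pages answer differently to different input
    even without a WAF, which produces false positives.
    """
    flagged = []
    for payload, resp in probes:
        status_changed = resp.status != baseline.status
        body_changed = detect_body_changes and resp.body != baseline.body
        if status_changed or body_changed:
            flagged.append({"payload": payload, "status": resp.status,
                            "status_changed": status_changed, "body_changed": body_changed})
    return {"waf_suspected": bool(flagged), "flagged": flagged}


def probe(base_url: str, param: str):
    """Fetch the baseline and attack responses from a live target (network; not used in the offline demo).

    urllib raises HTTPError for 4xx/5xx, and those are exactly the responses
    we want to keep, so the error object is turned into a Response too.
    """
    def fetch(value: str) -> Response:
        url = f"{base_url}?{param}={quote(value, safe='')}"
        try:
            with urllib.request.urlopen(url, timeout=10) as r:
                return Response(r.status, r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            return Response(e.code, e.read().decode("utf-8", "replace"))
    baseline = fetch(BASELINE_PAYLOAD)
    return baseline, [(p, fetch(p)) for p in ATTACK_PAYLOADS]


# Constructed responses for an offline demonstration.
BASELINE = Response(200, "<h1>Contact</h1><p>Record 1</p>")

# Target A: a WAF answers the attack probes with 403.
WAF_PROBES = [(p, Response(403, "<h1>Forbidden</h1>")) for p in ATTACK_PAYLOADS]

# Target B: no WAF, but the page echoes the parameter, so every body differs.
ECHO_PROBES = [(p, Response(200, f"<h1>Contact</h1><p>Record {p}</p>")) for p in ATTACK_PAYLOADS]

if __name__ == "__main__":
    print(looks_like_waf(BASELINE, WAF_PROBES))
    print(looks_like_waf(BASELINE, ECHO_PROBES))
    print(looks_like_waf(BASELINE, ECHO_PROBES, detect_body_changes=True))
```

Target A is flagged on status codes alone. Target B is not flagged by default, but turning on body comparison flags all three probes even though nothing is filtering, which is why that mode is opt-in.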

Does WAF Work on HTTPS?

Yes and no. HTTPS traffic is encrypted, so a WAF that only sees the packets on the wire gets ciphertext and cannot apply its rules. There are two ways for a WAF to inspect SSL/TLS-protected traffic:
  • The WAF is given a copy of the private key of the original SSL server and decrypts a copy of the traffic. This only works when the session key can be recovered from the server's RSA private key; with ephemeral (forward-secret) key exchange such as DHE or ECDHE, a passive copy of the key is useless and the WAF has to be inline instead.
  • The WAF runs its own SSL server, which is the one the client sees and connects to. The WAF decrypts the traffic, applies its rules, then forwards the request to the original server, preferably over a new SSL connection so that the hop behind the WAF is not plaintext. In this mode the WAF holds the site's certificate and key, and the origin server should accept connections only from the WAF; otherwise an attacker who can reach the origin directly bypasses the inspection entirely.
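As an added example of the second option (not a configuration from the original post or from any vendor): nginx terminating TLS in front of an origin, running ModSecurity through the ModSecurity-nginx connector, and re-encrypting towards the origin. The hostnames, file paths and upstream address are assumptions.

```nginx
# Added example: TLS-terminating reverse proxy with ModSecurity.
# www.example.test, origin.internal and all paths are assumed names.
server {
    listen 443 ssl;
    server_name www.example.test;

    # The WAF presents the site's certificate; this is what the client sees.
    ssl_certificate     /etc/nginx/tls/www.example.test.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.test.key;
    ssl_protocols       TLSv1.2;

    # Rules run on the decrypted request before anything is forwarded.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        # Re-encrypt to the origin and verify its certificate, so the hop
        # behind the WAF is not a plaintext hole.
        proxy_pass https://origin.internal:8443;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name origin.internal;

        # Preserve the original host and client address for the application.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The part this configuration does not show is on the origin side: origin.internal should only accept connections from the WAF's address (a network ACL or a firewall rule), otherwise the inspection can be skipped by talking to port 8443 directly.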

WAF Vendors / Players

Software (lower cost, but poor setups should be avoided: a WAF that runs with default or badly tuned rules gives little protection)
  • ModSecurity (open-source module for Apache, with ports for IIS and nginx; the rules usually come from the OWASP Core Rule Set)
  • AQTRONIX WebKnight (free WAF for IIS)
Hardware appliances (scalability, performance)
  • FortiWeb (Fortinet)
  • Barracuda Networks (Barracuda Web Application Firewall)

Reference