death of waf - gosec '15
![Page 1: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/1.jpg)
The Death of Web App Firewall (as we know it)
Brian A. McHenry, Sr. Security Solutions Architect, F5
@bamchenry
![Page 2: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/2.jpg)
Agenda
• Brief primer on traditional WAF approach
• Why this approach will (and should) die
• How WAF can stay relevant and enhance your AppSec practice
• Why a new approach is valuable
![Page 3: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/3.jpg)
How does a WAF work?
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP request
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers with attack signatures

Example request shown on the slide:
GET /search.php?name=Acme’s&admin=1 HTTP/1.1Host: foo.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9\rReferer: http://172.29.44.44/search.php?q=data\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226
![Page 4: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/4.jpg)
How does a WAF work? (continued)
The same request, now shown with its \r\n line terminators:
GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\nHost: foo.com\r\n\r\nConnection: keep-alive\r\n\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n\Referer: http://172.29.44.44/search.php?q=data\r\n\r\nAccept-Encoding: gzip,deflate,sdch\r\n\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n
![Page 9: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/9.jpg)
How does a WAF work? (continued)
The same checks, with the request URL varied across slides 9 through 13:

Request to /search.asp:
GET /search.asp?name=Acme’s&admin=1 HTTP/1.1Host: foo.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9\rReferer: http://172.29.44.44/search.php?q=data\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226

Request to /search.do:
GET /search.do ?name=Acme’s&admin=1 HTTP/1.1Host: foo.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9\rReferer: http://172.29.44.44/search.php?q=data\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226

Request to /login.php:
GET /login.php?name=Acme’s&admin=1 HTTP/1.1Host: foo.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9\rReferer: http://172.29.44.44/search.php?q=data\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226

Request to /logout.php:
GET /logout.php?name=Acme’s&admin=1 HTTP/1.1Host: foo.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9\rReferer: http://172.29.44.44/search.php?q=data\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226
![Page 17: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/17.jpg)
That sounds really good, but…
![Page 18: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/18.jpg)
Who Owns the WAF?
• Network Team
• App Dev Team
• Security Team
![Page 19: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/19.jpg)
Not Us!
![Page 20: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/20.jpg)
My kingdom for a WAF admin!
WAF Administrator
![Page 21: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/21.jpg)
With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vuln fixes in code.
WAF Administrator
![Page 22: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/22.jpg)
What’s left for WAF?
![Page 23: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/23.jpg)
What’s left for WAF?
• Focus on non-snowflake problems
• Extend and enrich web applications where possible
• Behavioral analysis
![Page 24: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/24.jpg)
WAF-based Bot Detection
• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced – no replay attacks
• Prevented attacks will be reported and logged

Flow from the slide diagram (Internet, WAF, Web Application); a 1st-time request to the web server w/o a detected attack:
1. WAF responds with injected JS challenge. Request is not passed to server.
2. JS challenge placed in browser.
3. Browser responds to challenge & resends request.
4. WAF verifies response authenticity. Cookie is signed, time stamped and fingerprinted.
5. Valid requests are passed to the server.
Legitimate browser verification: valid browser requests bypass the challenge w/ future requests.
No challenge response from bots: BOTS ARE DROPPED. Continuous invalid bot attempts are blocked.
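The signed, time-stamped, fingerprinted cookie that steps 4 and 5 rely on, as an added illustration (not F5's implementation or cookie format). It assumes a per-WAF HMAC key, a 300-second lifetime and a fingerprint made of client IP plus a hash of the User-Agent; a mismatch on any of these is what lets the WAF drop replayed or bot-forged cookies.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-rotate-in-production"  # assumption: per-WAF signing key
COOKIE_TTL = 300  # seconds; assumption, tune to the application's session pattern


def _fingerprint(client_ip: str, user_agent: str) -> str:
    """Bind the cookie to the client: IP address plus a hash of the UA string."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()[:16]


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_cookie(client_ip, user_agent, now=None, secret=SECRET):
    """Value the WAF sets once the JS challenge succeeds (step 1 to 3)."""
    now = int(time.time()) if now is None else int(now)
    claims = {"iat": now, "exp": now + COOKIE_TTL,
              "fp": _fingerprint(client_ip, user_agent)}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()).decode().rstrip("=")
    return f"{body}.{_sign(body.encode(), secret)}"


def verify_cookie(cookie, client_ip, user_agent, now=None, secret=SECRET):
    """Step 4: return (ok, reason). Anything but (True, 'ok') is dropped and logged."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return False, "malformed"
    # Check the signature before decoding anything the client controls.
    if not hmac.compare_digest(sig.encode(), _sign(body.encode(), secret).encode()):
        return False, "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        return False, "expired"          # expiration enforced: old cookies cannot be replayed
    if claims["fp"] != _fingerprint(client_ip, user_agent):
        return False, "fingerprint-mismatch"  # client IP / UA binding enforced
    return True, "ok"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 6.1)"
    c = issue_cookie("203.0.113.5", ua)
    print(verify_cookie(c, "203.0.113.5", ua))        # (True, 'ok')
    print(verify_cookie(c, "198.51.100.9", ua))       # (False, 'fingerprint-mismatch')
```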
![Page 25: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/25.jpg)
Headers!
• HTTP Headers can force browser to take more secure actions
• Application agnostic
• Examples:
  • HTTP Strict Transport Security
  • HTTP Public Key Pinning
  • Content Security Policy
  • X-Frame-Options
![Page 26: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/26.jpg)
Protocol Compliance Checks
• HTTP Protocol compliance, of course.
  • Mitigates attacks like SlowLoris, and other timing attacks.
• But also, TLS protocol and cipher enforcement
  • Centralized control of allowed ciphers and protocols
  • Protection from vulnerabilities like Heartbleed, FREAK, LogJam, Poodle
• TCP handshake enforcement
  • Full proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers
![Page 27: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/27.jpg)
Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against Heavy URIs
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
  • Track fingerprinted sessions
  • Assign risk scores to sessions
  • Identify known malicious browser extensions
  • https://PanOpticlick.eff.org for a primer on the topic
![Page 28: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/28.jpg)
Fingerprinting Example
![Page 29: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/29.jpg)
What’s a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes
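Detection logic for the two slides above (Heavy URIs, and GET floods against them), as an added example that is not from the talk. It runs over a constructed access-log sample in an assumed `ip method path status bytes ms` format; the thresholds (1 s, 1 MB, 5 hits) are assumptions a WAF operator would tune from real traffic.

```python
import re
from collections import defaultdict

# Constructed sample, not real traffic: one user browses normally, one client
# hammers the export report that the log shows to be slow and large.
SAMPLE_LOG = """\
203.0.113.5 GET /index 200 1200 15
203.0.113.5 GET /search?q=acme 200 48000 320
203.0.113.5 GET /report/export?year=2015 200 5200000 2400
198.51.100.9 GET /report/export?year=2014 200 5100000 2200
198.51.100.9 GET /report/export?year=2013 200 5000000 2100
198.51.100.9 GET /report/export?year=2012 200 5050000 2500
198.51.100.9 GET /report/export?year=2011 200 4900000 2300
198.51.100.9 GET /report/export?year=2010 200 5300000 2600
198.51.100.9 GET /index 200 1200 14
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+) (\d+)$")


def parse_log(text):
    """Return (ip, method, path_without_query, bytes, ms) tuples; skip unparsable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, _status, nbytes, ms = m.groups()
        records.append((ip, method, path.split("?", 1)[0], int(nbytes), int(ms)))
    return records


def heavy_uris(records, ms_limit=1000, bytes_limit=1_000_000):
    """Heavy URI as the slide defines it: long to complete or large response, averaged per path."""
    totals = defaultdict(lambda: [0, 0, 0])  # hits, bytes, ms
    for _ip, _method, path, nbytes, ms in records:
        t = totals[path]
        t[0] += 1
        t[1] += nbytes
        t[2] += ms
    return {p: {"hits": t[0], "avg_bytes": t[1] // t[0], "avg_ms": t[2] // t[0]}
            for p, t in totals.items()
            if t[2] / t[0] > ms_limit or t[1] / t[0] > bytes_limit}


def flood_suspects(records, heavy, min_hits=5):
    """Clients whose GETs to heavy URIs reach min_hits: candidates for a JS challenge or rate limit."""
    hits = defaultdict(int)
    for ip, method, path, _nbytes, _ms in records:
        if method == "GET" and path in heavy:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    heavy = heavy_uris(recs)
    print(heavy)                         # {'/report/export': {...}}
    print(flood_suspects(recs, heavy))   # {'198.51.100.9': 5}
```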
![Page 30: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/30.jpg)
© F5 Networks, Inc. CONFIDENTIAL
Tools and Methods of L7 DoS Attacks
• Attackers are proficient at network reconnaissance
  • They obtain a list of site URIs
  • Sort by time-to-complete (CPU cost)
  • Sort list by megabytes (Bandwidth)
• Spiders (bots) available to automate
  • Though they are often known by the security community
  • Can be executed with a simple wget script, or OWASP HTTP Post tool
![Page 31: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/31.jpg)
Exploiting POST for Fun & DoS
Network Reconnaissance Example: attackers work to identify weaknesses in application infrastructure
• Determine:
  • URLs accepting POST
  • Max size for POST
• Bypass CDN protections (POST isn’t cache-able)
• Fingerprint both TCP & app at the origin
![Page 32: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/32.jpg)
Long Live the Web App Firewall
• Drag through existing relevant WAF features
• Understand your risk factors and have the proper tools
• WAF placement can enhance other aspects of the App
![Page 33: Death of WAF - GoSec '15](https://reader035.vdocuments.net/reader035/viewer/2022062522/58cf0fac1a28ab5f2b8b62db/html5/thumbnails/33.jpg)
Thank YOU!
Contact me:@[email protected]
http://informationsecuritybuzz.com/the-death-of-waf-as-we-know-it/