death of web app firewall
TRANSCRIPT
Agenda
• Brief primer on traditional WAF approach
• Why this approach will (and should) die
• How WAF can stay relevant in your AppSec practice
• Why a new approach is valuable
How does a WAF work?
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers with attack signatures

Example request walked through the checks:
GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n

The slide builds repeat the same request with variations: one copy with \r\n\r\n after each header line, and copies whose request line changes the file type or the URL:
GET /search.asp?name=Acme’s&admin=1 HTTP/1.1
GET /search.do ?name=Acme’s&admin=1 HTTP/1.1
GET /login.php?name=Acme’s&admin=1 HTTP/1.1
GET /logout.php?name=Acme’s&admin=1 HTTP/1.1
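The following is an added example, not code from the deck or from F5: a minimal request validator that runs the seven checks above in slide order over a raw HTTP/1.1 request. The policy values (length limits, the allowed file type, the URL and parameter allowlists, the three toy signatures) and the sample requests are constructed for the page's example request; the `inspect`, `build` and `SAMPLES` names are the example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# --- Policy: assumed values built around the page's sample request, not a real WAF policy ---
MAX_REQUEST_LINE = 2048          # step 2
MAX_HEADER_LINE = 4096           # step 2
MAX_HEADERS = 50                 # step 2
ALLOWED_FILE_TYPES = {"php"}     # step 3: file types the application serves
ALLOWED_URLS = {"/search.php", "/login.php", "/logout.php"}   # step 4
ALLOWED_PARAMS = {               # steps 5 and 6: URL -> {parameter name: max value length}
    "/search.php": {"name": 64, "q": 128},
    "/login.php": {"user": 64, "pass": 128},
    "/logout.php": {},
}
SIGNATURES = [                   # step 7: toy signatures, not a vendor rule set
    ("sqli", re.compile(r"(?i)'\s*(or|and)\s|--\s*$|union\s+select")),
    ("xss", re.compile(r"(?i)<\s*script")),
    ("traversal", re.compile(r"\.\./")),
]
REQUEST_LINE_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (/\S*) HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*)$")


def inspect(raw: str):
    """Run the seven checks in slide order; ("allow", None, None) or ("block", step, reason)."""
    # 1. RFC compliance: CRLF framing, well-formed request line and headers, Host present
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        return ("block", 1, "missing CRLFCRLF header terminator")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return ("block", 1, "malformed request line")
    headers = []
    for line in lines[1:]:
        h = HEADER_RE.match(line)
        if not h:
            return ("block", 1, f"malformed header line: {line[:40]!r}")
        headers.append((h.group(1).lower(), h.group(2)))
    if "host" not in dict(headers):
        return ("block", 1, "HTTP/1.1 request without Host header")
    # 2. Length limits
    if len(lines[0]) > MAX_REQUEST_LINE:
        return ("block", 2, "request line too long")
    if len(headers) > MAX_HEADERS or any(len(l) > MAX_HEADER_LINE for l in lines[1:]):
        return ("block", 2, "too many or too long headers")
    # 3. File type (extension of the requested resource)
    target = m.group(2)
    parts = urlsplit(target)
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in ALLOWED_FILE_TYPES:
        return ("block", 3, f"file type {ext!r} not allowed")
    # 4. URL allowlist
    if parts.path not in ALLOWED_URLS:
        return ("block", 4, f"URL {parts.path} not in policy")
    # 5. Parameter allowlist
    params = parse_qsl(parts.query, keep_blank_values=True)
    policy = ALLOWED_PARAMS[parts.path]
    for name, _ in params:
        if name not in policy:
            return ("block", 5, f"parameter {name!r} not in policy")
    # 6. Per-parameter max value length
    for name, value in params:
        if len(value) > policy[name]:
            return ("block", 6, f"parameter {name!r} exceeds {policy[name]} chars")
    # 7. Attack signatures over the URI, every parameter value and every header value
    scan = [("uri", unquote(target))]
    scan += [(f"param:{n}", v) for n, v in params]
    scan += [(f"header:{n}", v) for n, v in headers]
    for where, text in scan:
        for sig_name, rx in SIGNATURES:
            if rx.search(text):
                return ("block", 7, f"signature {sig_name!r} matched in {where}")
    return ("allow", None, None)


def build(request_line):
    """Assemble a request in the shape of the page's sample (headers constructed)."""
    headers = ["Host: foo.com", "Connection: keep-alive",
               "User-Agent: Mozilla/5.0 (Windows NT 6.1)",
               "Accept: text/html,application/xhtml+xml,application/xml;q=0.9",
               "Referer: http://172.29.44.44/search.php?q=data",
               "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226"]
    return "\r\n".join([request_line, *headers]) + "\r\n\r\n"


SAMPLES = {  # constructed inputs; 'page_sample' mirrors the deck's request
    "page_sample": build("GET /search.php?name=Acme's&admin=1 HTTP/1.1"),
    "clean": build("GET /search.php?name=Acme's HTTP/1.1"),
    "asp": build("GET /search.asp?name=Acme's&admin=1 HTTP/1.1"),
    "unknown_url": build("GET /admin.php HTTP/1.1"),
    "too_long": build("GET /search.php?name=" + "A" * 65 + " HTTP/1.1"),
    "signature": build("GET /search.php?q=../../etc/passwd HTTP/1.1"),
    "bare_lf": "GET /search.php HTTP/1.1\nHost: foo.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} -> {inspect(raw)}")
```

The page's own request is stopped at step 5 (`admin` is not a declared parameter for `/search.php`), before any signature is consulted; that is the positive-security point of the ordering, and also why the slides that follow argue that keeping such a policy current for every application is the hard part.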
That sounds really good, but…
Who Owns the WAF?
Network Team – App Dev Team – Security Team
NOT IT!
My kingdom for a WAF admin!
WAF Administrator
With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vuln fixes in code.
What’s left for WAF?
• Focus on non-snowflake problems
• Extend and enrich web applications where possible
• Behavioral analysis

WAF-based Bot Detection
• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced – no replay attacks
• Prevented attacks will be reported and logged w/o detected attack

Legitimate browser verification (flow between the Internet and the Web Application):
1. 1st time request to web server: WAF responds with injected JS challenge. Request is not passed to server
2. JS challenge placed in browser
3. Browser responds to challenge & resends request
4. WAF verifies response authenticity – cookie is signed, time stamped and finger printed
5. Valid requests are passed to the server
No challenge response from bots: BOTS ARE DROPPED. Continuous invalid bot attempts are blocked. Valid browser requests bypass challenge w/ future requests.
Protocol Compliance Checks
• HTTP protocol compliance, of course.
  – Mitigates attacks like Slowloris and other timing attacks.
• But also, TLS protocol and cipher enforcement
  – Centralized control of allowed ciphers and protocols
  – Protection from vulnerabilities like Heartbleed, FREAK
• TCP handshake enforcement
  – Full proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers
Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
  – Track fingerprinted sessions
  – Assign risk scores to sessions
  – Identify known malicious browser extensions
• http://PanOpticlick.eff.org for a primer on the topic
What’s a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes
• Attackers are proficient at network reconnaissance
  – They obtain a list of site URIs
  – Sort by time-to-complete (CPU cost)
  – Sort list by megabytes (bandwidth)
• Spiders (bots) available to automate
  – Though they are often known by the security community
  – Can be executed with a simple wget script, or OWASP HTTP Post tool
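An added example, not from the deck, of the defender's side of the heavy-URI slide: rank your own URIs by the two criteria given (time to complete, response size) from access logs, then flag clients that flood those URIs, which is the GET-flood detection the behavioral-analysis slide lists. The log format (client IP, epoch timestamp, request, status, bytes, server milliseconds), the thresholds and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log shape:  client_ip [epoch] "METHOD path" status bytes server_ms
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "(\w+) (\S+)" (\d{3}) (\d+) (\d+)$')

# Constructed sample log: /report.php is slow and large; 203.0.113.7 hammers it.
SAMPLE_LOG = """\
198.51.100.2 [1700000000] "GET /index.php" 200 2100 12
198.51.100.2 [1700000001] "GET /search.php" 200 8400 85
198.51.100.3 [1700000002] "GET /report.php" 200 950000 2400
198.51.100.4 [1700000003] "GET /index.php" 200 2100 10
203.0.113.7 [1700000004] "GET /report.php" 200 950000 2600
203.0.113.7 [1700000004] "GET /report.php" 200 950000 2500
203.0.113.7 [1700000005] "GET /report.php" 200 950000 2700
203.0.113.7 [1700000005] "GET /report.php" 200 950000 2550
203.0.113.7 [1700000006] "GET /report.php" 200 950000 2650
198.51.100.5 [1700000006] "GET /search.php" 200 8100 90
"""


def parse_log(text: str):
    """Parse matching lines into dicts; the query string is dropped so URIs aggregate by path."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, _method, path, _status, nbytes, ms = m.groups()
            rows.append({"ip": ip, "ts": int(ts), "path": path.split("?", 1)[0],
                         "bytes": int(nbytes), "ms": int(ms)})
    return rows


def heavy_uris(rows, ms_threshold=1000, bytes_threshold=500_000):
    """URIs whose mean server time or mean response size exceeds a threshold (assumed values)."""
    acc = defaultdict(lambda: [0, 0, 0])          # path -> [hits, total_ms, total_bytes]
    for r in rows:
        a = acc[r["path"]]
        a[0] += 1
        a[1] += r["ms"]
        a[2] += r["bytes"]
    heavy = {}
    for path, (n, ms, b) in acc.items():
        mean_ms, mean_bytes = ms / n, b / n
        if mean_ms >= ms_threshold or mean_bytes >= bytes_threshold:
            heavy[path] = {"hits": n, "mean_ms": mean_ms, "mean_bytes": mean_bytes}
    return heavy


def flood_sources(rows, heavy, window_s=10, max_hits=3):
    """Clients that hit heavy URIs more than max_hits times within any window_s-second window.
    Returns ip -> peak hits seen in one window (sliding window over sorted timestamps)."""
    per_ip = defaultdict(list)
    for r in rows:
        if r["path"] in heavy:
            per_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            hits = end - start + 1
            if hits > max_hits:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    heavy = heavy_uris(rows)
    print("heavy URIs:", heavy)
    print("flood sources:", flood_sources(rows, heavy))
```

Running this offline over a day of real logs gives the same list an attacker would build by crawling and timing the site, which is the point: the defender should know which URIs are expensive before anyone else does, and those are the ones to rate-limit or cache first.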
Tools and Methods of L7 DoS Attacks
Exploiting POST for Fun & DoS
• Determine:
  – URLs accepting POST
  – Max size for POST
• Bypass CDN protections (POST isn’t cache-able)
• Fingerprint both TCP & app at the origin
Attackers work to identify weaknesses in application infrastructure
Network Reconnaissance Example
THANK YOU!
Contact me: @bamchenry [email protected]
Reference: http://informationsecuritybuzz.com/the-death-of-waf-as-we-know-it/