Lecture
Web Application Firewall ( Eng. The Web application the firewall , WAF) - a set of monitors and filters designed to detect and block network attacks on a Web application. WAFs refer to the application layer of the OSI model [1] .
A web application can be protected by the developers of the application itself without using WAF. This requires additional development costs. For example, the content of the information security department. WAF has incorporated the ability to protect against all known information attacks, which allows it to delegate the protection function. This allows developers to focus on the implementation of the business logic of the application, without thinking about security
The web application firewall is used as an overlay protection. This means that it sits in front of the main web application and analyzes inbound and outbound traffic. In real time, he makes a decision to grant or deny access [1] .
Any security model can be supported in WAF: positive, negative, or combinations thereof. Modern WAFs are subject to the requirements described in PCI DSS . They also inspect HTTP / HTTPS requests and responses of the data transfer protocol in accordance with the security policy [3] . In addition, the open source project OWASP collects data on compromises from around the world and forms a rating of attack vectors for web applications - OWASP Top Ten [4] . WAFs are designed to successfully respond to the threats described in this rating [3] .
It should be noted that WAF is not an absolute information protection tool. Usually they are included in the overall security system of a web application in combination with other elements, for example, with elements that solve the problems of protocols other than HTTP / HTTPS, incident control systems, and anti-fraud services [5] .
Application firewalls, which control input, output, and access from applications or services, were first developed in the early 1990s as an extension of the firewall by Gene Spafford, Bill Cheswick, and Marcus Ranum. [2] Their product was primarily a firewall, but could handle multiple applications (such as FTP or RSH) and was released to the DEC market. Over the next few years, the products were refined by other researchers to provide stable firewall software for others, and raised the bar for the industry.
Dedicated web application firewalls hit the market at the end of the decade, when hacker attacks on web servers became more prominent.
The first company to invent and propose a dedicated web application firewall was Perfecto Technologies with its AppShield [3] product, targeting the e-commerce market and protecting against illegal web page characters. The company was founded by Eran Reshef and Gili Ra'anan, who are also the inventors of the first dedicated WAF. Perfecto renamed itself Sanctum and named [4] Top 10 Web Application Hacking Techniques and laid the foundation for the WAF market:
Hidden field manipulation
Poisoning cookies
Changing parameters [5]
Buffer overflow
Cross Site Scripting (XSS)
Backdoor or debug options
Stealth commands
Forced View [6]
Incorrect third party configuration [7]
Known vulnerabilities
In 2002, the open source project ModSecurity [8] was formed to make WAF technology more accessible and remove industry barriers such as business cases, price barriers, and proprietary rulesets. ModSecurity has finalized the core set of rules for securing web applications based on the OASIS Web Application Security Technical Committee (WAS TC) work on the vulnerability. In 2003, their work was expanded and standardized with the Open Web Application Security Project (OWASP) Top 10 List, an annual ranking of web security vulnerabilities. This list will become the industry benchmark for many compliance topics. [9] [10]
Since then, the market has continued to grow and evolve, involving the larger commercial industry with the rise of credit card fraud. With the development of the Payment Card Industry Data Security Standard (PCI DSS), a standard for organizations to strengthen control over cardholder data, security has become more regulated and has generated widespread industry interest. According to CISO Magazine, the WAF market is expected to grow to $ 5.48 billion by 2022 [11].
SQL injections have remained the main vector of successful attacks for a long time [6] . To work with various data - deleting, changing, adding, the application uses the database. When accessing the database, the application composes a request text that can be spoofed by an attacker [7] . As a result, for example, data leakage, deletion or writing can occur. For protection, the data received from the user is carefully checked, black or white lists of character sequences are used, the request text is escaped [8] .
To distinguish between users when authorizing a user on the site, a session cookie is set or an authorization token is issued, which the browser saves and sends to the server each time to confirm that this is the right user. This key can be obtained by an attacker and used to access the account [9] . For protection, together with the key, related information is checked, such as IP address, browser. The session key is also assigned a relatively short lifetime [10] .
This type of attack consists in the fact that an attacker sends Java-Script or Html code to the user's browser, where this code is executed [7] . Thus, an attacker can receive cookies or data entered on the form of an infected page. Input and output data are shielded for protection. Regular expressions are used for field validation [11] .
This type of attack is designed to steal confidential data. Most often this happens at the time of their transfer from the client to the server via the insecure HTTP or FTP protocol. On the way to the server, on some node, having gained access to it, an attacker can read an open, unprotected request with confidential user information [12] . To transfer such information, secure transmission protocols HTTPS, TLS are used. In addition, if there is a need to store such data, then they are stored in encrypted form [12] .
Access control vulnerabilities are associated with insufficient thoroughness of checking access rights to certain data. With some rights, an attacker can gain access to data that are closed for these rights [13] .
For example, if the attacker has id equal to 1 and can see the list of his messages by reference
mysite.com/messages?id=1
then in case of insufficient rights checking, replacing the id value with 2
mysite.com/messages?id=2
the server will issue messages to the user with id = 2. Whitelists are used as security to verify access. Although some WAFs undertake similar verification functions, most of these actions are performed on the server [14] .
In the 2017 OWASP report, an attack vector such as XML External Entities (XXE) was among the top possible risks for web applications [15] . Such attacks are possible when an application allows a user to use XML documents to transfer data, the content of which is parsed by a poorly configured parser. As a result, an attacker can pass a link to an external entity in XML, which can lead to data loss or other unwanted impact on the server [16] [17] . For protection, a carefully tuned XML serializer is used, or it is replaced with another one, such as JSON. Or, support for external XML entities is disabled [18] .
It should be noted that some of the standard attacks can be countered, including the corresponding headers and flags built into all modern browsers. For example, the X-XSS-Protection header or the HTTPonly flag for the Set-Cookie header [19] [20] .
WAFs actively use signature analysis to filter traffic. The signature method in its implementation uses a dictionary of malicious traffic for comparison [21] . If a part of the request (signature) was found in the incoming traffic, which corresponds to malicious traffic, then WAFs block this request. An example of signatures [22] .
The method is based on white and black lists of IP addresses and domains. By referring to these lists, WAFs evaluate incoming requests [2] .
Some popular block lists:
Behavioral analysis is built on machine learning. This allows anomalies in behavior to be detected at deeper levels of understanding. Such a mechanism can be trained with or without a teacher on access identifiers. Incoming parameters can be access identifiers such as HTTP parameters, resource identifier (URL, URN), session identifier [1] . Thus, a reference mathematical model of valid access identifiers is highlighted. If this model does not match, the next request will be blocked [5] . This allows you to repel both known attacks and zero-day attacks [2] .
Additional features
In addition to protecting information, WAFs can provide functions on its availability, fighting DoS attacks. When an attack is detected, users who participate in the traffic load are limited or blocked. Also, WAF can inject captcha in response to the server, thereby cutting off automatic requests and allowing real users [5] .
WAF bundled may have their own vulnerability scanner. The scanner draws the attention of application developers to shortcomings that can be subsequently corrected, or the responsibility for them can be delegated to the WAF. During this analysis, the scanner can generate queries with specific parameter values that will allow exploiting the vulnerability found. Knowing the weaknesses, WAF web applications generate virtual patches that close such places [23] .
WAF provides several types of supplies.
In any of these cases, WAFs can be deployed in one of the following options: transparent bridging , transparent or reverse proxy server [24] .
Market
With the increase in the number of web applications on the Internet, the need for their qualified protection is growing [25] . This is a factor in the development of companies in this direction. Many companies are involved in the development of the industry. Conduct open analytics on market, technology and threats. Since during the development of web protection the principles and standards of security have been developed, WAF products from various companies are similar in functionality and differ only in the graphical shell [3] .
Open source WAF:
Comments
To leave a comment
Malicious, and information security
Terms: Malicious, and information security