12.2. WAF

12.2.1. Introduction

12.2.1.1. Concepts

WAF (Web Application Firewall) is a product that protects web applications by applying a set of security policies to HTTP/HTTPS traffic.

WAFs with different features and options are available at a wide range of prices. A WAF raises the security of a web application to a certain extent, but it cannot guarantee complete security.

12.2.1.2. Common functions

  • Detect abnormal protocols and reject requests that do not conform to HTTP standards

  • Session protection for state management

  • Cookie protection

  • Information leakage protection

  • DDoS Protection

  • Block certain IP access

  • Suspicious IP check

  • Secure HTTP header management
    • X-XSS-Protection

    • X-Frame-Options

  • Mechanism detection
    • CSRF token

    • HSTS

12.2.1.3. Deployment location

By deployment location, WAFs can be divided into cloud WAFs, host-based protection software and hardware appliances. A cloud WAF is deployed in the cloud: requests first pass through the provider's servers and are then forwarded to the host. Host-based protection requires software such as mod_security or ngx-lua-waf to be installed on the host itself. Hardware protection means that traffic is cleaned and filtered by a dedicated device before it reaches the host.

12.2.2. Protection methods

Common methods of WAF include keyword detection, regular expression detection, syntax analysis, behavior analysis, reputation analysis, machine learning, etc.

Regex-based protection is the most common form. The developer writes a set of regular expression rules and checks whether a payload matches any of them. Because this approach is simple it has drawbacks: a rule can only be applied to a single request, and it is difficult to express some complex protocols as regular expressions.

Syntax-based parsing is faster and more accurate than regex matching: the payload is parsed into groups of tokens according to a grammar, and the token groups are then searched for dangerous keywords. This method handles payload variants better, but it requires a more capable parser.

Behavior-based analysis looks at a wider scope, taking into account behaviours such as port scanning, directory brute-forcing, parameter probing, and other automated or attack patterns.

Reputation-based analysis filters out suspicious sources more effectively, such as commonly used VPNs, anonymous proxies, Tor exit nodes, IPs of botnet nodes, etc.

Machine-learning-based WAFs cover a very wide range of techniques, and their effectiveness varies with the specific implementation and scenario.

Besides classification by detection method, WAFs can also be classified by whether they use whitelists or blacklists. Whitelist-based WAFs suit stable web applications, while blacklist-based WAFs suit handling known issues.

12.2.3. Scanner Defense

  • Identification based on User-Agent

  • Identification based on attack payload

  • CAPTCHA (verification code)
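The first two items above (User-Agent matching and behaviour such as directory brute-forcing, which 12.2.2 also mentions) can be demonstrated as detection logic run over access-log lines. The code below is an added example, not part of the original page: it parses constructed Apache combined-format log lines, flags clients whose User-Agent matches a list of well-known scanner names, and flags clients that produce a burst of 404 responses within a time window. The log lines, the scanner-name list, the window and the threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in Apache combined format (example data,
# not taken from any real server).
LOG_LINES = """
10.0.0.9 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:31 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:32 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:33 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:34 +0000] "GET /tmp/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:00 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of scanner names; a real deployment would maintain its own.
KNOWN_SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster", re.I)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def analyze(lines, window=60, threshold=4):
    """Map client IP -> sorted list of reasons it was flagged.

    'scanner_ua'      : User-Agent matches a known scanner name.
    'not_found_burst' : at least `threshold` 404 responses within `window` seconds.
    """
    events = [e for e in map(parse_line, lines) if e]
    flags = defaultdict(set)
    not_found_times = defaultdict(list)  # per-IP sliding window of 404 timestamps

    for e in sorted(events, key=lambda e: e["ts"]):
        if KNOWN_SCANNER_UA.search(e["ua"]):
            flags[e["ip"]].add("scanner_ua")
        if e["status"] == 404:
            times = not_found_times[e["ip"]]
            times.append(e["ts"])
            # Drop timestamps that fell out of the window.
            while (times[-1] - times[0]).total_seconds() > window:
                times.pop(0)
            if len(times) >= threshold:
                flags[e["ip"]].add("not_found_burst")

    return {ip: sorted(reasons) for ip, reasons in flags.items()}


if __name__ == "__main__":
    for ip, reasons in analyze(LOG_LINES).items():
        print(ip, reasons)
```

The User-Agent check is cheap but trivially evaded by changing the header, which is why the page lists payload-based identification and CAPTCHAs alongside it; the 404-burst rule needs no cooperation from the client and is a simple instance of the behaviour analysis described in 12.2.2.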

12.2.4. WAF Fingerprint

  • Additional cookies

  • Additional headers

  • Content returned when a request is rejected

  • Response code returned when a request is rejected

  • IP address

12.2.5. Bypass

12.2.5.1. Architecture-Based Bypass

  • The site is behind the WAF, but the origin server can also be reached directly

  • The site is on a cloud server, and servers on the same network segment have no WAF

12.2.5.2. Resource-Based Bypass

  • Use heavy requests to exhaust the WAF's computing resources

  • Send a large number of invalid parameters

12.2.5.3. Parse-Based Bypass

  • Differences in character set parsing

  • Incomplete protocol coverage
    • POST JSON parameters / form-data / multipart/form-data

  • Incorrect protocol parsing

  • The site and the WAF handle HTTPS inconsistently

  • WAF parsing is inconsistent with the web service's parsing
    • Some ASP+IIS stacks convert %u0065-style characters

    • Apache parses malformed request methods

    • The same parameter appears multiple times in different locations

    • HTTP Parameter Pollution (HPP)

    • HTTP Parameter Fragmentation (HPF)
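The last three items above all come down to the WAF and the backend reading a repeated parameter differently. The code below is an added example, not from the original page: it parses a constructed query string under the three interpretations commonly cited in HPP write-ups (first occurrence wins, last occurrence wins, and comma-joined), and provides a check a WAF or application can apply to reject or log any request whose interpretations would disagree. The query strings are constructed for the example.

```python
import urllib.parse


def parse_pairs(query):
    """All (name, value) pairs in order, keeping blank values."""
    return urllib.parse.parse_qsl(query, keep_blank_values=True)


def first_wins(query):
    """Interpretation used by some servlet-style stacks: first value kept."""
    out = {}
    for name, value in parse_pairs(query):
        out.setdefault(name, value)
    return out


def last_wins(query):
    """Interpretation used by some PHP-style stacks: last value kept."""
    return dict(parse_pairs(query))


def joined(query, sep=","):
    """Interpretation used by some ASP-style stacks: values concatenated.

    This is also how parameter fragments can be reassembled into one value.
    """
    out = {}
    for name, value in parse_pairs(query):
        out[name] = value if name not in out else out[name] + sep + value
    return out


def duplicated_names(query):
    """Parameter names that occur more than once (sorted)."""
    counts = {}
    for name, _ in parse_pairs(query):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def interpretations_disagree(query):
    """True when a WAF and backend using different rules would see different values.

    A defensive policy is simply to reject or log any request for which
    this returns True, rather than trying to guess the backend's rule.
    """
    return first_wins(query) != last_wins(query)


if __name__ == "__main__":
    # Constructed sample: the same name sent twice with different values.
    sample = "id=1&name=a&id=2"
    print("first:", first_wins(sample))
    print("last: ", last_wins(sample))
    print("join: ", joined(sample))
    print("dups: ", duplicated_names(sample))
```

The point for a defender is that none of the three views is "correct" in general; consistency has to be enforced by normalizing or rejecting duplicates at the WAF, so that the value the rules inspected is the value the application receives.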

12.2.5.4. Rule-Based Bypass

  • Equivalent replacement
    • Case conversion
      • select => sEleCt

      • <sCrIpt>alert(1)</script>

    • Character encoding
      • URL encoding

      • Hex encoding

      • Unicode

      • Base64

      • HTML entities

      • JSFuck

      • Other encodings

    • Equivalent function

    • Equivalent variable

    • Keyword splitting

    • String manipulation

  • Character interference
    • Null and whitespace characters
      • NULL (\x00)

      • Space

      • Carriage return (\x0d)

      • Newline (\x0a)

      • Vertical tab (\x0b)

      • Horizontal tab (\x09)

      • Form feed (\x0c)

    • Comments

  • Special symbols
    • Comments

    • Quotes (backticks, single quotes, double quotes)

  • Use features of the service itself
    • Suspicious keywords are replaced with the empty string
      • selselectect => select

  • Uncommon features not covered by the rule list
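The rule-based bypasses listed in this section (case conversion, encoding, comments, control characters, keyword stripping) are exactly what separates the regex-only detection and the syntax-based detection described in 12.2.2. The code below is an added example serving both sections; it is not code from the page or from any WAF product. It shows a naive case-sensitive regex rule, then a small normalizing tokenizer (bounded URL decoding, comment removal, control-character collapsing, lowercasing) that checks for the keyword sequence as tokens rather than as substrings, and finally why "replace suspicious keyword with empty" must be iterated to a fixed point if it is used at all. The sample payloads, the keyword list and the rule pattern are assumptions chosen for the example.

```python
import re
import urllib.parse

# Constructed sample payloads: variants of one SQL keyword pair plus a
# benign string that merely contains "select" as a substring.
SAMPLES = {
    "plain":      "1 union select 1,2",
    "case":       "1 UnIoN sEleCt 1,2",
    "union_all":  "1 UnIoN aLl sEleCt 1,2",
    "urlencoded": "1%20union%20%73elect%201,2",
    "double":     "1%2520union%2520select%25201,2",
    "comment":    "1 union/**/select 1,2",
    "controls":   "1\tunion\x0bselect\x091,2",
    "benign":     "selective reading",
}

# 1. Naive rule: one case-sensitive regex over the raw request.
NAIVE_RULE = re.compile(r"\bunion\s+select\b")


def naive_match(payload):
    return NAIVE_RULE.search(payload) is not None


# 2. Syntax-style check: normalize, then tokenize and inspect token sequences.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|[^\sA-Za-z0-9_]")


def url_decode_bounded(text, max_rounds=3):
    """URL-decode until stable, with a bound so double encoding is undone."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def tokenize(payload):
    """Lower-cased tokens of the payload after decoding and comment removal."""
    text = url_decode_bounded(payload)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # block comments
    text = re.sub(r"--[^\n]*", " ", text)                # line comments
    text = re.sub(r"[\x00-\x20]+", " ", text)            # NUL, tabs, CR/LF, FF, VT
    return [t.lower() for t in TOKEN_RE.findall(text)]


def has_union_select(tokens):
    """True if 'union' is followed by 'select' within two tokens (allows ALL/DISTINCT)."""
    for i, tok in enumerate(tokens):
        if tok == "union" and "select" in tokens[i + 1:i + 3]:
            return True
    return False


def syntax_match(payload):
    return has_union_select(tokenize(payload))


# 3. Keyword stripping: a single pass is defeated by nesting the keyword.
def strip_once(payload, words=("select",)):
    for w in words:
        payload = re.sub(w, "", payload, flags=re.I)
    return payload


def strip_until_stable(payload, words=("select",), limit=10):
    """Repeat stripping until nothing changes (bounded), so nested copies cannot survive."""
    for _ in range(limit):
        stripped = strip_once(payload, words)
        if stripped == payload:
            return stripped
        payload = stripped
    return payload


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10} naive={naive_match(payload)!s:5} syntax={syntax_match(payload)}")
    print(repr(strip_once("selselectect")), "->", repr(strip_until_stable("selselectect")))
```

Because the tokenizer matches whole identifiers, a benign word such as "selective" is never confused with the keyword, while every encoded, re-cased or comment-split variant in the sample set reduces to the same token sequence. The stripping functions make the opposite point: rejecting a request is safer than sanitizing it, and a sanitizer that is kept must at least run to a fixed point.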