In today’s cybersecurity landscape, web applications are a primary target for cybercriminals. With sophisticated attack techniques constantly evolving, organizations need to deploy robust security mechanisms to defend against threats. One of the most crucial components of web application security is the Web Application Firewall (WAF).
What is a Web Application Firewall (WAF)?
A Web Application Firewall (WAF) is a security tool designed to monitor and filter incoming HTTP traffic to a web application, protecting it from various types of attacks such as SQL injection, cross-site scripting (XSS), file inclusion, and more. Essentially, a WAF acts as a barrier between the internet and your web server, inspecting and filtering traffic before it reaches your application. By blocking malicious traffic, WAFs prevent attackers from exploiting vulnerabilities in your web application.
While WAFs are an essential layer of defense, it is important to understand their limitations. Attackers are increasingly finding ways to bypass these security measures. This post will explore common techniques used to bypass WAFs and, more importantly, how to secure your WAF configuration to avoid these vulnerabilities.
How Web Application Firewalls Protect Websites
WAFs use a variety of techniques to detect and block malicious web traffic, including:
- Signature-based detection: Identifying known attack patterns by comparing incoming traffic against predefined attack signatures.
- Behavioral analysis: Analyzing traffic patterns to detect anomalies that could indicate an attack.
- Rate limiting: Blocking requests that exceed predefined thresholds, mitigating brute force and denial-of-service (DoS) attacks.
- Protocol validation: Ensuring that requests conform to expected HTTP/HTTPS protocols and that they do not contain unusual or malicious elements.
By combining these strategies, WAFs protect against a wide range of web application attacks, including SQL injection, XSS, and command injection. These strategies are essential to keeping your web application secure; however, in the ongoing game of cat and mouse, attackers continue to find ways to bypass this essential security measure.
Common WAF Bypass Techniques
Despite the benefits of WAFs, attackers continually refine their techniques to evade detection. Let’s look at some of the most common methods attackers use to bypass WAFs.
Exploiting Zero-Day Vulnerabilities
A zero-day vulnerability is an undiscovered flaw in a software system that has not yet been patched or disclosed by the vendor. WAFs primarily rely on predefined signatures or patterns to detect attacks, which means they may not recognize new attack methods that exploit these vulnerabilities until an update is available.
Example: An attacker might exploit a zero-day vulnerability in a content management system (CMS) like Joomla, Drupal or WordPress. Since this vulnerability is unknown to the vendor, the WAF has no signature to block it. The attacker can exploit this flaw to gain unauthorized access to sensitive data or execute arbitrary commands on the server.
Payload Obfuscation and Encoding
Payload obfuscation is a popular technique used to disguise malicious payloads in a way that makes them harder for WAFs to detect. By encoding or altering the appearance of the payload, attackers can bypass detection based on pattern matching.
Common Encoding Methods:
- Hexadecimal Encoding: Converts characters into their hexadecimal equivalents.
- Base64 Encoding: Encodes the entire payload into a Base64 string.
- URL Encoding: Replaces characters with their percent-encoded equivalents.
Example: Instead of submitting a simple SQL injection like:
SELECT * FROM users WHERE username = 'admin';
An attacker could submit a Base64-encoded payload:
U0VMRUNUICogRlJPTSB1c2VycyBXSEVSRSB1c2VybmFtZSA9ICdhZG1pbic7
If the WAF doesn’t decode the payload properly, it may miss the attack.
Parameter Pollution
In Parameter Pollution, an attacker sends multiple instances of the same parameter in a single HTTP request. Many WAFs only inspect the first occurrence of a parameter, so the additional instances may contain malicious payloads that go undetected.
Malicious JSON/XML Injection
Many modern web applications use JSON or XML for API communication, and attackers can use JSON injection to insert malicious data or modify behavior. Traditional WAFs may not adequately inspect the contents of these payloads, allowing attackers to inject malicious code through these data formats. For example, an attacker might inject an XSS payload into a JSON API request; if the WAF does not inspect or sanitize the JSON payload correctly, the injected script will execute when the server processes the request.
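The parameter pollution and JSON sections above both come down to the same defender requirement: every value in a request must reach the rule engine, not just the first occurrence of a parameter or the top level of a body. The following is an added example (not code from the original post) showing how an inspection layer can enumerate all query-string occurrences and every string nested inside a JSON body; the sample request is constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed sample request: the same parameter appears twice in the query
# string, and the JSON body nests a string several levels deep.
SAMPLE_QUERY = "id=1&id=1%27%20OR%20%271%27%3D%271&page=2"
SAMPLE_BODY = ('{"user": {"name": "bob", "bio": "<script>alert(1)</script>"},'
               ' "tags": ["a", "b"]}')


def query_values(query: str):
    """Yield (name, value) for EVERY occurrence of each parameter.

    parse_qs returns a list per name, so a second 'id' is not dropped the way
    a first-occurrence-only inspector would drop it.
    """
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            yield name, value


def json_strings(node, path="$"):
    """Recursively yield (json_path, string) for every string in a JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from json_strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from json_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def inspectable_values(query: str, body: str):
    """Collect every string a rule engine must see, whatever the transport."""
    values = list(query_values(query))
    try:
        values.extend(json_strings(json.loads(body)))
    except json.JSONDecodeError:
        # Non-JSON bodies are handed to the rules as a single opaque value.
        values.append(("body", body))
    return values


if __name__ == "__main__":
    for location, value in inspectable_values(SAMPLE_QUERY, SAMPLE_BODY):
        print(f"{location}: {value!r}")
```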
Separate requests
Fragmentation across separate requests is a technique where the malicious payload is split into smaller pieces and sent as multiple requests.
Example: An attacker might fragment a malicious request like:
GET /login?username=admin&password=1234&cmd=DROP%20TABLE%20users;
Into two smaller requests:
GET /login?username=admin&
GET /login?password=1234&cmd=DROP%20TABLE%20users%3B
The WAF inspects each fragment independently and may fail to recognize the full attack that results when the server reassembles the fragments.
Case Manipulation to Evade Detection
Some WAFs perform case-sensitive matching when looking for malicious patterns. By manipulating the case of keywords in the payload, attackers can confuse these systems into failing to recognize the attack (source: OWASP).
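The encoding section and the case-manipulation section above share one mitigation: normalize the value before matching it against a signature. This added example (not code from the original post) decodes nested percent-encoding, attempts a Base64 decode of plausible blobs, and case-folds before applying a hypothetical case-insensitive SELECT ... FROM signature; the sample inputs include the post's own Base64 payload plus a double-encoded and a mixed-case variant constructed here.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed samples: the post's Base64 payload, a double-percent-encoded
# "SELECT * FROM", a mixed-case variant, and a benign string.
SAMPLES = [
    "U0VMRUNUICogRlJPTSB1c2VycyBXSEVSRSB1c2VybmFtZSA9ICdhZG1pbic7",
    "%2553%2545%254c%2545%2543%2554%2520%252a%2520%2546%2552%254f%254d",
    "sElEcT * fRoM users",
    "hello world",
]

# Hypothetical signature: a SELECT ... FROM statement, matched case-insensitively.
SQL_SELECT = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE | re.DOTALL)


def percent_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding, stopping once the value no longer changes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def maybe_base64(value: str):
    """Return decoded text if value looks like a Base64 blob, otherwise None."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def normalize(value: str):
    """Produce every form of the value that a rule should be matched against."""
    forms = {value}
    decoded = percent_decode(value)
    forms.add(decoded)
    b64 = maybe_base64(decoded)
    if b64 is not None:
        forms.add(b64)
    # Case-fold last so the rule also sees a canonical lowercase form.
    return {f.lower() for f in forms}


def matches_signature(value: str) -> bool:
    return any(SQL_SELECT.search(form) for form in normalize(value))
```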
DNS-Level Attack Bypass
Many WAFs rely on domain-based filtering to inspect traffic. However, attackers can bypass domain-based rules by sending requests directly to the server’s IP address, avoiding the WAF’s domain checks.
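The direct-to-IP bypass is defeated at the origin, not at the WAF: the application should refuse any request that did not arrive through the WAF. This added example (not code from the original post) shows an origin-side check that combines a source-address allowlist, a Host header check, and a shared-secret header; the egress ranges, hostname, header name and secret are all assumed placeholder values.

```python
import hmac
import ipaddress

# Hypothetical deployment facts, constructed for this example: the WAF's egress
# ranges, the hostname the site is published under, and a shared secret the WAF
# is assumed to add to every forwarded request in an X-WAF-Token header.
WAF_EGRESS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:1::/48")]
EXPECTED_HOSTS = {"www.example.com"}
WAF_SECRET = b"constructed-shared-secret"


def from_waf(peer_ip: str) -> bool:
    """True only if the TCP peer is one of the WAF's egress addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in WAF_EGRESS)


def accept_request(peer_ip: str, headers: dict) -> tuple:
    """Decide whether the origin should serve a request at all.

    A request that reaches the origin without passing through the WAF fails
    at least one of these checks, so domain-based rules cannot be skipped by
    addressing the server by IP.
    """
    if not from_waf(peer_ip):
        return False, "peer is not a WAF egress address"
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in EXPECTED_HOSTS:
        return False, f"unexpected Host header {host!r}"
    token = headers.get("X-WAF-Token", "").encode()
    if not hmac.compare_digest(token, WAF_SECRET):
        return False, "missing or invalid WAF token"
    return True, "ok"
```

In practice the allowlist is usually enforced one layer lower as well (host firewall or security group), so the origin is unreachable from anything but the WAF even before this check runs.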
Circumventing Rate Limiting with Distributed Requests
Rate limiting is a common technique used by WAFs to prevent brute-force and DoS attacks. However, attackers can bypass this by distributing their requests across multiple sources (e.g., a botnet) or by slowing down the rate of requests. Instead of bombarding a login page with a large number of attempts from a single IP address, an attacker could distribute the login attempts across hundreds or thousands of compromised machines, or slow the requests down to avoid triggering the WAF’s rate-limiting rules.
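A per-IP threshold is exactly what distributed and low-and-slow attempts stay under, so a useful complement is to count failures per targeted account over a sliding window as well. This added example (not code from the original post) implements such a limiter; the limits and window are assumed values, and the test feeds it constructed timestamps rather than wall-clock time.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter that counts failed logins per IP AND per account.

    Keying on the account catches attempts spread across many source
    addresses (each IP stays under its own limit, the targeted account does
    not) and slow attempts that never burst within a short interval.
    """

    def __init__(self, ip_limit=20, account_limit=10, window_s=3600):
        self.ip_limit = ip_limit            # assumed values; tune per site
        self.account_limit = account_limit
        self.window_s = window_s
        self._ip_events = defaultdict(deque)
        self._account_events = defaultdict(deque)

    def _prune(self, events, now):
        """Drop timestamps that have aged out of the window."""
        while events and now - events[0] > self.window_s:
            events.popleft()

    def record_failure(self, ip: str, account: str, now=None):
        now = time.time() if now is None else now
        self._ip_events[ip].append(now)
        self._account_events[account].append(now)

    def allowed(self, ip: str, account: str, now=None) -> bool:
        """True if another attempt from this IP against this account may proceed."""
        now = time.time() if now is None else now
        self._prune(self._ip_events[ip], now)
        self._prune(self._account_events[account], now)
        return (len(self._ip_events[ip]) < self.ip_limit
                and len(self._account_events[account]) < self.account_limit)
```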
How to Protect Against WAF Bypass Attacks
Despite these sophisticated bypass techniques, there are several best practices that can be employed to protect your WAF and ensure it remains an effective line of defense.
Keep WAF Rulesets and Software Updated
Signature-based WAFs rely on up-to-date rulesets to detect known attack patterns. Regular updates from your WAF provider ensure that the system can detect the latest threats and bypass techniques. Additionally, patching vulnerabilities in the WAF software itself helps prevent exploitation.
Conduct Regular Penetration Testing
Penetration testing is essential to uncover potential weaknesses in your security configuration. By simulating real-world attacks, you can identify and fix vulnerabilities before attackers exploit them. Pen testing should specifically cover WAF bypass techniques such as encoding and parameter pollution, especially for web applications that handle financial transactions and personal information.
Implement Input Validation and Secure Coding Practices
A WAF can only do so much; the foundation of security lies in the development of secure web applications. Ensure that input validation is performed on the server side to sanitize and validate all user inputs. This can prevent many types of attacks, such as SQL injection and XSS, from even reaching the WAF.
Deploy a Multi-Layered Defense Strategy
While a WAF is an important security tool, it should not be relied upon as the sole defense. Use additional layers of protection such as Content Security Policy (CSP), SSL/TLS, and Intrusion Detection Systems (IDS).
Stateful WAFs
Stateful WAFs track the state of interactions and inspect the entire flow of traffic, not just individual requests. This makes it harder for attackers to bypass security by splitting their attacks into multiple requests or using session-aware techniques.
Be Aware of Zero-Day Vulnerabilities
A zero-day vulnerability is an unknown or unpatched flaw in software that can be exploited by attackers. Since many WAFs rely on known attack patterns, they might fail to detect an attack that uses a zero-day exploit. Stay up-to-date with security patches and consider using a WAF provider that employs heuristic or behavior-based detection techniques to detect novel attacks.
Monitor and Log Traffic for Anomalies
Regular monitoring and analysis of traffic logs can help identify suspicious patterns that might indicate an attack is underway. By logging and analyzing traffic in real time, you can catch attacks that might slip past the WAF.
CAPTCHAs
Some WAF solutions use CAPTCHAs, which require human interaction that is easy for a person but difficult for a bot.
While Web Application Firewalls (WAFs) are a crucial security measure for protecting your web applications, they are not foolproof. Understanding the common techniques attackers use to bypass WAFs and taking proactive steps to prevent these bypass methods is essential to maintaining robust security. By combining a well-configured WAF with secure coding practices, regular testing, and multi-layered defense strategies, you can ensure your web applications remain secure against evolving threats.
With the right configuration and vigilance, a WAF can continue to serve as a strong line of defense in your overall cybersecurity strategy. Utilize articles written by GoDaddy,
Sources: OWASP, PortSwigger