Death of Web App Firewall

1. The Death of Web App Firewall Brian A. McHenry bam@f5.com @bamchenry ( as we know it )

2. Agenda •  Brief primer on traditional WAF approach •  Why this approach will (and should) die •  How WAF can stay relevant in your AppSec practice •  Why a new approach is valuable

3. How does a WAF work? Start by checking RFC compliance1 Then check for various length limits in the HTTP2 Then we can enforce valid types for the application3 Then we can enforce a list of valid URLs4 Then we can check for a list of valid parameters5 Then for each parameter we will check for max value length6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226

4. How does a WAF work? Start by checking RFC compliance1 Then check for various length limits in the HTTP2 Then we can enforce valid types for the application3 Then we can enforce a list of valid URLs4 Then we can check for a list of valid parameters5 Then for each parameter we will check for max value length6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1rn Host: foo.comrnrn Connection: keep-alivernrn User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9rn Referer: http://172.29.44.44/search.php?q=datarnrn Accept-Encoding: gzip,deflate,sdchrnrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rnrn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rnrn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226rn

9. How does a WAF work? Start by checking RFC compliance1 Then check for various length limits in the HTTP2 Then we can enforce valid types for the application3 Then we can enforce a list of valid URLs4 Then we can check for a list of valid parameters5 Then for each parameter we will check for max value length6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.asp?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226

10. How does a WAF work? Start by checking RFC compliance1 Then check for various length limits in the HTTP2 Then we can enforce valid types for the application3 Then we can enforce a list of valid URLs4 Then we can check for a list of valid parameters5 Then for each parameter we will check for max value length6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.do ?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226

12. How does a WAF work? Start by checking RFC compliance1 Then check for various length limits in the HTTP2 Then we can enforce valid types for the application3 Then we can enforce a list of valid URLs4 Then we can check for a list of valid parameters5 Then for each parameter we will check for max value length6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /login.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226

13. How does a WAF work? Start by checking RFC compliance1 Then check for various length limits in the HTTP2 Then we can enforce valid types for the application3 Then we can enforce a list of valid URLs4 Then we can check for a list of valid parameters5 Then for each parameter we will check for max value length6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /logout.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226

17. That sounds really good, but…

18. Who Owns the WAF? Network Team App Dev TeamSecurity Team

19. NOT IT!

20. My kingdom for a WAF admin! WAF Administrator

21. With Great Power… •  Each web application is a snowflake! •  Application deploys can be too frequent for WAF policy tweaks to keep up. •  In DevOps environments, continuous delivery enables rapid vuln fixes in code. WAF Administrator

22. What’s left for WAF?

23. What’s left for WAF? •  Focus on non-snowflake problems •  Extend and enrich web applications where possible •  Behavioral analysis

24. •  WAF injects a JS challenge with obfuscated cookie •  Legitimate browsers resend the request with cookie •  WAF checks and validates the cookie •  Requests with valid signed cookie are then passed through to the server •  Invalidated requests are dropped or terminated •  Cookie expiration and client IP address are enforced – no replay attacks •  Prevented attacks will be reported and logged w/o detected attack 1st time request to web server WAF-based Bot Detection Internet Web Application Legitimate browser verification No challenge response from bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server JS challenge placed in browser -  WAF verifies response authenticity -  Cookie is signed, time stamped and finger printed Valid requests are passed to the server Browser responds to challenge & resends request Continuous invalid bot attempts are blocked Valid browser requests bypass challenge w/ future requests

25. Protocol Compliance Checks •  HTTP Protocol compliance, of course. – Mitigates attacks like SlowLoris, and other timing attacks. •  But also, TLS protocol and cipher enforcement – Centralized control of allowed ciphers and protocols – Protection from vulnerabilities like Heartbleed, FREAK •  TCP handshake enforcement – Full proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers

26. Behavioral Analysis & Fingerprinting •  Detect GET flood attacks against Heavy URI’s •  Identify non-human surfing patterns •  Fingerprinting to identify beyond IP address – Track fingerprinted sessions – Assign risk scores to sessions – Identify known malicious browser extensions •  http://PanOpticlick.eff.org for a primer on the topic

27. What’s a Heavy URI? •  Any URI inducing greater server load upon request •  Requests that take a long time to complete •  Requests that yield large response sizes

28. © F5 Networks, Inc 28CONFIDENTIAL •  Attackers are proficient at network reconnaissance –  They obtain a list of site URIs –  Sort by time-to-complete (CPU cost) –  Sort list by megabytes (Bandwidth) •  Spiders (bots) available to automate –  Though they are often known by the security community –  Can be executed with a simple wget script, or OWASP HTTP Post tool Tools and Methods of L7 DoS Attacks

29. Exploiting POST for Fun & DoS • Determine: – URL’s accepting POST – Max size for POST • Bypass CDN protections (POST isn’t cache-able) • Fingerprint both TCP & app at the origin Attackers work to identify weaknesses in application infrastructure Network Reconnaissance Example

30. THANK YOU! Contact me: @bamchenry bam@f5.com Reference: http://informationsecuritybuzz.com/the-death-of-waf-as-we-know-it/

Death of Web App Firewall

More Related Content

What's hot (19)

Similar to Death of Web App Firewall (20)

Recently uploaded (20)

Death of Web App Firewall