Discussion of limitations of traditional WAF approaches in modern application development infrastructures, including those driven by a DevOps philosophy. Exploration of content injection and modification as more powerful and valuable security extensions. Modern WAF approaches to leverage these techniques to enable robust interrogation of the browser for bot detection, fingerprinting, and other assessment and mitigation postures.
1. The Death of Web App Firewall (as we know it)
Brian A. McHenry
bam@f5.com
@bamchenry
2. Agenda
• Brief primer on traditional WAF approach
• Why this approach will (and should) die
• How WAF can stay relevant in your AppSec practice
• Why a new approach is valuable
3. How does a WAF work?
(1) Start by checking RFC compliance
(2) Then check for various length limits in the HTTP
(3) Then we can enforce valid types for the application
(4) Then we can enforce a list of valid URLs
(5) Then we can check for a list of valid parameters
(6) Then for each parameter we will check for max value length
(7) Then scan each parameter, the URI, the headers with attack signatures
Example request (CRLF line terminators shown as \r\n):
GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n
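As an added example (not from the deck), a small Python model of the seven checks above run against the slide's request; the policy values, the signature patterns and the shortened header set are assumptions, chosen so the `admin` parameter is the one thing the positive-security policy does not know.

```python
import re
from urllib.parse import parse_qsl, urlsplit
# Constructed request in the form shown on the slide (CRLF-terminated).
SAMPLE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    "Host: foo.com\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n\r\n"
)
POLICY = {  # hypothetical positive-security policy learned for this one application
    "max_uri_len": 256, "max_header_len": 512,
    "file_types": {"php", "html"},
    "urls": {"/search.php", "/login.php", "/logout.php"},
    "params": {"/search.php": {"name": 32, "q": 64}},  # parameter -> max value length
}
# Crude attack signatures: SQL keyword after a quote, script tag, path traversal.
SIGNATURES = [re.compile(p, re.I)
              for p in (r"'\s*(or|and|union|select)\b", r"<\s*script", r"\.\./")]

def inspect(raw, policy=POLICY):
    """Run the slide's seven checks in order; return the violations found."""
    found = []
    head, sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    req = lines[0].split(" ")
    # (1) RFC compliance: CRLF framing, three-token request line, known version
    if (not sep or len(req) != 3 or req[2] not in ("HTTP/1.0", "HTTP/1.1")
            or "\n" in head.replace("\r\n", "")):
        return ["1:rfc"]  # stop here: a malformed request cannot be parsed safely
    target, path = req[1], urlsplit(req[1]).path
    # (2) length limits on the URI and on every header line
    if len(target) > policy["max_uri_len"] or any(len(h) > policy["max_header_len"] for h in lines[1:]):
        found.append("2:length")
    # (3) allowed file types, then (4) allowed URLs
    if path.rsplit(".", 1)[-1] not in policy["file_types"]:
        found.append("3:filetype")
    if path not in policy["urls"]:
        found.append("4:url")
    allowed = policy["params"].get(path, {})
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name not in allowed:  # (5) parameter allow-list
            found.append(f"5:param:{name}")
        elif len(value) > allowed[name]:  # (6) per-parameter max value length
            found.append(f"6:len:{name}")
        elif any(s.search(value) for s in SIGNATURES):  # (7) signatures per value
            found.append(f"7:sig:{name}")
    # (7) signatures across the raw URI and the header lines as well
    if any(s.search(t) for s in SIGNATURES for t in [target, *lines[1:]]):
        found.append("7:sig:uri-or-header")
    return found
```

Note that the legitimate apostrophe in `Acme's` passes the quote-plus-keyword signature but would be flagged by a cruder "any quote" rule, which is exactly the per-application tuning the later slides complain about.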
9./10. How does a WAF work? (builds of slide 3 with only the request line changed)
GET /search.asp?name=Acme’s&admin=1 HTTP/1.1
GET /search.do ?name=Acme’s&admin=1 HTTP/1.1
12./13. How does a WAF work? (builds of slide 3 with only the request line changed)
GET /login.php?name=Acme’s&admin=1 HTTP/1.1
GET /logout.php?name=Acme’s&admin=1 HTTP/1.1
21. With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vuln fixes in code.
(Image: WAF Administrator)
23. What’s left for WAF?
• Focus on non-snowflake problems
• Extend and enrich web applications where possible
• Behavioral analysis
24. WAF-based Bot Detection
• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced – no replay attacks
• Prevented attacks will be reported and logged w/o detected attack
(Diagram: WAF-based Bot Detection, Internet → WAF → Web Application. Legitimate browser verification flow:)
(1) 1st time request to web server
(2) WAF responds with injected JS challenge. Request is not passed to server
(3) JS challenge placed in browser
(4) Browser responds to challenge & resends request
(5) WAF verifies response authenticity; cookie is signed, time stamped and finger printed
(6) Valid requests are passed to the server; valid browser requests bypass challenge w/ future requests
(7) No challenge response from bots: bots are dropped, and continuous invalid bot attempts are blocked
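The cookie side of the flow above, as an added Python example (not the deck's or F5's code): the WAF signs the cookie with a key only it holds, stamps it with an expiry, and binds it to the client IP and fingerprint, so a copied cookie fails when replayed late or from elsewhere. The key, TTL and cookie layout are assumptions.

```python
import hashlib, hmac, secrets, time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Hypothetical WAF-side signing key and cookie lifetime (constructed values).
WAF_KEY = b"constructed-demo-key-do-not-reuse"
TTL = 300  # seconds a solved challenge stays valid before the browser is re-challenged

def _mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()

def issue_cookie(client_ip, fingerprint, now=None, key=WAF_KEY):
    """Value the injected JS challenge sets once solved: ip|fingerprint|expiry|nonce|mac."""
    expiry = int(time.time() if now is None else now) + TTL
    payload = f"{client_ip}|{fingerprint}|{expiry}|{secrets.token_hex(8)}".encode()
    return urlsafe_b64encode(payload + b"|" + _mac(payload, key)).decode()

def verify_cookie(cookie, client_ip, fingerprint, now=None, key=WAF_KEY):
    """Return 'ok' or the reason the WAF rejects the cookie."""
    try:
        payload, mac = urlsafe_b64decode(cookie.encode()).rsplit(b"|", 1)
        ip, fp, expiry, _nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return "bad-signature"  # forged or tampered: only the WAF holds the key
    if (time.time() if now is None else now) > int(expiry):
        return "expired"        # stale cookie: the replay window has closed
    if ip != client_ip or fp != fingerprint:
        return "wrong-client"   # replayed from another IP address or browser
    return "ok"

def handle(cookie, client_ip, fingerprint, now=None):
    """Per-request WAF decision following the slide's flow."""
    if cookie is None:
        return "challenge"      # first visit: answer with the JS challenge, do not forward
    return "forward" if verify_cookie(cookie, client_ip, fingerprint, now) == "ok" else "drop"
```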
25. Protocol Compliance Checks
• HTTP Protocol compliance, of course.
– Mitigates attacks like SlowLoris, and other timing attacks.
• But also, TLS protocol and cipher enforcement
– Centralized control of allowed ciphers and protocols
– Protection from vulnerabilities like Heartbleed, FREAK
• TCP handshake enforcement
– Full proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers
26. Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against Heavy URIs
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
– Track fingerprinted sessions
– Assign risk scores to sessions
– Identify known malicious browser extensions
• http://PanOpticlick.eff.org for a primer on the topic
27. What’s a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes
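Slides 26 and 27 together describe one detection: find the heavy URIs, then score sessions by how hard they hit them. An added Python example (not the deck's code) over constructed access-log records; the latency, size and rate thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed access-log records: (timestamp_s, session, path, latency_ms, response_bytes).
RECORDS = (
    [(1000 + i * 0.2, "s1", "/search.php", 850, 120_000) for i in range(12)]  # burst
    + [(1000 + i * 5, "s2", "/index.html", 20, 3_000) for i in range(3)]
    + [(1010, "s2", "/search.php", 820, 118_000)]
    + [(1000, "s3", "/search.php", 860, 121_000), (1030, "s3", "/search.php", 840, 119_000)]
)

def heavy_uris(records, min_latency_ms=500, min_bytes=100_000):
    """A URI is heavy when its typical request is slow or yields a large response."""
    lat, size = defaultdict(list), defaultdict(list)
    for _ts, _sess, path, ms, nbytes in records:
        lat[path].append(ms)
        size[path].append(nbytes)
    return {p for p in lat if median(lat[p]) >= min_latency_ms or median(size[p]) >= min_bytes}

def session_risk(records, window_s=10.0, heavy=None):
    """Peak number of heavy-URI hits each session makes inside any sliding window."""
    heavy = heavy_uris(records) if heavy is None else heavy
    hits = defaultdict(list)
    for ts, sess, path, _ms, _nbytes in records:
        if path in heavy:
            hits[sess].append(ts)
    scores = {}
    for sess, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        scores[sess] = peak
    return scores

def flood_sessions(records, threshold=5, window_s=10.0):
    """Sessions whose heavy-URI request rate looks like a GET flood."""
    return {s for s, peak in session_risk(records, window_s).items() if peak > threshold}
```

Keyed on a session or fingerprint rather than a source IP, the same score survives the attacker rotating addresses, which is the point of slide 26's third bullet.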
29. Exploiting POST for Fun & DoS
• Determine:
– URLs accepting POST
– Max size for POST
• Bypass CDN protections (POST isn’t cache-able)
• Fingerprint both TCP & app at the origin
(Diagram: Network Reconnaissance Example. Attackers work to identify weaknesses in application infrastructure)