The WAF book intro protection elements v1.0 lior rotkovitch

Practical Defensive Security
for Security Engineers
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @Rotkovitch @sirt_club
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
Web App Firewall
https://SIRT.club
By: Lior Rotkovitch
70295
©

NF
Database
Application
Servers
Web
Servers
WEB
ISP
bugs
CLOUD’S
Web Application Security
Software bugs security design
▪ Design bugs– insecure
implementations
▪ Misconfiguration bugs–
wrong, defaults
Expected traffic
footprint
▪ Code
▪ 3rd party libraries
▪ Lack of enforcement on
traffic usage
70295
©

Attack Elements
HTTP
Web Application
Database
App
Servers
Web
Servers
“Attack occurs when: attack agent is sending exploit to
execute the vulnerability that resides in the attack surface
Part of:
70295
©

Web Application
Application/s
Request
handler/s Database/s
Expected Traffic Footprint
Attack Traffic Footprint
No Services
for you
Welcome
“The need: a tool that will help us differentiate between
Expected Traffic Footprint and Attack Traffic Footprint
Suspicious
Traffic
FoF ?
The solution: WAF
70295
©

WAF–the traffic manager
❑ Allow
❑ Monitor
❑ Block
70295
©

2. CONTROL PLAIN – SETTINGS
3. REPORTING - VISUALIZATION
WAF STRUCTURE
Web Application
Web Clients
1. DATA PLANE
REQUEST
RESPONSE
1. Data Plane - WAF Engines
2. Control Plain – Settings
3. Reporting - Visualization
70295
©

2. CONTROL PLAIN – SETTINGS
3. REPORTING - VISUALIZATION
WAF STRUCTURE
Web Application
Web Clients
1. DATA PLANE
PARSER
ENGINE
TRAPS
ENGINE
ENFORCER
ENGINE
REQUEST ARRIVE
WAF SECURITY
ENGINEER
Inline device
70295
©

Request phases in WAF
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
URL /index.php
User-Agent: Mozilla/5.00 (Nikto/2.1.6)
(Evasions:None) (Test:007240)
Source IP 192.168.1.1
Time 01:32:44
Detection: Signatures -User Agent
Python-urllib/2.6
Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)
(Test:007240)
Mozilla/4.0 (Hydra)
Prevention action
Alert
Block page
Reset conn
GET / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Parser Traps Enforcer
Web Clients
70295
©

PARSER ENGINE TRAPS ENGINE ENFORCER ENGINE
Entity Detections Prevention Policy
PROTECTION ELEMENTS (PE)
WEB CLIENTS
70295
©

Protocol req/res
Payload
User input
PARSER ENGINE
Entity types
Parser engine
Parser: software that process HTTP traffic and breaks it into
small chunks called entities for additional actions.
70295
©

https://sirt.club/home/search.php?q=waf&cat=all
Protocol: https
Host: sirt.club
Path: /home/
Object: search.php
Query Sting:
Parameter name: q
Parameter value: cve
2nd Parameter name: cat
2nd Parameter value: all
REQUEST
Part of:
Parser
Request Parsing
70295
©

https://sirt.club/home/search.php?q=waf&cat=all
Protocol: https
Host: sirt.club
Path: /home/
Object: search.php
Query Sting:
Parameter name: q
Parameter value: cve
2nd Parameter name: cat
2nd Parameter value: all
Entities: - URL
Protocol: https
Host: sirt.club
Path /home/
Object search.php
Query Sting ?
Parameter name q
Parameter value waf
2nd Parameter name cat
2nd Parameter value all
REQUEST
Parser:
Part of:
70295
©

http://sirt.club/home/search.php?q=lala
Entities
VERB GET
URL /search.php
HTTP version HTTP/1.1
Parameter name q
Parameter value lala
Host: sirt.club
Connection: keep-alive
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4515.107 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.
8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0aa13ed
GET /search.php?q=lala HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/
Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed
Part of:
Protocol
Payload
(headers)
User input
GET Request Parsing
70295
©

POST login.php HTTP/1.1
Host: www.sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4515.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Cookie: SESSION=2a59508d7509c6d2c21bbf5b
uname=meme&pass=god123
POST REQUEST
Post Data, Headers – Entities:
WEB CLIENTS
WEB APP
Entities
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: login.php
Content-Length: 32
Content-Type application/x-www-form-urlencoded
Param 1 uname
Param 1 value meme
Param 2 pass
Param 2 value god123
POST Request Parsing
70295
©

POST /search.php?id=12&query=Golden%20god HTTP/1.1
Host: 172.29.46.23
Upgrade-Insecure-Requests: 1
Chrome/92.0.4515.107 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,appl
ication/signed-exchange;v=b3;q=0.9
username=omg&password=123456&action=Send
Parser Buffers
70295
©

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible"
content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams
Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>
Entities
Response
Status Code
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Response body
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
<p>SIRT protectors of the realm</p>
</Body>
</HTML>
HTTP Response Parser
WEB CLIENTS
WEB APP
RESPONSE
Payload
(headers)
Protocol
Server
output
Part of:
70295
70295
©

TRAPS -> DETECTIONS:
Signatures - Pattern matching
Anomaly - Aggregation and thresholds
Client Interrogation - HTTP client inspection
Restrictions - Allow / Block lists
Protocol
Payload
User input
@
PARSER - ENTITY
70295
©

1.SIGNATURES
3.RESTRICTIONS
2.ANOMALY
4.CLIENT INTERROGATION
WEB CLIENTS
ENTITIES DETECTIONS PREVENTION ACTION
WEB APP
Traps
Protocol
Payload
User input
Parser Enforcer
70295
©

Definition: Parten matching enginee
Matching known words / key words on entities
• Pros
• Powerful pattern matching engine (IPS)
• Block know exploits
• Virtual patching & Leak prevention
• Security visibility
• Cons
• False positives
• Management time
• Consuming resources
Signatures Attacks: Web Exploit, Bot UA, SQLi, XSS,
LFI,RFI, Command Execution, Predictable
Resource etc
GET /search.php?q=EXPLOIT HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00
Signature example
▪ Informational signature – User agent, defaults, general words
▪ Generic exploits signature – common web exploits
▪ Specific exploit signature – CVE/ real known exploits
70295
©

Verb (Method) GET
Protocol HTTP 1.1
URL /query.php
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Source IP 192.168.1.1
WAF User Agent signature
Python-urllib/2.6
Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Mozilla/4.0 (Hydra)
Signature: Informational
GET / query.php HTTP/1.1
Host: sirt.club
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
SIGNATURES
ENTITIES DETECTIONS
WEB APP
70295
©

Parser
Entities Value
Verb (Method) GET
Protocol HTTP 1.1
Parameter name q
Parameter value ../../../../../../etc/passwd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/95.0.4638.54
Source IP 192.168.1.1
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
Host: sirt.club
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
WAF Signature
../../../../../../etc/passwd
<script>alert('XSS')</script>
[]=PATH DISCLOSURE
…………..
Signature - generic exploits
SIGNATURES
ENTITIES DETECTIONS
WEB APP
70295
©

POST /submit.php HTTP/1.1
Host: sirt.club
Accept: text/html,application/,*/*;
Content-Length: 142
Cookie: SESSION=aafa5676ce60d1b33b58c0dd6de6fa87;
{“my_book”: 1.1, “tlv_book”: [<scripts>alert('lala')<script>]}
Signature – POST Data
<scripts>alert('lala')<script>
<scripts>
alert('')
<script>
Parser (entities)
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: submit.php
Accept: text/html, image/webp, */*
POST Data
{“my_book”: 1.1, “tlv_book”:
[<scripts>alert('lala')<script>]}
SIGNATURES
Signature - generic exploits
WEB APP
70295
©

Signature – Exploit
Application Firewall
Verb (Method) GET
Protocol HTTP 1.1
URL GUI.php..;/etc/passwd
Source IP 192.168.1.1
Time 01:32:44
CVE signatures
..;/etc/passwd
/............winntwin.ini
..../..../boot.ini
Prevention action
Alert
Block page
Reset conn
GET /GUI.php..;/etc/passwd HTTP/1.1
Host: sirt.club
Web App
Application
Server/s
Web
Server/s
Database
Server/s
70295
©

POST /index.html?id=12&query=green%20age HTTP/1.1
Host: 172.29.46.23
Upgrade-Insecure-Requests: 1
Chrome/92.0.4515.107 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,appl
ication/signed-exchange;v=b3;q=0.9
{“book”: 1.1, “tlv_book”: [100$US]}
Parsing Buffers
70295
©

Signature and entity level
GET /search.php?q=EXPLOIT HTTP/1.1
Host: sirt.club
Parser – Request
Entities Value
Request GET /search.php?q=EXPLOIT HTTP/1.1
Host: sirt.club
*
*q
Parser - Global parameter
Parameter Name Value
q EXPLOIT
*
q
search.php
Parser - URL parameter
Parameter Name URL Value
q search.php EXPLOIT
Signature
EXPLOIT
70295
©

Signature - Response phases in WAF
ENFORCER TRAPS PARSER
Signature - Request
70295
©

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams
Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>
Response
Status Code
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Response body
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
<p>Page Test </p>
</Body>
</HTML>
Signature - HTTP Response headers
WEB CLIENTS
RESPONSE
Headers
Response
body
Signature – Response Headers
Apache/2.1 (Unix) PHP/7.1.2
WEB APP
70295
©

HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Keep-Alive: timeout=15, max=99
Content-Type: text/html
<br>
<b>Warning</b>: Supplied argument is not a valid MySQL
result resource in <b> /var/htdocs/myapp/ </b> on line
<b>9</b><br>
<br>
<b>Warning</b>: Cannot add header information - headers
already sent by (output started at
/var/htdocs/myapp/login.php:9) in <b> /var/htdocs/myapp/
</b> on line <b>18</b><br>
……
…..
Parser - Response
Response Status
Code
HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Response body
<br>
<b>Warning</b>: Supplied argument is not a valid
MySQL result resource in <b> /var/htdocs/myapp/
</b> on line <b>9</b><br>
<br>
<b>Warning</b>: Cannot add header information -
headers already sent by (output started at
/var/htdocs/myapp/login.php:9) in <b>
/var/htdocs/myapp/ </b> on line <b>18</b><br>
RAW HTML Response
Signature – Response Body
“Supplied argument is not a valid MySQL result
resource in”
Signature - HTTP Response Body
70295
©

1.SIGNATURES
3.RESTRICTIONS
2.ANOMALY
4.CLIENT INTERROGATION
Protocol
Payload
User input
Traps
Parser Enforcer
WEB CLIENTS
WEB APP
70295
©

Anomaly
• Pros:
• Easy to use
• Effective automation detection
• Very effective in noisy attacks e.g. DdoS, BF,
• Cons:
• Needs fine tune for each site
• Advance usage needs knowledge and
experience
Anomaly example
▪ Request per second (RPS)
▪ Failed log in (FLI)
▪ Session opening
Definition: Data aggregation engine
Measure exceeding defined threshold
Attacks: Brute force , credential stuffing
, application DDoS , etc
70295
©

Internet
IP (Parser ) 5 min 20 min 1 hour AVG
10.0.0.138 50 60 180
192.168.1.1 180 0 0
172.29.44.6 400 350 3000
172.29.46.9 250 100 1000
10.1.1.1 1800 1200 800
192.168.24.24 0 100 150
Aggregated data – Policy limit per IP
Source IP: ANY @ 5 Min RPS limit
Min 220
Max 280
ANOMALY
Anomaly – increase in RPS form IP’s
Detection: Anomaly
70295
©

IP (Parser )
Current
FLI /5min
60min
FLI
10.0.0.138 60 180
192.168.1.1 0 0
172.29.44.6 35 40
172.29.46.9 100 1000
10.1.1.1 1800 3000
192.168.24.24 10 150
Aggregated data – Policy limit: FLI per IP
Source IP: ANY @ 5 Min FLI/IP over 5 min limit :
Min 300
Max 1000
Internet
Detection: Anomaly
Anomaly – increase in FLI form IP’s
Fail Login
Try Again
ANOMALY
70295
©

IP (Parser )
Sig count
5 min
Sig count
20min
Sig count
1H
10.0.0.138 500 600 1800
192.168.1.1 20 50 100
172.29.44.6 0 1 0
172.29.46.9 0 0 4
10.1.1.1 4 4 4
192.168.24.24 1 1 1
Aggregated data – Policy limit: Signatures per IP
Source IP: ANY @ 5 Min Max signature from IP / 5min
Min 20
Max 80
Post max 150 -> shun for 12 hours
ANOMALY
Anomaly – increase Sig from IP
Internet
Detection: Anomaly
70295
©

Anomaly – increase in Session ’s from IP’s
Internet
Session RPS
5 min
20 min 1 hour AVG
Session 1234567 50 60 180
Session 842153 180 0 0
Session 764531 300 350 3000
Session 1514345 250 100 1000
Session 5694615 1800 1800 1800
Session 1428648 0 100 150
Session : ANY @ 5 Min RPS limit
Min 220
Max 280
70295
©

Anomaly – increase in FLI from Geo
Internet
IP IP to GEO Current
RPS
10m RPS
10.0.0.138 Country U 60 180
192.168.1.1 Country X 0 0
172.29.44.6 Country Y 350 3000
172.29.46.9 Country W 100 1000
10.1.1.1 Country V 1800 1800
192.168.24.24 Country Z 100 150
Source IP: country @ 5 Min RPS limit
Min 300
Max 1000
IP’s
70295
©

Anomaly – increase in Sig to URL’s
Internet
URL RPS 5 min 20min 1 hour
AVG
Sell.php 500 600 1800
Help.php 120 100 100
Login.php 3000 6500 8000
Contact.us.php 1500 1000 800
1800 1800 1800
Promo.page.php 10 100 150
Source IP: ANY @ 5 Min RPS limit
Min 220
Max 280

sell.php
login.php
Contact.php
70295
©

Anomaly – increase in Session ’s from IP’s
Internet
Session RPS
5 min
20 min 1 hour AVG
IP 10.0.0.1 – total sessions 4 total RPS 780
Session 1234567 50 60 180
Session 9821363 180 0 0
Session 2972342 300 350 3000
Session 4798435 250 100 1000
IP 192.168.1.14 – total sessions 2 total RPS 1800
Session 2837464 1800 1800 1800
Session 2962349 0 100 150
Session : ANY @ 5 Min Session limit
per 5 minutes
Min 220
Max 280
Fixed Any ip sessions
above 100 in
every 1 minute
70295
©

Anomaly – increase in NEW Session ’s from IP’s
Internet
IP New Session
5 min
New Session
20 min
New Session
1 hour
10.0.0.138 2 10 50
192.168.1.1 180 0 0
172.29.44.6 300 350 3000
172.29.46.9 250 100 1000
10.1.1.1 2 3 3
192.168.24.24 0 0 2
Session : ANY @ 5 Min Session limit
per 5 minutes
Min 220
Max 280
Fixed Any IP sessions
above 100 in
every 1 minute
70295
©

Anomaly – increase Sig from IP
Internet
IP Sig count
5 min
Sig count
20min
Sig count
1H
10.0.0.138 500 600 1800
192.168.1.1 20 50 100
172.29.44.6 0 1 0
172.29.46.9 0 0 4
10.1.1.1 4 4 4
192.168.24.24 1 1 1
Block IP’s that send too many signatures (scanner , vul
hunters etc)
Source IP: ANY @ 5 Min Block IP on:
Min 20
Max 80
Post max 150 -> shun for 12 hours
WAF policy settings
70295
©

0
2
4
6
8
10
12
14
16
18
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
IP’s/URL’s
Series 1
Anomaly - Fixed Vs Ratio
0
5
10
15
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
IP/URL
App 1
70295
©

• Pros:
• A powerful and granular allow / deny
alerting and enforcement list
• Provides a schema for ETF
• Provide a schema for user input validation
• Holistic security
• Cons:
• Needs fine tune – false positive
• Needs management
• Hit count then block is the best
Restrictions
Matching Allow / Block lists
Restriction examples:
▪ Characters sets
▪ RFC & evasion
▪ Flow
▪ Structure
Definition: Restrictions engine Attacks: SQLi, XSS, directory traversal,
evasions etc
70295
©

Restrictions – length
Length Min Chars Max chars
GET Param value Min 3 chars Max 130 chars
Parser
(entities)
Value Length - found
Verb (Method) GET
Protocol HTTP 1.1
Parameter name q
Parameter value longlonglonglonglonglonglonglonglonglonglong
longlonglonglonglonglonglonglonglonglonglong
longlonglonglonglonglonglonglonglonglonglong
long
136 chars
Source IP 192.168.1.1
Time 01:32:44
http://sirt.club/search.php?q=longlonglonglonglonglonglonglon
glonglonglonglonglonglonglonglonglonglonglonglonglonglonglon
glonglonglonglonglonglonglonglonglonglonglong
Host: sirt.club
Accept: text/html,application/,*/*;
Length policy
RESTRICTIONS
70295
©

Restrictions – HTTP RFC
RFC @ any request Policy – allow/ Deny
Header with no value Block
Double host header Block
HTTP verbs: POST Get HEAD Block
Null in request Block
Parameter value with ' Block
Protocol versions 1.1 Allow
Protocol versions 1.0 Block
Verb (Method) Head
Protocol HTTP 1.0
Parameter name q
Parameter value mc’mer
Host header 172.29.46.23
SIRT.CLUB
Time 11:11:11
Header123 _____
Accept text/html,application/,*/* %00;
RESTRICTIONS
Options /search.php?q=mc’merHTTP/1.0
Host: SIRT.CLUB
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114
Safari/537.36
Accept: text/html,application/,*/* %00;
Host: 172.29.44.44
Header123:
70295
©

Restrictions – Meta characters
Metachar for
Any parameter
value
Encoding Policy – allow/
Deny
# allow
$
%
&
' %92 Block
(
)
Verb (Method) GET
Protocol HTTP 1.1
Session d58ec55996a207ed
Parameter name q
Parameter value Mc’dogal
Source IP 192.168.1.1
Time 01:32:44
http://sirt.club/search.php?q=Mc’dogal
RESTRICTIONS
70295
©

Restrictions – HTTP Verbs
VERB Policy
GET Allow
POST Allow
HEAD Allow
TRACK Block
TRACE Block
OPTIONS Block
PUT Block
Verb (Method) Options
Protocol HTTP 1.1
GET /about.php HTTP/1.0
Host: sirt.club
Verb (Method) GET
Protocol HTTP 1.1
Verb (Method) GET
Protocol HTTP 1.1
Options /help.php HTTP/1.0
Host: sirt.club
HEAD /login.php HTTP/1.0
Host: sirt.club
RESTRICTIONS
70295
©

• Multiple host headers found in request
Restrictions – RFC
POST http://192.0.0.192/latest/ HTTP/1.1
Chrome/74.0.3729.169 Safari/537.36
Host: sirt.club
accept: */*
host: sirt.club
Payload size
GET http://192.0.0.192/latest/May/yeaer HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: sirt.club
accept: */*
host: sirt.club
RESTRICTIONS
70295
©

LOGIN
PAYMENT
Enforce a flow:
o From: login.php
o To: payment.php
o Refer: index.php (always)
LOGIN USER DETAILS
Enforce a flow :
o From: login.php to user_details.php
o Method POST
o Additional condition: must have a session
RESTRICTIONS
70295
©

Search Engine name Fqdn Count /1 day
Google search .googlebot.com 150
Bing Search .msn.com 160
Ask .ask.com 10
GET /coffee HTTP/1.1
Host: sirt.club
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Connection: close DNS Server
rDNS- is the IP in the result
match the IP arriving
Source IP – x.y.z.z
Source IP – Y.Y.Y.Y
70295
©

Client Interrogation
When to use: when source generates many RPS
and we want to know if this :
1. Simple bot
2. Full browser bot
3. Full human bot
Definition: HTTP client inspection
Understating the HTTP client
• Pros
• Helping with idienfying bots/ automation
• None valuable users
• Works beyond IP level
• Cons:
• Add roundt trip, dealy the load time
• Can be tricked
Types
I. CAPTHCA
II. Client capabilities L1-4
III. Source ID SID
70295
©

User Browser
WAF - CI
App
First request GET /sell.php
GET /sell.php (not verified)
Client – interrogation
Return interrogation results
Forward request
HTTP Response (verified)
interrogation Tests:
• CLI ?
• Support JS?
• Support cookie ?
• Mouse movements
• UA fit resolution ?
• Framework ?
GET /img.png (verified )
GET /img.png (verified)
HTTP Response (verified)
HTML rendering
interrogation results :
If failed – drop / block request
if pass – forward
Client interrogation I : CAPTCHA
Prove that you are human answer this
Part of:
70295
©

IP:Y
IP:X
Who are you ?
IP:A
Client interrogation
Client interrogation II: Capabilities –L1
Only browsers are allowed here
CI results Allowed
Browser Yes
CLI No
JS capable Yes
Cookie set Yes
Part of:
70295
©

Source interrogation II – Discrepancies L4
Device
OS
HTTP
Network
Devices:
• PC
• Laptop
• Tablet
• Mobile
• IOT
• Cloud nodes
OS:
• Windows
• Linux
• MAC
• Android
Networking:
• ISP
• Proxies
• VPN / Tor
• WiFi
HTTP:
• CLI tool
• Browser
• Frameworks
Fingerprint
Browser
Screen
Discrepancies:
• Browser = firefox
• Screen = Wide
• OS = windows
• Device = PC
Opera/9.80 (Android 4.1.2; Linux; Opera
Mobi/ADR-1305251841) Presto/2.11.355
Version/12.10
JS injection results
Actual UA in request
Client interrogation II: Capabilities
Client
interrogation
70295
©

Source interrogation III– Source ID
Device
OS
HTTP
Network
Devices:
• PC
• Laptop
• Tablet
• Mobile
• IOT
• Cloud nodes
OS:
• Windows
• Linux
• MAC
• Android
Networking:
• ISP
• Proxies
• VPN / Tor
• WiFi
HTTP:
• CLI tool
• Browser
• Frameworks
Fingerprint
Browser
Screen
Source ID:
• Browser type, version
• Plugins
• Fonts
• OS
• Device
UR SID: 9883
Client
interrogation
70295
©

IP:Y
IP:X
IP:Z
Detections: Client interrogation - SID
IP:X SID: 9883
IP:X SID: 1253
IP:Y SID: 2873
IP:Z SID: 1151
IP:Z SID: 4948
IP:Z SID: 2222
SID: 9883
SID: 1253
SID: 2873
SID: 1151 SID: 4948
SID: 2222
Bidning IP/SID – measuring
Client interrogation
70295
©

TRAPS -> DETECTIONS:
Signatures - Pattern matching
Anomaly - Aggregation and thresholds
Client Interrogation - HTTP client inspection
Restrictions - Allow / Block lists
70295
Part of:
©

SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT INTERROGATION
ALERT
BLOCK
LIMIT
FOLLOW UP
WEB CLIENTS
Protocol
Payload
User input
Traps
Parser Enforcer
Part of:
70295
©

• Alert – GUI
• Alert – Log
• SMS
• Instant messaging
• Email
ALERT
To: WAF admin
▪ DASHBOARD – ALERT / CRITICAL
▪ GRAPHS – VISUAL
▪ STATISTICS – TABLES
▪ LOGS – REQUEST LOGS
Browse
r
User
IP
70295
©

• Alert – GUI
• Alert – Log
• SMS
• Messaging – slack
• Email
Your traffic is violating the site policy.
If this continues, please contact our support
111-111
Block ID: 10ABC
TCP FIN / RESET Semi blocking:
Stripping / Cloaking
ALERT
Browse
r
BLOCK
This request has been blocked
To: WAF admin
To: End Users
Part of:
Drop connection
70295
©

Your traffic is violating the site policy.
If this continues, please contact our support
111-111
Block ID: 10ABC
TCP FIN / RESET
Semi blocking:
Stripping / Cloaking
Browse
r
BLOCK
This request has been blocked
To: End Users
Drop connection
▪ Affective
70295
©

• Limiting rate of RPS on specific IP
• Limiting RPS on site
• Limiting RPS on specific URL
• Limiting time
• Limiting access – 4 hours ban
LIMIT
Part of:
IP
q
search.php
index.php
IP
Advantages
▪ Delay attack
▪ Mix traffic good and bad
▪ Less aggressive then blocking
▪ Typically works on anomalies
70295
©

Send users to honeypot for inspections
Resent browser to main page
FOLLOW UP
Part of:
Advantages
▪ Delay attack
▪ Mix traffic good and bad
▪ Less aggressive then blocking
▪ Typically works on anomalies
70295
©

• Limiting rate of RPS on specific IP
• Limiting RPS on site
• Limiting RPS on specific URL
• Limiting time
• Limiting access – 4 hours ban
Send users to honeypot for inspections
Resent browser to main page
LIMIT
FOLLOW UP
Part of:
70295
©

3. REPORTING
1. DATA PLANE
2. CONTROL PLANE
GUI API CONFIG File
WAF STRUCTURE
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT INTERROGATION
Alert
Block
Limit
Follow Up
Protocol
Payload
User Input
Traps
Parser Enforcer
Graphs Stats Request LOG
Dashboard
ISO
Part of:
ENTITIES DETECTIONS PREVENTION
70295
©

https://SIRT.club
By: Lior Rotkovitch
“Man’s biggest obstacle is he himself” LR
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
70295
Practical Defensive Security
for Security Engineers
©
70295
©

The WAF book intro protection elements v1.0 lior rotkovitch

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à The WAF book intro protection elements v1.0 lior rotkovitch

Similaire à The WAF book intro protection elements v1.0 lior rotkovitch (20)

Plus de Lior Rotkovitch

Plus de Lior Rotkovitch (15)

Dernier

Dernier (20)

The WAF book intro protection elements v1.0 lior rotkovitch