WAFFLE - A Web Application Firewall that defies rules

  1. WAFFLE – A Web Application Firewall that defies rules

     A thesis written by Dimitrios Gkizanis
     Department of Digital Systems, University of Piraeus
     Student Registration Number: E11024
     Supervisor: Dr. Christos Xenakis
  2. Table of Contents

     Abstract
     1. Web Application Firewall
        1.1 Definition
        1.2 Architecture
        1.3 Advantages
        1.4 Disadvantages
        1.5 Conclusion
     2. Web Application Security
        2.1 Introduction
        2.2 Injection Attacks
            2.2.1 SQL Injection
            2.2.2 Command Injection
        2.3 Cross-Site Scripting
  3.    2.4 File Inclusion
        2.5 Null Byte Injection
        2.6 Malicious Access
            2.6.1 Proxy Servers
            2.6.2 TOR
        2.7 Distributed Denial of Service
        2.8 Brute Force Attacks
     3. WAFFLE
        3.1 Open Source WAFs and their weaknesses a.k.a Related Work/Motivation
            3.1.1 ModSecurity and other existing solutions
            3.1.2 Motivation to develop WAFFLE
            3.1.3 The problem with the ruleset mode of operation
            3.1.4 More cons of the existing solutions
        3.2 Let's talk about WAFFLE a.k.a Innovation
            3.2.1 Why WAFFLE-The dawn of the virtual sanitizing
            3.2.2 How does virtual sanitizing works?
  4.        3.2.3 Dealing with DOM-based XSS
            3.2.4 Dealing with injection attacks and fooling the attackers
            3.2.5 Dealing with Distributed Denial of Service
            3.2.6 Dealing with possible malicious access
            3.2.7 Dealing with the known automated tools
            3.2.8 Forcing HTTPS
            3.2.9 Saving our resources
            3.2.10 Protecting our files and directories
            3.2.11 WAFFLE over the existing WAFs
            3.2.12 The shortest installation guide ever
     Conclusion
     References
     Appendix
  5. Abstract

     Nowadays, web application security is in crisis. Our applications are constantly compromised by skilled attackers who steal our information, mostly for money, and there is nothing we can do about it. The existing security solutions try to solve the problem, but attackers are always able to overcome them because, besides expertise, they have something we don't: time.

     A fairly reliable way to protect our web applications is to use a web application firewall, but the existing ones are quite prone to bypassing. One reason is that they use a ruleset of regular expressions; we will discuss later why this is not a very useful mode of operation.

     With this crisis remaining, I decided to develop a web application firewall, called WAFFLE, that makes it extremely difficult for attackers to bypass it and compromise our information. WAFFLE is a web application firewall which actually defies rules by using another mode of operation, one that is very innovative and effective against almost every web attack.
  6. 1. Web Application Firewall

     1.1 Definition

     In today's society, and especially in the computer security community, it is common knowledge that web applications are under attack. As Sarwate said in 2008, web applications continue to be a prime vector of attack for criminals, and the trend shows no sign of abating; attackers increasingly shun network attacks for cross-site scripting, SQL injection, and many other infiltration techniques aimed at the application layer. Poor input validation, insecure session management, system settings that haven't been configured properly, and flaws in operating systems and web server software are largely responsible for web application vulnerabilities.

     The most common strategy for minimizing and eliminating these vulnerabilities is secure coding. However, it is very difficult to write secure code, and this strategy hides many critical issues. First, most organizations lack the staff or budget to carry out code reviews that would eliminate possible errors. Secondly, developers are under heavy pressure because their supervisors need the applications sooner; that causes errors made in haste, so the security measures taken in the code are minimal or zero. Third, we observe that software used to
  7. analyze web application vulnerabilities are upgrading constantly; the human error seems to be a very influential factor that causes a lot of security holes inside the application.

     One of the most effective technologies that can enhance a web application infrastructure's security is a web application firewall. According to OWASP, a web application firewall (WAF) is an appliance or server application that watches HTTP/HTTPS conversations between a client browser and a web server at layer 7. The WAF can enforce security using signatures of already known attacks, protocol standards and suspicious application traffic.

     1.2 Architecture

     Typically, a WAF sits directly behind the web application we want to protect and in front of the application's web servers. With this architecture they can always operate in-line with all the traffic flowing through them. However, there are solutions that can be "out of band", using a network monitoring port. Organizations, though, usually use host- or server-based WAF applications, which are installed directly onto corporate web servers and provide similar feature sets by processing traffic before it reaches the web server or application.

     WAFs follow one of two security models, depending on the preference of the organization. A positive security model blocks all traffic except traffic known to be good. Conversely, a negative security model allows all traffic and attempts to block that which is possibly malicious. As Young suggested in 2008, a WAF using a positive security model typically
  8. requires more configuration and tuning, while a WAF with a negative security model will rely more on behavioral learning capabilities.

     Web Application Firewalls have several modes of operation, which vary according to the needs of the organization in which they are installed.

     The full reverse proxy mode is the most common and feature-rich deployment in the web application firewall space. In reverse proxy mode the device sits in line and all network traffic passes through the WAF. The WAF has published IP addresses and all incoming connections terminate at these addresses. The WAF then makes requests to back-end web servers on behalf of the originating browser. This mode is often required for many of the additional features that a WAF may provide, due to the requirement for connection termination. The downside of reverse proxy mode is that it can increase latency, which could create problems for less forgiving applications.

     When used as a transparent proxy, the WAF sits in line between the firewall and web server and acts similarly to a reverse proxy but does not have an IP address. This mode does not require any changes to the existing infrastructure, but cannot provide some of the additional services a reverse proxy can.

     Another mode of operation is using a layer-2 bridge. The WAF sits in line between the firewall and web servers and acts just like a layer 2 switch. This mode provides high performance and requires no significant network changes; however, it does not provide the advanced services other WAF modes may provide.
  9. In the out-of-band mode, the WAF is not in line and watches network traffic by sniffing from a monitoring port. This mode is ideal for testing a WAF in your environment without impacting traffic. If desired, the WAF can still block traffic in this mode by sending TCP resets to interrupt unwanted traffic.

     Host or server based WAFs are software applications which are installed on web servers themselves. Host based WAFs do not provide the additional features which their network based counterparts may provide. They do, however, have the advantage of removing a possible point of failure which network based WAFs introduce. Host based WAFs do increase load on web servers, so organizations should be careful when introducing these applications on heavily used servers.

     1.3 Advantages

     The main benefit of a WAF is the effective protection of web applications with a reasonable amount of effort and without having to change the application itself. On the one hand, the WAF protects against known attacks or vulnerabilities based on blacklists: the data security standard of the credit card industry, for example, in its current version prescribes the use of a WAF - as an alternative to regular code reviews by a specialist - as an adequate measure to protect web applications. The WAF is therefore a suitable tool for attaining industrial standards as well as fulfilling legal requirements.
  10. The use of a WAF becomes especially relevant in the case of concrete vulnerabilities, for example those uncovered via penetration tests or source code reviews. Even if it were possible to fix the vulnerability in the application promptly and with a reasonable amount of effort, the modified version can generally only be deployed at the next maintenance interval, often 2-4 weeks later. For a WAF with whitelisting, the vulnerability can be fixed promptly (hotfix), so that it cannot be exploited before the next scheduled maintenance. WAFs are especially fast in this aspect, meaning they can collaborate with source code analysis tools, so that detected external vulnerabilities can automatically result in a recommended rule set for the WAF.

      A WAF is particularly important in securing productive web applications which themselves in turn consist of multiple components and which cannot be quickly changed by the operator, e.g. in the case of poorly documented applications or third-party products without sufficient maintenance cycles. A WAF is the only option for promptly closing external vulnerabilities.

      1.4 Disadvantages

      Changes in the existing IT, web and any application infrastructure are required when using a WAF. Depending on the WAF's implementation - e.g. hardware appliance vs. embedded WAF - there are also additional tasks and risks:

      • Yet-another-proxy argument
      • Organizational tasks
  11. • Training the WAF
        ◦ On each new release of the web application
        ◦ Testing
      • False positives (which may have a significant business impact)
      • More complex troubleshooting
        ◦ WAFs also have/generate errors
        ◦ Responsibility for system-wide error situations
      • Any potential effect on the web application if the WAF terminates the application session, for example
      • Cost-effectiveness

      Furthermore, Web Application Firewalls are unable to prevent session hijacking (a WAF can only issue an alarm in the event of irregularities or terminate a session with a changing IP). Another issue with Web Application Firewall rules is that they risk false positives, which is very problematic for business-critical applications in particular.

      1.5 Conclusion

      In order to combat the ever-changing world of cyber attacks, web application firewalls themselves have to become more intelligent. This need for more predictive and innovative technology spurred web security vendors to create web application firewall software based on logic analysis. Next generation WAF vendors have started to implement a non-signature
  12. detection methodology that aims to analyze web traffic based on a litany of search parameters and detection rules. This can be a more effective means of identifying malicious web attacks with the ability to increase accuracy, provide lower false positive readings, and intelligently predict new and modified web attacks.

      Understanding the intricacies of web hacking can be complicated and most major media publications do not do enough to raise awareness of cyber security. More specifically, they do not provide enough adequate or specific instructions on how to properly protect your website and personal data from being exploited. Whether you own an online business or have a casual website, it is important to ensure the protection of all personal or customer related data left on the site. In addition to following industry best practices to avoid web hacking (such as changing passwords often, avoiding suspicious email links, etc.), using a strong web application firewall can be the most effective way to safeguard the traffic that is redirected to your website.
  13. 2. Web Application Security

      2.1 Introduction

      According to Wikipedia (The Free Encyclopedia), Web application security is defined as a branch of Information Security that deals specifically with security of websites, web applications and web services. At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems.

      The aim of Web application security is to identify the following:

      • Critical assets of the organization
      • Genuine users who may access the data
      • Level of access provided to each user
      • Various vulnerabilities that may exist in the application
      • Data criticality and risk analysis on data exposure
      • Appropriate remediation measures
  14. Web application security also aims to address and fulfill the four conditions of security, also referred to as principles of security:

      • Confidentiality: States that the sensitive data stored in the Web application should not be exposed under any circumstances.
      • Integrity: States that the data contained in the Web application is consistent and is not modified by an unauthorized user.
      • Availability: States that the Web application should be accessible to the genuine user within a specified period of time depending on the request.
      • Nonrepudiation: States that the genuine user cannot deny modifying the data contained in the Web application and that the Web application can prove its identity to the genuine user.

      The process of security analysis runs parallel with Web application development. The group of programmers and developers who are responsible for code development are also responsible for the execution of various strategies, post-risk analysis, mitigation and monitoring.

      In this chapter we will look at common web security threats, as defined by multiple sources, to better understand how to stop them using web application firewalls.
  15. 2.2 Injection Attacks

      2.2.1 SQL Injection

      SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

      By leveraging an SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.

      In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query. In order for an SQL injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
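The direct inclusion of user input described above, next to its parameterized counterpart, as an added example (not code from the thesis or from WAFFLE). The `notes` table, its rows, the input strings and the function names are constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, title TEXT)")
    db.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "groceries"), ("alice", "o'brien memo"), ("bob", "payroll")],
    )
    return db


def find_concatenated(db, owner, title):
    """Vulnerable form: user input becomes part of the SQL text."""
    query = (
        "SELECT title FROM notes WHERE owner = '" + owner
        + "' AND title = '" + title + "' ORDER BY title"
    )
    return [row[0] for row in db.execute(query)]


def find_parameterized(db, owner, title):
    """Hardened form: input is bound as a value and never parsed as SQL."""
    query = "SELECT title FROM notes WHERE owner = ? AND title = ? ORDER BY title"
    return [row[0] for row in db.execute(query, (owner, title))]


# Constructed input: the quote closes the string literal and the rest is
# parsed as SQL, so the WHERE clause is true for every row.
CRAFTED = "x' OR '1'='1"


def demo():
    """Run both forms on the same inputs and collect what each returns."""
    db = make_db()
    results = {
        "concatenated_crafted": find_concatenated(db, "alice", CRAFTED),
        "parameterized_crafted": find_parameterized(db, "alice", CRAFTED),
        "parameterized_quote": find_parameterized(db, "alice", "o'brien memo"),
    }
    # A harmless title containing a quote breaks the concatenated query; a
    # database error shown to the client is what error-based SQLi relies on.
    try:
        find_concatenated(db, "alice", "o'brien memo")
        results["concatenated_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concatenated_quote"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated query returns bob's row to alice, while the bound query treats the same input as a title that matches nothing.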
  16. The two most common types of in-band SQL injection are Error-based SQLi and Union-based SQLi.

      Error-based SQLi is an in-band SQL injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.

      Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

      The two types of inferential SQL injection are Blind-boolean-based SQLi and Blind-time-based SQLi.

      Boolean-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
  17. Time-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

      Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results. Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

      2.2.2 Command Injection

      OWASP defines Command injection as an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command
  18. injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

      The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. In a situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has.

      Essentially, command injection attacks can occur when a web application executes system commands, say, a web application that runs nslookup queries for you. If the input that is passed to the shell command is not correctly sanitized, an attacker can *inject* extra shell commands and have your application run them under the privileges of the web application, normally the privileges of the web server. Put simply, it means the attacker can execute commands on your box, leading to total system compromise. Yes, this is a very serious vulnerability.

      To explain this thoroughly, we need to show exactly what it takes for an attacker to run a command on your box, which is done with operators. The most common of them are the redirection operators (<, >>, >), the pipes (|), the inline commands (;,$) and the logical operators (&&, ||).
  19. Here are the expected results from a number of common injection patterns (appending the below to a given input string, assuming all quotes are correctly paired):

      • `shell_command` - executes the command
      • $(shell_command) - executes the command
      • | shell_command - executes the command and returns the output of the command
      • || shell_command - executes the command and returns the output of the command
      • ; shell_command - executes the command and returns the output of the command
      • && shell_command - executes the command and returns the output of the command
      • > target_file - overwrites the target file with the output of the previous command
      • >> target_file - appends the target file with the output of the previous command
      • < target_file - send contents of target_file to the previous command
      • - operator - Add additional operations to target command
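The nslookup-style wrapper discussed above, in its shell-based form and in a hardened form that validates the input and bypasses the shell, as an added example (not code from the thesis or from WAFFLE). It assumes `echo` as an offline stand-in for `nslookup`; the function names and the sample input are constructed.

```python
import re
import subprocess

# Assumption: "echo" stands in for nslookup so the example runs offline; it
# prints its arguments, which shows exactly what the program was handed.
LOOKUP_TOOL = "echo"

# Operators from the list above, longest first so ">>" is reported before ">".
OPERATORS = ("$(", "||", "&&", ">>", "`", "|", ";", ">", "<")

# Allow-list for a DNS hostname: labels of letters, digits and inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")


def find_operators(value):
    """Return the shell operators present in value (for logging or alerting)."""
    return [op for op in OPERATORS if op in value]


def is_valid_hostname(value):
    """True only for a plain hostname; rejects operators, spaces, leading '-'."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def lookup_with_shell(host):
    """Vulnerable form: the input is pasted into a command line for /bin/sh."""
    done = subprocess.run(LOOKUP_TOOL + " " + host, shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def lookup_without_shell(host):
    """Hardened form: validate, then pass the input as one argv element."""
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r (operators: %s)"
                         % (host, find_operators(host)))
    done = subprocess.run([LOOKUP_TOOL, host], capture_output=True, text=True)
    return done.stdout.splitlines()


# Constructed input using the ';' operator from the list.
CRAFTED = "example.com; echo INJECTED"

if __name__ == "__main__":
    print("shell form   :", lookup_with_shell(CRAFTED))
    print("argv form    :", lookup_without_shell("example.com"))
    try:
        lookup_without_shell(CRAFTED)
    except ValueError as exc:
        print("argv rejected:", exc)
```

The allow-list also rejects a value starting with `-`, which covers the last item of the list: input that the target program would read as an option rather than a hostname.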
  20. These examples are only scratching the surface of possible command injection vectors. One of the best automated tools for performing a command injection attack is commix.

      2.3 Cross-Site Scripting

      Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

      At first, the ability to execute JavaScript in the victim's browser might not seem particularly malicious. However, the possibility of JavaScript being malicious becomes clearer when you consider several facts: JavaScript has access to cookies, which are very critical information, and it can make arbitrary modifications to the XMLHttpRequest and other mechanisms. These two facts combined can cause very serious security breaches.

      While the goal of an XSS attack is always to execute malicious JavaScript in the victim's browser, there are a few fundamentally different ways of achieving that goal. XSS attacks are often divided into three types:
  21. • Persistent XSS, where the malicious string originates from the website's database.
      • Reflected XSS, where the malicious string originates from the victim's request.
      • DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.

      There is a special case of DOM-based XSS in which the malicious string is never sent to the website's server to begin with: when the malicious string is contained in a URL's fragment identifier (anything after the # character). Browsers do not send this part of the URL to servers, so the website has no way of accessing it using server-side code. The client-side code, however, has access to it and can thus cause XSS vulnerabilities by handling it unsafely. This situation makes it very difficult for Web Application Firewalls to detect and prevent DOM-based XSS attacks because they provide server side protection. At least until now.

      2.4 File Inclusion

      A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server by making use of the 'include' functionality. This vulnerability is mainly due to a bad input validation mechanism, wherein the user's input is passed to the file include commands without proper validation. The
  22. impact of this vulnerability can lead to malicious code execution on the server or reveal data present in sensitive files, etc.

      Remote file inclusion (RFI) allows an attacker to include and execute a remotely hosted file using a script by including it in the attack page. The attacker can use RFI to run malicious code either on the client side or on the server. The impact of this attack can vary from temporary theft of session tokens or data when the target is the client, to complete compromise of the system when the target is the application server.

      Local file inclusion is the process of including local files available on the server. This vulnerability occurs when a user input contains the path to the file that has to be included. When such an input is not properly sanitized, the attacker may give some default file names and access unauthorized files, or an attacker may also make use of directory traversal characters and retrieve sensitive files available in other directories.

      From the above information we can conclude that file inclusion attacks can at times be more harmful than SQL injection, etc.; therefore there is a great need to remediate such vulnerabilities. And proper input validation is the only key to avoid such vulnerabilities.

      2.5 Null Byte Injection

      Null Byte Injection is an active exploitation technique used to bypass sanity checking filters in web infrastructure by adding URL-encoded null byte characters (i.e. %00, or 0x00 in
  23. hex) to the user-supplied data. This injection process can alter the intended logic of the application and allow a malicious adversary to get unauthorized access to the system files.

      Most web applications today are developed using higher-level languages such as PHP, ASP, Perl, and Java. However, these web applications at some point require processing of high-level code at system level and this process is usually accomplished by using 'C/C++' functions. The diverse nature of these dependent technologies has resulted in an attack class called 'Null Byte Injection' or 'Null Byte Poisoning' attack.

      In C/C++, a null byte represents the string termination point or delimiter character which means to stop processing the string immediately. Bytes following the delimiter will be ignored. If the string loses its null character, the length of a string becomes unknown until the memory pointer happens to meet the next zero byte. This unintended ramification can cause unusual behavior and introduce vulnerabilities within the system or application scope. In similar terms, several higher-level languages treat the 'null byte' as a placeholder for the string length as it has no special meaning in their context. Due to this difference in interpretation, null bytes can easily be injected to manipulate the application behavior.

      URLs are limited to a set of US-ASCII characters ranging from 0x20 to 0x7E (hex) or 32 to 126 (decimal)[5][8]. However, the aforementioned range uses several characters that are not permitted because they have special meaning within the HTTP protocol context. For this reason, the URL encoding scheme was introduced to include special characters within a URL using the extended ASCII character representation. In terms of "null byte", this is represented as %00 in
  24. hexadecimal. The scope of a null byte attack starts where web applications interact with active 'C' routines and external APIs from the underlying OS, thus allowing an attacker to manipulate web resources by reading or writing files based on the application's user privileges.

      2.6 Malicious Access

      2.6.1 Proxy Access

      A proxy server is a computer, or usually a set of computers, that acts as an intermediary between a client computer and a web server. It enables client computers to make indirect requests through it for resources or services such as web pages, videos, PDF files, etc.

      Here's how it works: A client contacts the proxy server and requests a file, web page or other resource from a different server. If the proxy server has the requested file or web page in
  25. its cache, the proxy server returns the file or web page to the client. Otherwise, it connects to the requested server, provides the client with the file or web page, and then saves it in its cache for later use. Because of their position between the client and the requested resource, proxy servers can potentially alter a client's request or the server's response.

      Caching Web proxies can speed up access to frequently accessed web pages by building a cache of frequently requested web pages or files. By speeding up the network traffic, they also provide needed relief to server load. After getting a client's request for a website URL or file, the proxy first looks in its own cache. If the data is in the cache, it immediately goes to the requesting client.

      When you use a proxy server, your computer or mobile device is essentially entering the Internet via a server and an IP address different from your own. Web browsers tend to use proxy servers to access restricted content not made available to their host servers.

      Despite the aforementioned apparent benefits, use of a proxy server as an Internet gateway entails a number of potential risks. It is likely you will encounter more banners and ads when you connect to the Internet via a proxy server than otherwise. When you connect to a proxy server, a session is assigned for your online engagements. However, very often, server providers stuff your session with ad links with the objective of generating advertising revenue. Even worse, proxy providers
  26. can infiltrate your session with viruses and spam, which you may inadvertently download and cause fatal damage to your computer.

      When you use a proxy server you're essentially surrendering your host name to an often unknown third party. In other words, you may use someone else's IP address to browse the Internet, but you're submitting and exposing your own address for potential abuse. For instance, someone may use your identity as a proxy to conduct nefarious and illegal activities on the Internet. Further, without your knowledge or consent, proxy providers may hand over or sell your IP address to others such as marketers or law enforcement. Thus, proxies can result in severe breach and abuse of your Internet identity.

      Even a well-intended proxy operation may not always deliver the desired online security and speed. Hundreds and sometimes thousands of Web users rely on a single server to route data back and forth. Proxy servers require large amounts of bandwidth to sustain the burden of heavy traffic from multiple workstations. However, it costs money, labor and time to buy more bandwidth, install updated security patches and ease the pressure that a server experiences. Hence, Web browsing via a proxy can often be agonizingly slow and almost always insecure.

      2.6.2 Tor Access

      Tor is an acronym for "The Onion Router". It is so named because it works by wrapping your request in several layers of encryption and then sending this request through an
  27. 27. automatically generated chain of nodes. At some point, the request must be unwrapped to be sent to its final destination because most people are trying to communicate with an ordinary online service that doesn’t understand Tor’s methods. The Tor node that performs the final unwrapping is called an exit node. The exit node decrypts the packet it received from its sibling on the chain of nodes and receives your full, plaintext request, which it submits on your behalf to the intended destination. The exit node waits for the response, encrypts it, and sends the encrypted response back up through the node chain until it reaches you, the dear user and the termination of the chain, where your Tor client decrypts the packet from your chain-sibling and presents your client with a comprehensible piece of data.

      There is no way to restrict what an exit node can do with your session’s plaintext, and anyone can run an exit node. There is no qualification process and there are no restrictions. Barack Obama could be running an exit node within minutes, and so could Edward Snowden, and there’d be no way for either of them to ensure that the other couldn’t see the requests they were sending. The user simply checks a box in Vidalia and he’s running an exit node, relaying plaintext data between conversants. Exit nodes automatically change every few minutes, so many exit nodes will be relaying pieces of your conversation, possibly re-exposing sensitive data to many entities over the course of a single session. Anyone running a Tor exit node is a potential listener.

      The Tor project attempts to scare exit node operators straight by citing the possibility of prosecution under wiretap laws, but this is a purely legal restriction; under Tor’s design,
  28. 28. there is no possible technical implementation that would prevent the exit node operator from being able to save both incoming and outgoing messages as sent between conversants. Only the threat of prosecutorial pressure (which is basically non-existent for certain parties) stands betwixt an exit node operator and your data. Thus, Tor is extremely dangerous for the ordinary user. It must be used only for specific, carefully-planned sessions, or you risk exposing sensitive personal data to anyone running an exit node.

      Tor was built for a specific purpose, which was the circumvention of restrictive firewalls. The default example is China; Tor could be used by Chinese dissidents to post or access information that is censored in China, but available in the “free world”. Tor would make it impossible for the Chinese government to tell which computer was used to post a certain piece of information, and would hide the fact that other information was being accessed at all. Tor is meant as a lifeline to the outside world.

      Tor actually makes it much easier to spy on random conversations between entities, if you’re into that kind of thing (and the government obviously is), because the idea is to get public information in and out of a locked-down environment. And it works very well for that. With this in mind, it’s ironic to look back on the way that certain persons have clung to Tor as a solution to domestic spying, because in actual fact, Tor makes such spying easier for an adversary that is only slightly removed from many of Tor’s biggest participants (universities), and opens the user’s traffic up to the possibility of tampering or recording from a potentially infinite collection of more ignominious foes.
  29. 29. 2.7 Distributed Denial of Service

      A Denial of Service (DoS) attack is an attack with the purpose of preventing legitimate users from using a specified network resource such as a website, web service, or computer system. A Distributed Denial of Service (DDoS) attack is a coordinated attack on the availability of services of a given target system or network that is launched indirectly through many compromised computing systems. The services under attack are those of the “primary victim”, while the compromised systems used to launch the attack are often called the “secondary victims.” The use of secondary victims in a DDoS attack provides the attacker with the ability to wage a much larger and more disruptive attack while remaining anonymous, since the secondary victims actually perform the attack, making it more difficult for network forensics to track down the real attacker.

      There are two main classes of DDoS attacks: bandwidth depletion and resource depletion attacks. A bandwidth depletion attack is designed to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the primary victim. A resource depletion attack is designed to tie up the resources of a victim system, making the victim unable to process legitimate requests for service.

      A flood attack involves zombies sending large volumes of traffic to a victim system, to congest the victim system’s network bandwidth with IP traffic. The victim system slows down, crashes, or suffers from saturated network bandwidth, preventing access by
  30. 30. legitimate users. Flood attacks have been launched using both UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) packets.

      In a UDP Flood attack, a large number of UDP packets are sent to either random or specified ports on the victim system. The victim system tries to process the incoming data to determine which applications have requested data. If the victim system is not running any applications on the targeted port, it will send out an ICMP packet to the sending system indicating a “destination port unreachable” message.

      In a DDoS TCP SYN attack, the attacker instructs the zombies to send bogus TCP SYN requests to a victim server in order to tie up the server’s processor resources, and hence prevent the server from responding to legitimate requests. The TCP SYN attack exploits the three-way handshake between the sending system and the receiving system by sending large volumes of TCP SYN packets to the victim system with spoofed source IP addresses, so the victim system responds to a non-requesting system with the ACK+SYN. When a large volume of SYN requests is being processed by a server and none of the ACK+SYN responses are returned, the server eventually runs out of processor and memory resources, and is unable to respond to legitimate users.

      Often, the attacking DDoS tool will also spoof the source IP address of the attacking packets. This helps hide the identity of the secondary victims, since return packets from the victim system are not sent back to the zombies, but to the spoofed addresses. UDP flood attacks may also fill the bandwidth of connections located around the victim system. This often impacts systems located near the victim.
  31. 31. Some DDoS attack tools also make use of encrypted communication within the DDoS attack network. Agent-handler DDoS attacks might use encrypted communications between the client and the handlers and/or between the handlers and the agents. IRC-based DDoS attacks may use either a public, private, or secret channel to communicate between the agents and the handlers. Both private and secret IRC channels provide encryption; private channels (not the data or users) appear in the IRC server’s channel list but secret channels do not.

      2.8 Brute Force

      The brute-force attack is still one of the most popular password cracking methods. Nevertheless, it is not just for password cracking. Brute-force attacks can also be used to discover hidden pages and content in a web application. This attack is basically “a hit and try” until you succeed. This attack sometimes takes longer, but its success rate is higher. In this article, I will try to explain brute-force attacks and popular tools used in different scenarios for performing a brute-force attack to get the desired results.

      A brute-force attack is when an attacker uses a set of predefined values to attack a target and analyzes the response until he succeeds. Success depends on the set of predefined values. If it is larger, it will take more time, but there is a better probability of success. The most common and easiest to understand example of the brute-force attack is the dictionary attack to crack a password. In this, the attacker uses a password dictionary that contains millions of words that can
  32. 32. be used as a password. Then the attacker tries these passwords one by one for authentication. If this dictionary contains the correct password, the attacker will succeed.

      In a traditional brute-force attack, the attacker just tries combinations of letters and numbers to generate passwords sequentially. However, this traditional technique will take longer when the password is long enough. These attacks can take several minutes to several hours or several years depending on the system used and the length of the password.

      To prevent password cracking by a brute-force attack, one should always use long and complex passwords. This makes it hard for the attacker to guess the password, and brute-force attacks will take too much time. Most of the time, WordPress users face brute-force attacks against their websites. Account lockout is another way to prevent the attacker from performing brute-force attacks on web applications. However, for offline software, things are not as easy to secure.

      Similarly, for discovering hidden pages, the attacker tries to guess the name of the page, sends requests, and sees the response. If the page does not exist, it will show response 404 and on success, the response will be 200. In this way, it can find hidden pages on any website.

      Brute-force is also used to crack the hash and guess a password from a given hash. In this, the hash is generated from random passwords and then this hash is matched with a target hash until the attacker finds the correct one. Therefore, the higher the type of encryption (64-bit, 128-bit or 256-bit encryption) used to encrypt the password, the longer it can take to break.
  33. 33. A reverse brute-force attack is another term that is associated with password cracking. It takes a reverse approach to password cracking. In this, the attacker tries one password against multiple usernames. Suppose you know a password but do not have any idea of the usernames. In this case, you can try the same password and guess different usernames until you find the working combination.

      Brute-forcing is the best password cracking method. The success of the attack depends on various factors. However, the factors that affect it most are password length and the combination of characters, letters and special characters. This is why, when we talk about strong passwords, we usually suggest that users have long passwords with a combination of lower-case letters, capital letters, numbers, and special characters. It does not make brute-force impossible but it makes brute-force difficult. Therefore, it will take a longer time to reach the password by brute-forcing. Almost all hash cracking algorithms use brute-force to hit and try.
  34. 34. 3. WAFFLE

      In this chapter we will talk about WAFFLE, which is a Web Application Firewall that I developed for this thesis under my professor Dr. Christos Xenakis. But before we start talking about WAFFLE we must look at how other security-oriented organizations deal with web application security nowadays.

      3.1 Common Open Source WAFs and their weaknesses a.k.a Related Work/Motivation

      3.1.1 ModSecurity and other existing solutions

      The most common open source WAF everyone will encounter is SpiderLabs’s ModSecurity. ModSecurity is a web application layer firewall that supplies an array of request filtering and other security features to the Apache HTTP Server, IIS and NGINX. ModSecurity is free software released under the Apache license 2.0.

      ModSecurity is one of the Apache server modules that provides website protection by defending against hackers and other malicious attacks. It is a set of rules with regular expressions that helps to instantly filter out the
  35. 35. commonly known exploits. ModSecurity obstructs the processing of invalid data (code injection attacks) to reinforce and nourish the server's security.

      ModSecurity stands in this thesis as an example of every WAF that uses a ruleset, and the points we are about to make about ModSecurity are also true of other WAFs with the same mode of operation, like AQTRONIX WebKnight, Profence, PHP-IDS and OpenWAF.

      3.1.2 Motivation to develop WAFFLE

      At this point I’d like to mention that the main thing that drove me to pick this particular subject for this thesis is a paper that was written in September 2015 by Mazin Ahmed, a security specialist. This paper was about how he managed to evade the XSS filters of every popular Web Application Firewall, in order to prove that there is no effective way to protect against a vulnerability other than fixing its root cause. While reading it, I realized that these famous WAFs, open source or not, were unable to protect web applications even from the simplest XSS attacks, and so, as a security enthusiast and future analyst, I wanted to develop a Web Application Firewall that was going to change that and that every organization could use to protect their information.

      In chapter 2, we analyzed every popular web application attack and how they operate in order to compromise our web applications. Most of the famous Web Application Firewalls
  36. 36. can block most of the attacks mentioned above, and specifically for the injection techniques they achieve that by using a ruleset and blocking specific characters and regular expressions which can prove malicious for our web infrastructure. But I think that having a ruleset and blocking specific requests can create other problems, which may do no harm on a security level but can cause trouble in the operation of our web applications.

      3.1.3 The problem with the ruleset mode of operation

      First, having a ruleset is not safe for inexperienced users, because they may miss something in the configuration process (if they are lucky enough to get to it) and make the web application easier to compromise. The same problem remains for experienced users: with a large ruleset on your Web Application Firewall, it is very easy for them to decide that they are not going to need a rule, or to forget to add it out of overconfidence.

      Second, this process is really slow, because the WAF has to control every single input, and it may cause a flood on the server when many requests are sent in a small amount of time. This makes our web application very slow and the users of the application will not have proper quality of service.

      Third, this may create a lot of false positives, and again the quality of service is going to be pretty low. For example, if we block the “<” character, which is commonly used for XSS attacks, the page will not be displayed for someone who just wants to write in a dialog box this
  37. 37. “<” in a mathematics forum. The request is going to be legit but it will still be blocked. The same goes for the admin side: if, for example, he wants to write a query as an input in the URL to search for a specific value in the database, it will be blocked by the WAF as part of its SQL injection protection.

      Fourth, it is impossible to defeat DOM-based XSS attacks 100% while using rules. As we’ve seen before, DOM-based XSS attacks use a server-side flaw and they execute the payload in the response page. So even if the request is blocked, the payload is going to pass as legit. This is proven by the paper that Mr. Ahmed wrote, as he found multiple DOM-based XSS attacks in every popular Web Application Firewall.

      3.1.4 More cons of the existing solutions

      Another problem that the WAFs mentioned above have yet to solve is how to deal with DDoS attacks. In 2013, ModSecurity had been found twice vulnerable to DDoS attacks as suggested. These attacks were allowed by the WAF, as attackers caused a denial of service using a POST request the first time and an XML external entity declaration in conjunction with an entity reference (XXE vulnerability) the second time.

      As Mr. Ahmed suggested, the same firewall was vulnerable to XSS attacks, specifically with payloads like <a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a> or ¼script¾alert(¢xss¢)¼/script¾ .
  38. 38. Last but not least, ModSecurity doesn’t provide a specific installation guide and, as it is, it is very difficult to install whether you are an experienced user or not. I had a personal experience with this WAF, because it took me at least two weeks to install it without problems, so I guess this is going to be a heavy burden for inexperienced users who want to protect their web application.

      In conclusion, in my opinion these existing solutions fail their purpose in both information security and quality of service because of the use of the traditional mode of operation, which is the ruleset. As we explained above, using a ruleset can create more problems than it solves, and I think that in order to move forward to a modern web application security model we have to get rid of this deployment in web application firewalls and think of a new one. This new model is going to be something I call “virtual sanitizing”.

      3.2 Let’s talk about WAFFLE a.k.a Innovation

      3.2.1 Why WAFFLE – The dawn of the virtual sanitizing

      WAFFLE stands for Web Application Firewall For Limited Exploitation and it was developed in PHP, with its first stable release on the 6th of April. The limited exploitation part comes from the fact that, as a security engineer, I can safely say that no system or infrastructure in general is safe, so WAFFLE can only limit the exploitation, at least for every known web attack.
  39. 39. But why is WAFFLE better at dealing with security threats than the existing solutions? The answer to that is simple. WAFFLE does not have a ruleset for dealing with injection techniques and other types of attacks, and it’s the first solution that has a security model based on virtual sanitizing. Virtual sanitizing is a technique that, instead of blocking the request when it spots a special character or regular expression in order to stop the attack, lets the request pass but, before the output is given, converts every character in the payload into the respective HTML-encoded character.

      3.2.2 How does virtual sanitizing work?

      In PHP, there is a function called htmlentities() which does exactly this job, replacing all the characters with HTML code. The attacker injects a malicious payload in our URL and we replace every character with HTML code on the server side, so the outcome of the payload is going to be just useless trash code. For example, if the attacker wants to perform the XSS attack through which ModSecurity was compromised and we let WAFFLE deal with it, the outcome would be a payload like this:

      &lt;a href=&quot;j[785 bytes of(&amp;NewLine;&amp;Tab;)]avascript:alert(1);&quot;&gt;XSS&lt;/a&gt;

      This payload does no harm to our system because it’s been completely sanitized from its malicious purpose.
  40. 40. But the beauty of virtual sanitizing is that the output appears to the user just as he expected it, so this method creates no false positives. So if we put this “<” character in our dialog box in the mathematics forum from before, WAFFLE won’t see it as an attack; it will replace it with HTML code, but the output is going to be this “<” character. By eliminating the false positives, this web application firewall became smarter than the other solutions, as it now provides maximum security against these types of attacks and the output remains legit.

      Some attackers first encode their input, generally with base-64 encoding, so that when it is decoded it will carry out the attack. But in that case the attempt will fail, as WAFFLE has a mechanism for checking whether a character is base-64 encoded; if it is, it decodes it and then applies the htmlentities() function to it, so the attack is successfully neutralized.

      3.2.3 Dealing with DOM-based XSS

      Using this method, WAFFLE is the first web application firewall which can provide protection against DOM-based XSS attacks. This happens because they can no longer find a server-side flaw to operate on, since we are eliminating them from the server side by replacing every character in the payload. I contacted Mr. Mazin Ahmed to ask whether he could find an XSS attack on a page protected by WAFFLE and his answer was: “Most attacks seems to be mitigated due to encoding. It follows the "virtual patching" on a new level that it is way better than normal WAFs, I personally love it.” He also said that he would let me know if he was able to find a way to bypass WAFFLE using XSS, and he hasn’t contacted me yet.
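
The sanitizing step described in 3.2.2, including the base-64 check, as an added PHP example that is not WAFFLE's own code. The function names, the base-64 detection heuristic and the sample inputs are assumptions made here; flags and charset are passed explicitly because htmlentities() before PHP 8.1 leaves single quotes unencoded by default.

```php
<?php
// Added illustration of "virtual sanitizing"; not WAFFLE's own code.
// Function names are hypothetical and all sample inputs are constructed.

/**
 * Return the decoded text when $value is canonical base64 of valid UTF-8,
 * otherwise null. This is a heuristic assumed for the example.
 */
function decode_if_base64(string $value): ?string
{
    // Wrong alphabet/padding or very short input: treat as ordinary text.
    if (strlen($value) < 8 || !preg_match('/^[A-Za-z0-9+\/]+={0,2}\z/', $value)) {
        return null;
    }
    $decoded = base64_decode($value, true);              // strict mode
    if ($decoded === false || base64_encode($decoded) !== $value) {
        return null;                                      // not canonical base64
    }
    // Accept only valid UTF-8 so that random binary is not treated as text.
    return preg_match('//u', $decoded) === 1 ? $decoded : null;
}

/** Entity-encode one string for output inside an HTML page. */
function encode_html(string $value): string
{
    // ENT_QUOTES     : encode both " and ' (matters inside quoted attributes)
    // ENT_SUBSTITUTE : replace invalid byte sequences instead of returning ""
    // 'UTF-8'        : must match the charset the page is served with
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Sanitize a request value: strings, and arrays of strings at any depth. */
function virtual_sanitize($input)
{
    if (is_array($input)) {
        $clean = [];
        foreach ($input as $key => $item) {
            $clean[encode_html((string) $key)] = virtual_sanitize($item);
        }
        return $clean;
    }
    if (!is_string($input)) {
        return $input;                                    // ints, null, ...
    }
    $decoded = decode_if_base64($input);
    return encode_html($decoded !== null ? $decoded : $input);
}

// Constructed stand-in for $_GET.
$request = [
    'post'  => 'if a < b and b < c then a < c',
    'title' => 'O\'Reilly\'s "quoted" title',
    'link'  => '<a href="j&NewLine;&Tab;avascript:alert(1);">XSS</a>',
    'b64'   => base64_encode('<script>alert("xss")</script>'),
    'tags'  => ['<b>bold</b>', 'plain'],
];

foreach (virtual_sanitize($request) as $name => $value) {
    echo $name, ' => ', is_array($value) ? implode(' | ', $value) : $value, PHP_EOL;
}
```

The encoded values render as the original characters when placed in HTML text or inside a quoted attribute, which is the property the mathematics forum example relies on.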
  41. 41. 3.2.4 Dealing with injection attacks and fooling the attackers

      Using virtual sanitizing, WAFFLE is able to protect web applications from the most common known web threats, like XSS attacks, SQL injections, command injections, local file inclusion, remote file inclusion and null byte attacks, as we have seen in this chapter. But there are many other threats, as we mentioned in chapter 2, so WAFFLE needs a way to stop them too.

      Another great feature WAFFLE has is that it gives the administrator the opportunity to put a maximum input limit on queries, because plenty of automated tools use pretty long payloads, especially ones that do double encoding on the existing payload.

      In this way, the attacker is unable to recognize whether there is a web application firewall installed on the web application he is attacking, and this is very important because we all know hackers are problem solvers. If they don’t know what the problem is, they can’t fix it. We could definitely, for example, return a 404 message in case of an XSS attack on our web application, but then the attacker would know that something was wrong and that the page is protected with a web application firewall. With the virtual sanitizing method, where the output comes back legit, the attacker does not know what is wrong with his payload, and that takes from him the most important tool he has against us security analysts. Time.
  42. 42. 3.2.5 Dealing with Distributed Denial of Service

      WAFFLE provides very effective protection against distributed denial of service attacks. The administrator of the web application is provided with two values, called requests_limit and frequency respectively. With the requests_limit value he sets a limit on the number of requests a user may make in a row within the given frequency value (which is counted in seconds/requests); if the user violates the limit, he is banned through a mechanism that uses iptables.

      This method of protecting against DDoS attacks can easily be used for brute-force attack protection as well. Attackers usually use automated tools which make lots of requests in a short amount of time in order to get a username and password from the login form of our web applications, so if they use these tools their IP will get banned from the web application and the attack will never be completed.

      3.2.6 Dealing with possible malicious access

      As we have seen in chapter 2, proxy servers and The Onion Routing are pretty useful but can easily be used for malicious purposes as well. WAFFLE can protect web applications from
  43. 43. these purposes by detecting a non-anonymous proxy or Tor access and banning the IP involved from the web application.

      On the proxy side, WAFFLE has a list of HTTP headers through which it can detect whether the user accessing our web application is using a proxy, and ban him. On the onion routing side, WAFFLE creates a file that it takes from this site:, which contains every IP of the Tor exit nodes and is being updated constantly. In this way it does not allow any Tor user to access our web application, because it detects the IP and bans it.

      3.2.7 Dealing with the known automated tools

      WAFFLE can also protect against multiple user agents which have no other intention but to harm our web application. For example, it blocks some user agents by default, like sqlmap or acunetix, which are very useful tools for experimental purposes but can also perform an attack effectively. It also gives the administrator the opportunity to block any other user agent he believes can be harmful for his web application.

      By blocking these user agents, WAFFLE does not allow a request coming from them. So if an attacker uses sqlmap, for example, to test whether a payload can be injected into our web application, the request will just fail and the tool will become useless, because WAFFLE will recognize sqlmap as a malicious user agent.
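
The Tor and proxy checks of section 3.2.6, as an added PHP example that is not WAFFLE's own code. It validates each listed address, keeps the previous list when a download fails or parses to nothing, and checks a watched set of proxy headers; the function names, the header list and the sample data are assumptions made for this illustration.

```php
<?php
// Added illustration; not WAFFLE's own code. Names are hypothetical, and the
// exit-list text and requests below are constructed samples that use
// documentation address ranges.

/** Collect valid IPs from "ExitAddress <ip> <date> <time>" lines, keyed by IP. */
function parse_exit_addresses(string $listText): array
{
    $set = [];
    foreach (preg_split('/\R/', $listText) as $line) {
        if (preg_match('/^ExitAddress\s+(\S+)/', $line, $m)
            && filter_var($m[1], FILTER_VALIDATE_IP) !== false) {
            $set[$m[1]] = true;        // keyed array: O(1) lookup, no duplicates
        }
    }
    return $set;
}

/**
 * Build the new lookup set from a download result. file_get_contents()
 * returns false on failure; in that case, or when nothing valid parses,
 * the previous set is kept instead of being replaced by an empty one.
 */
function refresh_exit_set($downloaded, array $previous): array
{
    $fresh = is_string($downloaded) ? parse_exit_addresses($downloaded) : [];
    return $fresh !== [] ? $fresh : $previous;
}

/** Names of watched proxy headers that are set in a $_SERVER-style array. */
function proxy_headers_present(array $server, array $watched): array
{
    $found = [];
    foreach ($watched as $key) {
        if (!empty($server[$key])) {
            $found[] = $key;
        }
    }
    return $found;
}

/** Classify a request as 'tor', 'proxy' or 'allow'. */
function classify_access(array $server, array $exitSet, array $watched): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (isset($exitSet[$ip])) {
        return 'tor';
    }
    return proxy_headers_present($server, $watched) !== [] ? 'proxy' : 'allow';
}

// Constructed exit-list sample; the last entry is deliberately malformed.
$sampleList = <<<'TXT'
ExitNode 0000000000000000000000000000000000000001
Published 2016-04-01 10:00:00
LastStatus 2016-04-01 11:00:00
ExitAddress 192.0.2.10 2016-04-01 11:05:00
ExitNode 0000000000000000000000000000000000000002
ExitAddress 198.51.100.7 2016-04-01 11:06:00
ExitAddress not-an-ip 2016-04-01 11:07:00
TXT;

// Assumed header list for this example (as $_SERVER keys).
$watched = ['HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED', 'HTTP_CLIENT_IP'];

$exitSet = refresh_exit_set($sampleList, []);
$exitSet = refresh_exit_set(false, $exitSet);   // simulated failed download

$requests = [
    'tor exit'     => ['REMOTE_ADDR' => '192.0.2.10'],
    'via proxy'    => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_VIA' => '1.1 cache.example'],
    'direct visit' => ['REMOTE_ADDR' => '203.0.113.9'],
];
foreach ($requests as $label => $server) {
    echo $label, ' => ', classify_access($server, $exitSet, $watched), PHP_EOL;
}
```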
  44. 44. 3.2.8 Forcing HTTPS

      HTTPS is a protocol for secure communication over a computer network which is widely used on the internet. It has some features that can be very useful in protecting our web infrastructure from several attacks. WAFFLE has a mechanism which allows the administrator to force users to use HTTPS while they communicate with the web application.

      3.2.9 Saving our resources

      Nowadays, there are plenty of tools that can overload the servers of our web applications and make them unable to manage the requests, and as a result the quality of service of our application is decreased. WAFFLE provides an excellent feature to the application administrator which lets him set a CPU load average limit; if the limit is met, the application will shut down without initializing other services, like SQL, which can use more resources.

      3.2.10 Protecting our files and directories

      But one of the most amazing features I think WAFFLE has is an extra authentication in the case of sensitive files or directories. WAFFLE lets the administrator choose a username and password for every file or directory which has in its name the words ‘admin’,
  45. 45. ‘administrator’, ‘manager’ and ‘manage’. With this feature, even if the attacker gains administrator rights, he will definitely need another username and password in order to compromise information related to the web application’s management.

      3.2.11 WAFFLE over the existing WAFs

      All the above features are included in WAFFLE’s stable release, and as it is still under development there are a lot more to come. But apart from those amazing features and the innovation behind them, which make our web applications more secure but still vulnerable, as there is no such thing as an uncompromisable system, WAFFLE has still more advantages over other existing solutions.

      To begin with, WAFFLE is a script which contains 274 lines of code and it is by far the simplest, but definitely powerful, open source web application firewall. It also has a 42-line configuration file which turns the provided features on and off and sets some variables like the file names, the DDoS protection values and the user agent names.

      Secondly, WAFFLE is the web application firewall with the simplest installation procedure for both experienced and inexperienced users. In my research, I have encountered many open source web application firewalls and the strong majority of them were pretty difficult to install for me, who I think am an experienced user. For an inexperienced user, I think it is impossible to install them and use them properly on their web application. Furthermore, the very detailed configuration file makes WAFFLE pretty easy to configure for every kind of user.
  46. 46. 3.2.12 The shortest installation guide ever

      In order to install WAFFLE you need a web server (Apache2 or PHP-FPM is preferable, or any other) and you upload the waffle.php file and the config.ini file to a directory of your preference. Then you open the php.ini file of your web application and search for the auto_prepend_file value, which is empty by default. You replace the empty value with the directory the waffle.php file is in, and it is completely installed after you restart your server. You can find WAFFLE on GitHub by pressing on this link
  47. 47. Conclusion

      With the use of virtual sanitizing, there is a revolution in the way we handle user input validation, because of the legitimacy of the output as well as the successful protection against injection attacks. Furthermore, while it was impossible to neutralize DOM-based XSS attacks from the server side, virtual sanitizing managed to cope with them and make room for this innovative mode of operation in modern web application firewalls.

      WAFFLE is just an example of what a web application firewall is capable of, and I think people got it pretty wrong in stating that the web application firewall is an old technology that cannot really help us anymore against cyber attacks. But if there is one thing that is definitely true, it is that such practices cannot render a system a hundred percent safe, though our web applications are getting harder to compromise.

      Another point made clear in this thesis is that the use of a ruleset of regular expressions to deal with the best-known attacks is obsolete, and we as cyber security researchers need to always find more innovative means to fight against threats, especially on the World Wide Web. We need to evolve as attackers do if we want to win the cyber war that has already commenced and simultaneously provide the best quality of service to Internet users.
  48. 48. References

      [1] Web Application Firewalls – SANS Technology Institute
      [2] OWASP
      [3] Web Application Security – Wikipedia, the free Encyclopedia
      [4] SQL Injection – OWASP
      [5] Practical Identification of SQL Injection Vulnerabilities – US-CERT
      [6] Command Injection – OWASP
      [7] Commix: Detecting and exploiting command injection flaws Exploiting-Command-Injection-Flaws-wp.pdf
  49. 49. [8] Cross-Site Scripting Attacks Pose Ongoing Threat
      [9] What is Cross-site Scripting and How Can You Fix it? – Acunetix
      [10] Understanding LFI and RFI Attacks
      [11] How Null Byte Injections Work: A History of Our Namesake « Null Byte 0130141/
      [12] Protect Against Brute-force/Proxy Login Attacks | Perishable Press
      [13] Tor: What Lies Beneath the Onion's Skin – Security Intelligence
      [14] ModSecurity: Open Source Web Application Firewall
      [15] evading all web-application firewalls xss filters – Mazin Ahmed
  50. 50. ilters.pdf
      [16] What is a DDoS Attack? – Digital Attack Map
  51. 51. Appendix
  52. 52. [1] waffle.php

      <?php
      // Load the configuration and the per-request values used by the checks below.
      $config = parse_ini_file( "config.ini", true ) or die( 'Config.ini Parse Fail' );
      define( 'CACHE_DIR', $config['main']['cache_dir'] );
      session_start();
      $allowed_methods = array_map( 'trim', explode( ',', $config['input']['allowed_methods'] ) );
      $proxies_headers = ( $config['proxies']['proxies_protection'] ) ? array_map( 'trim', explode( ',', $config['proxies']['proxies_headers'] ) ) : array();
      // REMOTE_ADDR is taken from the TCP connection, not from a request header.
      $user_ip = $_SERVER['REMOTE_ADDR'];
      $query_string = urldecode( $_SERVER['QUERY_STRING'] );
      /* CPU Load Average Protection */
      if ( $config['resources']['cpu_loadavg_protect'] )
      {
          if ( get_server_load() >= $config['resources']['cpu_loadavg_limit'] )
          {
              echo $config['resources']['message_exit'];
              exit;
          }
      }
      /* DDoS Protection: one JSON counter file per client IP */
      if ( $config['ddos']['protect_ddos'] )
      {
          $user_file = CACHE_DIR . $user_ip;
          if ( file_exists( $user_file ) )
          {
              $flood_row = json_decode( file_get_contents( $user_file ), true );
              if ( $flood_row['banned'] )
              {
                  shell_exec( "sudo /sbin/iptables -A INPUT -s $user_ip -j DROP" );
                  exit;
              }
              // Request arrived within 'frequency' seconds of the previous one.
              if ( time() - $flood_row['last_request'] <= $config['ddos']['frequency'] )
              {
                  ++$flood_row['requests'];
                  if ( $flood_row['requests'] >= $config['ddos']['requests_limit'] )
                  {
                      $flood_row['banned'] = true;
  53. 53. WAFFLE – A web application firewall that defies rules 53 33. } 34. $flood_row['last_request'] = time(); 35. file_put_contents( $user_file, json_encode( $flood_row ), LOCK_EX ); 36. } 37. else 38. { 39. $flood_row['requests'] = 0; 40. $flood_row['banned'] = false; 41. $flood_row['last_request'] = time(); 42. file_put_contents( $user_file, json_encode( $flood_row ), LOCK_EX ); 43. } 44. } 45. else 46. file_put_contents( $user_file, json_encode( array( 47. 'banned' => false, 48. 'requests' => 0, 49. 'last_request' => time() ) ), LOCK_EX ); 50. } 51. if ( $config['user_agents']['user_agent_protection'] ) 52. { 53. if ( $config['user_agents']['block_empty_ua'] && empty( $_SERVER['HTTP_USER_AGENT'] ) ) 54. attack_found( "EMPTY USER AGENT" ); 55. if ( preg_match( "/^(" . $config['user_agents']['user_agents'] . ").*/i", $_SERVER['HTTP_USER_AGENT'], $matched ) ) 56. attack_found( "BAD USER AGENT({$_SERVER['HTTP_USER_AGENT']})" ); 57. } 58. if ( $config['proxies']['tor_protection'] && is_writeable( CACHE_DIR ) ) 59. { 60. if ( !file_exists( CACHE_DIR . 'tor_exit_nodes' ) || time() - filemtime( CACHE_DIR . 'tor_exit_nodes' ) >= 1800 ) 61. { 62. $source = file_get_contents( "" ); 63. if ( preg_match_all( "/ExitAddress (.*?)s/", $source, $matches ) ) 64. $ips = $matches[1]; 65. file_put_contents( CACHE_DIR . 'tor_exit_nodes', implode( "n", $ips ) ); 66. } 67. else 68. $ips = array_map( 'trim', file( CACHE_DIR . 'tor_exit_nodes' ) ); 69. if ( in_array( $user_ip, $ips ) ) 70. attack_found( "TOR FOUND ON $user_ip" ); 71. } 72. /* Proxy Access Prtoection */ 73. foreach ( $proxies_headers as $x )
  54. 54. WAFFLE – A web application firewall that defies rules 54 74. { 75. if ( !empty( $_SERVER[$x] ) ) 76. attack_found( "PROXIES NOT ALLOWED ($x is SET on $_SERVER)" ); 77. } 78. if ( strlen( $query_string ) >= $config['input']['query_string_max'] ) 79. attack_found( "MAX INPUT REACHED! (QUERY STRING: $query_string)" ); 80. /* Method Request */ 81. if ( !in_array( $_SERVER['REQUEST_METHOD'], $allowed_methods ) ) 82. attack_found( "METHOD ({$_SERVER['REQUEST_METHOD']}) NOT ALLOWED" ); 83. /* HTTPS Limitation */ 84. if ( $config['https']['use_only_https'] && $_SERVER['REQUEST_SCHEME'] != 'https' ) 85. { 86. if ( $config['https']['redirect'] ) 87. { 88. header( 'Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301 ); 89. exit; 90. } 91. attack_found( "NO HTTPS SCHEME FOUND" ); 92. } 93. /* Protect Files/Folders With Extra Password */ 94. if ( $config['protect_files']['enable_file_protection'] && !empty( $_SERVER['SCRIPT_NAME'] ) && stristr( $_SERVER['SCRIPT_NAME'], '/' ) ) 95. { 96. $auth = false; 97. if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) 98. { 99. $username = @$_SERVER['PHP_AUTH_USER']; 100. $password = @$_SERVER['PHP_AUTH_PW']; 101. if ( $username == $config['protect_files']['username'] && $password == $config['protect_files']['password'] ) 102. { 103. $auth = true; 104. } 105. } 106. if ( !$auth ) 107. { 108. $files = explode( '/', $_SERVER['SCRIPT_NAME'] ); 109. foreach ( $files as $file ) 110. { 111. $file = pathinfo( $file )['filename']; 112. if ( preg_match( "/^b(" . $config['protect_files']['files'] . ")b/i", $file, $matched ) ) 113. {
  55. 55. WAFFLE – A web application firewall that defies rules 55 header( 'WWW-Authenticate: Basic realm="WAFFLE Protection"' ); header( 'HTTP/1.0 401 Unauthorized' ); exit; 114. } 115. } 116. } 117. } 118. if ( empty( $_COOKIE ) ) 119. $_COOKIE = array(); 120. if ( empty( $_SESSION ) ) 121. $_SESSION = array(); 122. $exclude_keys = array( 123. '__utmz', 124. '__utma', 125. '__cfduid', 126. '_ga' ); 127. $WAF_array = array( 128. '_GET' => &$_GET, 129. '_POST' => &$_POST, 130. '_REQUEST' => &$_REQUEST, 131. '_COOKIE' => &$_COOKIE, 132. '_SESSION' => &$_SESSION, 133. '_SERVER' => array( 'HTTP_USER_AGENT' => &$_SERVER['HTTP_USER_AGENT'], 'HTTP_REFERER' => &$_SERVER['HTTP_REFERER'] ), 134. 'HTTP_RAW_POST_DATA' => array( file_get_contents( 'php://input' ) ) ); 135. foreach ( $WAF_array as $key => $array ) 136. { 137. if ( count( $array ) > $config['input']['max_input_elements'] ) 138. attack_found( "MAX INPUT VARS ON $key ARRAY REACHED!" ); 139. foreach ( $array as $k => $v ) 140. { 141. if ( in_array( $k, $exclude_keys, true ) ) 142. { 143. continue; 144. } 145. if ( $config['input']['max_strlen_var'] != 0 && strlen( $v ) > $config['input']['max_strlen_var'] ) 146. attack_found( "MAX INPUT ON VAR REACHED!" ); 147. if ( !IsBase64( $v ) ) 148. ${$key}[SanitizeNClean( $k )] = SanitizeNClean( $v ); 149. else 150. ${$key}[SanitizeNClean( $k )] = base64_encode( SanitizeNClean( base64_decode( $v ) ) ); 151. }
  56. 56. WAFFLE – A web application firewall that defies rules 56 152. } 153. /* 154. Get CPU Load Average on Linux/Windows 155. Warning: On Windows might take some time 156. */ 157. function get_server_load() 158. { 159. if ( stristr( PHP_OS, 'win' ) ) 160. { 161. $wmi = new COM( "Winmgmts://" ); 162. $server = $wmi->execquery( "SELECT LoadPercentage FROM Win32_Processor" ); 163. $cpu_num = 0; 164. $load_total = 0; 165. foreach ( $server as $cpu ) 166. { 167. $cpu_num++; 168. $load_total += $cpu->loadpercentage; 169. } 170. $load = round( $load_total / $cpu_num ); 171. } 172. else 173. { 174. $sys_load = sys_getloadavg(); 175. $load = $sys_load[0]; 176. } 177. return ( int )$load; 178. } 179. function attack_found( $match ) 180. { 181. file_put_contents( CACHE_DIR . 'attacks.txt', "[WARNING] Possible Threat Found ( => '" . str_replace( "n", "n", $match ) . "' <= ) @ " . date( "F j, Y, g:i a" ) . "n", FILE_APPEND ); 182. exit( 'Hacking Attempt Detected & Eliminated' ); 183. } 184. function SanitizeNClean( $string ) 185. { 186. return htmlentities( str_replace( array( 187. '(', 188. ')', 189. '=', 190. ',', 191. '|', 192. '$',
  57. 57. WAFFLE – A web application firewall that defies rules 57 193. '`', 194. '/', 195. '' ), array( 196. '(', 197. ')', 198. '=', 199. ',', 200. '|', 201. '$', 202. '`', 203. '/', 204. '\' ), urldecode( $string ) ), ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, ini_get( "default_charset" ), false ); 205. } 206. function IsBase64( $string ) 207. { 208. $d = base64_decode( $string, true ); 209. return ( !empty( $d ) ) ? isAscii( $d ) : false; 210. } 211. function isAscii( $str ) 212. { 213. return preg_match( '/^([x00-x7F])*$/', $str ); 214. } [2] config.ini 1. [main] 2. cache_dir = /tmp/ ; It is recommended to add a RAM-DISK to it for better perfomance 3. ;applies also to dirs 4. [protect_files] 5. enable_file_protection = true 6. files = 'admin|administrator|manager|manage' 7. username = admin 8. password = waffle_protection 9. ;it can also apply for brute force protection 10. [ddos] 11. protect_ddos = false 12. requests_limit = 100 ; if user violates the Frequency X times in a row, he will get banned 13. frequency = 2 ; Define the allowed frequency limit in seconds / request 14. use_iptables = false ; It requires sudo to the Running User . Please See Documentation. Linux Only. Highly Recommended 15. [resources] 16. cpu_loadavg_protect = false
  58. 58. WAFFLE – A web application firewall that defies rules 58 17. cpu_loadavg_limit = 5 ;if load average >= X then we will force the application to exit without initializing other services (such as SQL) which can take more resources 18. message_exit = 'Server too busy. Please try again later.' 19. [proxies] 20. tor_protection = true 21. proxies_protection = false 22. proxies_headers = HTTP_VIA, HTTP_X_FORWARDED_FOR, HTTP_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_CLIENT_IP, HTTP_FORWARDED_FOR_IP, VIA, X_FORWARDED_FOR, FORWARDED_FOR, X_FORWARDED, FORWARDED, CLIENT_IP, FORWARDED_FOR_IP, HTTP_PROXY_CONNECTION 23. [https] 24. use_only_https = false 25. redirect = false 26. [input] 27. query_string_max = 255 28. max_input_elements = 30 29. max_strlen_var = 0 30. allowed_methods = GET, POST, PUT, HEAD 31. [user_agents] 32. user_agent_protection = false 33. block_empty_ua = true 34. user_agents = 'curl|wget|winhttp|HTTrack|clshttp|loader|email|harvest|extract|grab|miner|libww w-perl|acunetix|sqlmap|python|nikto|scan|commix'