APIsecure - April 6 & 7, 2022 APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. Secure your APIs with WAF in AWS Kuldeep Pisda, Backend Developer at Goldcast

1. How to secure API
endpoints with WAF?
Kuldeep Pisda, Backend-cum-SRE Goldcast Inc

2. Prerequisite
The application should be deployed on AWS routed with proper Application Load Balancers, API Gateway, AWS
AppSync or CloudFront.

3. Common
Exploits

4. SQL Injection
SQL injection is a code injection technique that might destroy or leak your database.

5. user_id = request.body.POST.get(‘user’);
sql_to_execute = "SELECT * FROM Users WHERE id = " + user_id;

6. SELECT * FROM Users WHERE id = 105 OR 1=1;

7. Resolution: Always prepare your
SQL Queries before executing
them.

8. LFI Attacks
Local File Inclusion attacks are used by attackers to trick a web application into running or exposing files on a web
server. If the attack is successful, it will expose sensitive information, and in severe cases, can lead to XSS and remote
code execution.

10. Resolution: Configure server
correctly, set proper permissions
for www-data users and don’t
allow ../ based file access.

11. RCE
RCE vulnerabilities allow an attacker to execute arbitrary code on a remote device. An attacker can achieve RCE in a few
different ways, including, Injection Attacks, Deserialization Attacks, Out-of-Bounds Write.
Example: Log4j, ETERNALBLUE

12. Resolution: Input Sanitization,
Secure Memory Management,
Access Control.

13. How does WAF
help?

14. WAF
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect
availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by
enabling you to create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting.

16. Rules
● Rate Based Rules
● Regular Rules
○ Origin
○ Request Components
■ Header
■ Query Param
■ URI Path
■ Body
■ Method
WAF Rules & Actions
Actions
Allow
Block
Count
Captcha

17. What WAF does
not protect us
from?

18. It does protect us from the known
vulnerabilities but it can’t help us
with the broken business logics.

19. WAF should not be the only
means of defence.

20. Thanking You