Brian A. McHenry, profile picture
Uploaded byBrian A. McHenry
PPTX, PDF790 views

Death of WAF - GoSec '15

The document describes how traditional web application firewalls (WAFs) work by checking requests against rules for things like RFC compliance, URL and parameter validation, length limits, and attack signatures. However, the document argues this approach will become outdated as applications evolve and new attacks emerge. A new approach is needed for WAFs to stay relevant and enhance application security.

Technology
Related topics:
Information Security

Embed presentation

Downloaded 50 times
The Death ofWeb App Firewall Brian A. McHenry Sr. Security Solutions Architect, F5 @bamchenry ( as we know it )
Agenda • Brief primer on traditional WAF approach • Why this approach will (and should) die • HowWAF can stay relevant and enhance your AppSec practice • Why a new approach is valuable
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1rn Host: foo.comrnrn Connection: keep-alivernrn User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9rn Referer: http://172.29.44.44/search.php?q=datarnrn Accept-Encoding: gzip,deflate,sdchrnrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rnrn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rnrn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226rn
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.asp?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.do ?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /login.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /logout.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
How does aWAF work?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
That sounds really good, but…
Who Owns theWAF? NetworkTeam App DevTeamSecurityTeam
Not Us!
My kingdom for aWAF admin! WAFAdministrator
With Great Power… • Each web application is a snowflake! • Application deploys can be too frequent forWAF policy tweaks to keep up. • In DevOps environments, continuous delivery enables rapid vuln fixes in code. WAFAdministrator
What’s left forWAF?
What’s left forWAF? • Focus on non-snowflake problems • Extend and enrich web applications where possible • Behavioral analysis
WAF-based Bot Detection • WAF injects a JS challenge with obfuscated cookie • Legitimate browsers resend the request with cookie • WAF checks and validates the cookie • Requests with valid signed cookie are then passed through to the server • Invalidated requests are dropped or terminated • Cookie expiration and client IP address are enforced – no replay attacks • Prevented attacks will be reported and logged w/o detected attack 1st time request to web server Internet Web Application Legitimate browser verification No challenge response from bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server 1 JS challenge placed in browser 2  WAF verifies response authenticity  Cookie is signed, time stamped and finger printed 4 Valid requests are passed to the server 5 Browser responds to challenge & resends request 3 Continuous invalid bot attempts are blocked Valid browser requests bypass challenge w/ future requests
Headers! • HTTP Headers can force browser to take more secure actions • Application agnostic • Examples: • HTTP StrictTransport Security • HTTP Public Key Pinning • Content Security Policy • X-Frame-Options OR
Protocol Compliance Checks • HTTP Protocol compliance, of course. • Mitigates attacks like SlowLoris, and other timing attacks. • But also,TLS protocol and cipher enforcement • Centralized control of allowed ciphers and protocols • Protection from vulnerabilities like Heartbleed, FREAK, LogJam, Poodle • TCP handshake enforcement • Full proxyWAF should be able to detect idleTCP sessions, reducing load on web app servers
Behavioral Analysis & Fingerprinting • Detect GET flood attacks against Heavy URI’s • Identify non-human surfing patterns • Fingerprinting to identify beyond IP address • Track fingerprinted sessions • Assign risk scores to sessions • Identify known malicious browser extensions • https://PanOpticlick.eff.org for a primer on the topic
Fingerprinting Example
What’s a Heavy URI? • Any URI inducing greater server load upon request • Requests that take a long time to complete • Requests that yield large response sizes
© F5 Networks, Inc 30CONFIDENTIAL • Attackers are proficient at network reconnaissance • They obtain a list of site URIs • Sort by time-to-complete (CPU cost) • Sort list by megabytes (Bandwidth) • Spiders (bots) available to automate • Though they are often known by the security community • Can be executed with a simple wget script, or OWASP HTTP Post tool Tools and Methods of L7 DoS Attacks
Exploiting POST for Fun & DoS •Determine: • URL’s accepting POST • Max size for POST •Bypass CDN protections (POST isn’t cache-able) •Fingerprint both TCP & app at the origin Attackers work to identify weaknesses in application infrastructure Network Reconnaissance Example
© F5 Networks, Inc 32CONFIDENTIAL • Drag through existing relevantWAF features • Understand your risk factors and have the proper tools • WAF placement can enhance other aspects of the App Long Live theWeb App Firewall
ThankYOU! Contact me: @bamchenry bam@f5.com http://informationsecuritybuzz.com/the-death-of-waf-as-we-know-it/

More Related Content

PDF
wolfSSL and TLS 1.3
bywolfSSL
 
PPTX
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
PPT
Sniffing SSL Traffic
bydkaya
 
PDF
wolfSSL TLS 1.3 Support in 2018
bywolfSSL
 
PPTX
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
byNGINX, Inc.
 
PPTX
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
byNGINX, Inc.
 
PDF
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
byNGINX, Inc.
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
wolfSSL and TLS 1.3
bywolfSSL
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
byBlueHat Security Conference
 
Sniffing SSL Traffic
bydkaya
 
wolfSSL TLS 1.3 Support in 2018
bywolfSSL
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
byNGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
byNGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
byNGINX, Inc.
 
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 

What's hot

PDF
TLS/SSL Protocol Design
byNate Lawson
 
PDF
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
byOpenDNS
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
PPTX
ModSecurity 3.0 and NGINX: Getting Started - EMEA
byNGINX, Inc.
 
PDF
DANE and Application Uses of DNSSEC
byShumon Huque
 
PDF
Assume Compromise
byZach Grace
 
PDF
Securing Data in Transit -
bywolfSSL
 
PDF
Webinar SSL English
bySSL247®
 
PDF
Cryptography
bySri Manakula Vinayagar Engineering College
 
PPTX
Detecting Malicious SSL Certificates Using Bro
byAndrew Beard
 
PDF
Extending Zeek for ICS Defense
byJames Dickenson
 
PDF
Ssl attacks
byn|u - The Open Security Community
 
PDF
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
bynullowaspmumbai
 
PDF
Строим ханипот и выявляем DDoS-атаки
byPositive Hack Days
 
PDF
Seven Grades of Perfect Forward Secrecy
byOleg Gryb
 
PPTX
SSL/TLS 101
byChul-Woong Yang
 
PPTX
FastNetMon Advanced DDoS detection tool
byPavel Odintsov
 
PPTX
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
byBlueHat Security Conference
 
PPT
Introduction to Secure Sockets Layer
byNascenia IT
 
TLS/SSL Protocol Design
byNate Lawson
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
byOpenDNS
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
ModSecurity 3.0 and NGINX: Getting Started - EMEA
byNGINX, Inc.
 
DANE and Application Uses of DNSSEC
byShumon Huque
 
Assume Compromise
byZach Grace
 
Securing Data in Transit -
bywolfSSL
 
Webinar SSL English
bySSL247®
 
Cryptography
bySri Manakula Vinayagar Engineering College
 
Detecting Malicious SSL Certificates Using Bro
byAndrew Beard
 
Extending Zeek for ICS Defense
byJames Dickenson
 
Ssl attacks
byn|u - The Open Security Community
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
bynullowaspmumbai
 
Строим ханипот и выявляем DDoS-атаки
byPositive Hack Days
 
Seven Grades of Perfect Forward Secrecy
byOleg Gryb
 
SSL/TLS 101
byChul-Woong Yang
 
FastNetMon Advanced DDoS detection tool
byPavel Odintsov
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
byBlueHat Security Conference
 
Introduction to Secure Sockets Layer
byNascenia IT
 

Viewers also liked

PDF
Invited Talk - Cyber Security and Open Source
byhack33
 
PPTX
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
bydrewz lin
 
PDF
Exploiting Llinux Environment
byEnrico Scapin
 
PDF
Appsec usa2013 js_libinsecurity_stefanodipaola
bydrewz lin
 
PDF
Take a REST!
byVladimir Tsukur
 
DOCX
Mission Statement
byscarletthayward
 
PDF
Sách Osho Thiền - Tự Do Đầu Tiên Và Cuối Cùng
byNhân Nguyễn Sỹ
 
PPTX
Presentation - Leo
byLeo Dias, CHRP
 
PPTX
Роль регламентуючих документів у профілактиці поширення нелегальних наркотикі...
byInternational Charitable Foundation “AIDS Foundation East-West” (AFEW-Ukraine)
 
PDF
Extremis products presentation 2017
byExtremis
 
PDF
Sempurna buku program mssr 2014
byyusmie
 
PDF
Taking the Fear out of WAF
byBrian A. McHenry
 
DOCX
Vijay Amarnath - Updated
byVijay Amarnath
 
PDF
SMi Group's 4th annual Immunogenicity 2017 conference
byDale Butler
 
PDF
SMi Group's MilSatCom USA 2017
byDale Butler
 
PPTX
Textual analysis
byjvillacci
 
PDF
Packet analysis (Basic)
byAmmar WK
 
PDF
Configuration F5 BIG IP ASM v12
bySassan Saharkhiz_ CRISC
 
PDF
Lessons Learned When Automating
byAlan Richardson
 
PPTX
Fundamentals of Linux Privilege Escalation
bynullthreat
 
Invited Talk - Cyber Security and Open Source
byhack33
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
bydrewz lin
 
Exploiting Llinux Environment
byEnrico Scapin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
bydrewz lin
 
Take a REST!
byVladimir Tsukur
 
Mission Statement
byscarletthayward
 
Sách Osho Thiền - Tự Do Đầu Tiên Và Cuối Cùng
byNhân Nguyễn Sỹ
 
Presentation - Leo
byLeo Dias, CHRP
 
Роль регламентуючих документів у профілактиці поширення нелегальних наркотикі...
byInternational Charitable Foundation “AIDS Foundation East-West” (AFEW-Ukraine)
 
Extremis products presentation 2017
byExtremis
 
Sempurna buku program mssr 2014
byyusmie
 
Taking the Fear out of WAF
byBrian A. McHenry
 
Vijay Amarnath - Updated
byVijay Amarnath
 
SMi Group's 4th annual Immunogenicity 2017 conference
byDale Butler
 
SMi Group's MilSatCom USA 2017
byDale Butler
 
Textual analysis
byjvillacci
 
Packet analysis (Basic)
byAmmar WK
 
Configuration F5 BIG IP ASM v12
bySassan Saharkhiz_ CRISC
 
Lessons Learned When Automating
byAlan Richardson
 
Fundamentals of Linux Privilege Escalation
bynullthreat
 

Similar to Death of WAF - GoSec '15

PDF
Death of Web App Firewall
byBrian A. McHenry
 
PDF
WAF protections and bypass resources
byAntonio Costa aka Cooler_
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
Making the Most of HTTP In Your Apps
byBen Ramsey
 
PPTX
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
PDF
Обход файрволов веб-приложений
byPositive Hack Days
 
PPTX
Basic security and Barracuda VRS
byAravindan A
 
PDF
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
byDefconRussia
 
PDF
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
PDF
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
byDefconRussia
 
ODP
Web Scraping with PHP
byMatthew Turland
 
PPT
Presentation (PPT)
bywebhostingguy
 
PPT
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
byNeil Matatall
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PPTX
01. http basics v27
byEoin Keary
 
PDF
Introduction to Web Application Security - Blackhoodie US 2018
byNiranjanaa Ragupathy
 
PDF
Web services tutorial
byLorna Mitchell
 
PDF
Don't screw it up! How to build durable API
byAlessandro Cinelli (cirpo)
 
PDF
When RSS Fails: Web Scraping with HTTP
byMatthew Turland
 
RTF
W3af
byvjbala
 
Death of Web App Firewall
byBrian A. McHenry
 
WAF protections and bypass resources
byAntonio Costa aka Cooler_
 
Waf bypassing Techniques
byAvinash Thapa
 
Making the Most of HTTP In Your Apps
byBen Ramsey
 
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
Обход файрволов веб-приложений
byPositive Hack Days
 
Basic security and Barracuda VRS
byAravindan A
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
byDefconRussia
 
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
byDefconRussia
 
Web Scraping with PHP
byMatthew Turland
 
Presentation (PPT)
bywebhostingguy
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
byNeil Matatall
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
01. http basics v27
byEoin Keary
 
Introduction to Web Application Security - Blackhoodie US 2018
byNiranjanaa Ragupathy
 
Web services tutorial
byLorna Mitchell
 
Don't screw it up! How to build durable API
byAlessandro Cinelli (cirpo)
 
When RSS Fails: Web Scraping with HTTP
byMatthew Turland
 
W3af
byvjbala
 

Recently uploaded

PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
Raman Bhaumik - A Junior Software Developer
byRaman Bhaumik
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Lab 4.2 Multi-cloud Deployments - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Lab 1.3 Introduction to GCP Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 1.1 Introduction to AWS Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
Lab 4.3 Automated security scans with Jenkins - 2nd Sight Lab Cloud Security ...
by2nd Sight Lab
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Raman Bhaumik - A Junior Software Developer
byRaman Bhaumik
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Lab 4.2 Multi-cloud Deployments - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Lab 1.3 Introduction to GCP Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 1.1 Introduction to AWS Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
API-First Architecture in Financial Systems
bycyy111112
 
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
How to Evaluate a High Performance Database
byScyllaDB
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Lab 4.3 Automated security scans with Jenkins - 2nd Sight Lab Cloud Security ...
by2nd Sight Lab
 

Death of WAF - GoSec '15

  • 1.
    The Death ofWebApp Firewall Brian A. McHenry Sr. Security Solutions Architect, F5 @bamchenry ( as we know it )
  • 2.
    Agenda • Brief primeron traditional WAF approach • Why this approach will (and should) die • HowWAF can stay relevant and enhance your AppSec practice • Why a new approach is valuable
  • 3.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 4.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1rn Host: foo.comrnrn Connection: keep-alivernrn User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9rn Referer: http://172.29.44.44/search.php?q=datarnrn Accept-Encoding: gzip,deflate,sdchrnrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rnrn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rnrn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226rn
  • 5.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 6.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 7.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 8.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 9.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.asp?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 10.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.do ?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 11.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 12.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /login.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 13.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /logout.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 14.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 15.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 16.
    How does aWAFwork?Start by checking RFC compliance1 Then check for various length limits in the HTTP 2 Then we can enforce valid types for the application 3 Then we can enforce a list of valid URLs 4 Then we can check for a list of valid parameters 5 Then for each parameter we will check for max value length 6 Then scan each parameter, the URI, the headers with attack signatures 7 GET /search.php?name=Acme’s&admin=1 HTTP/1.1 Host: foo.comrn Connection: keep-alivern User-Agent: Mozilla/5.0 (Windows NT 6.1)rn Accept:text/html,application/xhtml+xml,application/xml;q=0.9r Referer: http://172.29.44.44/search.php?q=datarn Accept-Encoding: gzip,deflate,sdchrn Accept-Language: en-GB,en-US;q=0.8,en;q=0.6rn Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3rn Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
  • 17.
    That sounds reallygood, but…
  • 18.
    Who Owns theWAF? NetworkTeamApp DevTeamSecurityTeam
  • 19.
  • 20.
    My kingdom foraWAF admin! WAFAdministrator
  • 21.
    With Great Power… •Each web application is a snowflake! • Application deploys can be too frequent forWAF policy tweaks to keep up. • In DevOps environments, continuous delivery enables rapid vuln fixes in code. WAFAdministrator
  • 22.
  • 23.
    What’s left forWAF? •Focus on non-snowflake problems • Extend and enrich web applications where possible • Behavioral analysis
  • 24.
    WAF-based Bot Detection •WAF injects a JS challenge with obfuscated cookie • Legitimate browsers resend the request with cookie • WAF checks and validates the cookie • Requests with valid signed cookie are then passed through to the server • Invalidated requests are dropped or terminated • Cookie expiration and client IP address are enforced – no replay attacks • Prevented attacks will be reported and logged w/o detected attack 1st time request to web server Internet Web Application Legitimate browser verification No challenge response from bots BOTS ARE DROPPED WAF responds with injected JS challenge. Request is not passed to server 1 JS challenge placed in browser 2  WAF verifies response authenticity  Cookie is signed, time stamped and finger printed 4 Valid requests are passed to the server 5 Browser responds to challenge & resends request 3 Continuous invalid bot attempts are blocked Valid browser requests bypass challenge w/ future requests
  • 25.
    Headers! • HTTP Headerscan force browser to take more secure actions • Application agnostic • Examples: • HTTP StrictTransport Security • HTTP Public Key Pinning • Content Security Policy • X-Frame-Options OR
  • 26.
    Protocol Compliance Checks •HTTP Protocol compliance, of course. • Mitigates attacks like SlowLoris, and other timing attacks. • But also,TLS protocol and cipher enforcement • Centralized control of allowed ciphers and protocols • Protection from vulnerabilities like Heartbleed, FREAK, LogJam, Poodle • TCP handshake enforcement • Full proxyWAF should be able to detect idleTCP sessions, reducing load on web app servers
  • 27.
    Behavioral Analysis &Fingerprinting • Detect GET flood attacks against Heavy URI’s • Identify non-human surfing patterns • Fingerprinting to identify beyond IP address • Track fingerprinted sessions • Assign risk scores to sessions • Identify known malicious browser extensions • https://PanOpticlick.eff.org for a primer on the topic
  • 28.
  • 29.
    What’s a HeavyURI? • Any URI inducing greater server load upon request • Requests that take a long time to complete • Requests that yield large response sizes
  • 30.
    © F5 Networks,Inc 30CONFIDENTIAL • Attackers are proficient at network reconnaissance • They obtain a list of site URIs • Sort by time-to-complete (CPU cost) • Sort list by megabytes (Bandwidth) • Spiders (bots) available to automate • Though they are often known by the security community • Can be executed with a simple wget script, or OWASP HTTP Post tool Tools and Methods of L7 DoS Attacks
  • 31.
    Exploiting POST forFun & DoS •Determine: • URL’s accepting POST • Max size for POST •Bypass CDN protections (POST isn’t cache-able) •Fingerprint both TCP & app at the origin Attackers work to identify weaknesses in application infrastructure Network Reconnaissance Example
  • 32.
    © F5 Networks,Inc 32CONFIDENTIAL • Drag through existing relevantWAF features • Understand your risk factors and have the proper tools • WAF placement can enhance other aspects of the App Long Live theWeb App Firewall
  • 33.

Editor's Notes

  • #4 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #5 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #6 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #7 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #8 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #9 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #10 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #11 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #12 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #13 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #14 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #15 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #16 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #17 This is a high level overview… I thought we could highlight each area in the request when explaining what we do… Start by checking RFC compliance – for example, that there is a method like GET/POST in the beginning of the message, or that every line ends with \r\n , or that the protocol version is valid (HTTP/1.1), that there is HOST header, that the straucture of the header is good (every header has a value). Then we check for various Length limits on the HTTP message, for example, the full HTTP message length , or the URI length (/search.php) or the query string length (name=Mc’donalds&admin=1), we count the number of headers, we check for cookie max size and header max size Then we can enforce valid types for the application, for example, only php, jpeg, doc and pdf. Then we can enforce a list of valid URLs (/search.php) Then we can check for a list of valid parameters (name and admin) Then for each parameter we will check for max value length (data and 1 in this case) valid metacharacters in the value for each paramater (in this example the ‘ metacharacter needs to be allowed in the name parameter. We could also scan the Then before we serve the request to the web server, we will scan each parameter , the URI, the headers with attack signatures
  • #19 Network team doesn’t have intimate knowledge of the application, and lacks the confidence to make policy tweaks for fear of false positive. Security team often lacks the necessary personnel to support the full-time task of tweak WAF policy for every application change. App dev team lacks the network skills for managing the appliance aside from the WAF policy.
  • #20 Network team doesn’t have intimate knowledge of the application, and lacks the confidence to make policy tweaks for fear of false positive. Security team often lacks the necessary personnel to support the full-time task of tweak WAF policy for every application change. App dev team lacks the network skills for managing the appliance aside from the WAF policy.
  • #21 Network team doesn’t have intimate knowledge of the application, and lacks the confidence to make policy tweaks for fear of false positive. Security team often lacks the necessary personnel to support the full-time task of tweak WAF policy for every application change. App dev team lacks the network skills for managing the appliance aside from the WAF policy.
  • #25 Java code resends request
  • #29 Chrome Machine 1 IE Machine 1 Chrome Machine 2 logged into same account Chrome ios logged in to same acocunt
  • #31  Remember the 2012 attacks against the US banks? Well, attackers have become even more sophisticated in their network reconnaissance. Not only that, while the sophistication has sharply increased, the tools and coordination required to do this type of profiling have become well-automated and easily accessible. These types of activities are no longer the domain of the Fully Targeted, state-sponsored attacker. The so-called script kiddies and Hacktivists have latched onto these tools, and these types of attacks are in the arsenal of the low-level Opportunistic attacker. This is a new mitigation method intended to protect heavy URLs from DoS attacks. Heavy URLs are a small number of site URLs that might consume considerable server resources per request. This type of DoS attack is different from the existing URL mitigation because it takes only a low rate of requests to heavy URLs in order to cause DoS attacks. In addition to configuring heavy URLs, you can view latency information about web application URLs on the new URL Latencies screen (navigate to Security > Reporting > DoS > Application > URL Latencies).
  • #32 A CDN exceeds at delivering cached content from global datacenters. Attackers know that unless they can force resource consumption at the origin server[DWH3] they will be unlikely to succeed in their attack. Typically a CDN will not process HTTP POST methods – these will be forwarded to the origin servers of the targets. In fact, in the DDoS Playbook mentioned above, the number one step in the pre-attack recipe is “Check whether a site accepts POST method…in the Web form”. Once a URL that accepts POSTs has been found, the attackers will test it to see how much data it will accept (say, 9999 bytes) before the POST is rejected. When they find the boundary, they know exactly how much data they can send during the real attack per connection. The vulnerability of the POST method goes further. Because it acts as a “hole” in the CDN, the attackers know that they can use POST to determine the nature of the origin devices, including: the TCP established state timeout value the TCP first PSH/ACK timeout value the TCP continuous ACK timeout value the TCP first FIN_WAIT1 timeout value the TCP last ACK timeout value In this example, the attackers are performing network reconnaissance for layer 4 threat surfaces by using a layer 7 attack vector!
  • #33 Protocol Compliance, broad spectrum signatures BOT/Heavy URL/Brute Force/Scraping TLS and TCP