Why you should not trust the cloud WAF?

Introduction & Objective

A web application firewall (WAF) or WAF appliance provides security by operating through an application or service thus blocking malicious calls, inputs, and outputs that do not meet the policy of a firewall. Today due to increasing cloud architecture, multiple cloud providers are giving their own managed WAF which is deeply integrated with their technologies such as load balancing, etc.

WAF can be distributed into three broad categories:

1. Host-based Web application firewalls
2. Network-based Web application firewalls
3. Cloud & hybrid Web application firewalls

The first category, Host-based web application firewalls (HWAF) is installed as the modules for a web server. It is a significantly cheaper solution compared to hardware-based WAFs, which are meant for small web applications. However, there is extensive resource utilization hence is results in performance problems.

The second category is Network-based web application firewalls (NWAF) which are traditionally hardware-based and provide latency reduction benefits due to the local installation. This means NWAF is installed close to the application server and is easy to access.

The next category, that has many differences from the first & the second one, is cloud-based WAFs, As the name says, these firewalls are based on the cloud. Cloud WAFs are very much similar to the regular WAF but it is being used to prevent attacks on the cloud environment.

Here we will be talking about cloud-based WAF.

Plus, cloud-based WAF technology is :

• Fast deployment
• Easy to set-up
• Pay-as-you-grow service
• Less complex to manage
• Ease of integration
• Scalable and elastic
• Better Monitoring
• Access logs for audit
• Analytics

By using cloud WAFs, clients need not make any software or hardware changes and tunings to their system, and can successfully protect their websites from threats, by applying custom rules and deciding on the aggressiveness of the protection.

Currently, there is something called a managed rule set which is provided and managed by cloud providers, called a managed rule set. Each cloud provider uses its custom config for running the cloud WAF rule engine. Hence result depends on different cloud providers.

Security Features of Cloud WAF:

• Protection against attacks that can be mapped to OWASP Top 10.
• Protection against Multi-layered application-based attacks.
• Geolocation Attack protection from Layer 7 DDOS, SQL injection, Cross-site scripting and Zero-day web application attack.
• Protection against HTTP(s) attacks.
• Bot based Attacks

Web Servers and WAF Placement

A cloud WAF can be deployed on the top of the CDN solution, Application Load Balancers, API Gateway. For example, the AWS WAF works with Amazon CloudFront, 4 our global content delivery network (CDN) service, and the Application Load Balancer option for Elastic Load Balancing.

WAFs can operate under different models, including the blacklisting approach (negative security), whitelisting approach (positive security), and hybrid approach.

• Blacklisting: This approach protects web applications from known attacks and specific rules. This can be used to prevent attacks from known payloads by using the rule-based approach. For example: To build a blacklist rule, use the string match condition and then block the request if it matches.

If HEADER, User-Agent CONTAINS Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0

This approach can be easily bypassed as attackers can always modify/spoof the payloads and it also doesn’t protect from any kind of zero-day attacks.

• Whitelisting: This approach also uses signatures but also applies logical decisions and permits traffic that meets specific rules/criteria. That means only the specified traffic matching the rule is allowed rest of the other kinds of traffic (legit or invalid) will be dropped. This approach needs constant modification and due to the constant rules/values provided by the cloud provided this is not considered as the healthy approach. For example- Whitelist of allowed domains for redirects (block requests if no listed value is matched).

QUERY_STRING URL_DECODE CONTAINS target=https://example.com.

• Hybrid: This is considered the best approach according to my knowledge as this uses both blacklisting and whitelisting approaches and allows legit traffic and blocks malicious traffic with minimum false positives.

Conclusion

There are multiple testing methodologies either Blackbox Penesting or Grey box Pentesting can be performed for any of the cloud provider’s WAF. Web application firewalls provide a smart response based on rules to all the potential threats which can impact the network.

The web services over the cloud are increasing hence the WAF provided and implemented by cloud providers needs to be tested. Also as a customer, each customer should be aware of the level of protection they are paying for. Blindly we cannot support any WAF without testing. Hence it becomes really important to understand the WAF bypass in a penetration test.
The solution must protect web applications at the HTTP/HTTPS layer. We will be learning about cloud WAF to detect/prevent OWASP Top Ten Threats.

Later in this series, we will be examining a practical approach to bypassing WAFs as a part of our penetration test, and of course, the theory behind working and mitigation in cloud WAFs.

Reference:

• https://www.cloudflare.com/en-in/learning/ddos/glossary/web-application-firewall-waf/
• https://avinetworks.com/what-is-a-web-application-firewall/
• https://www.radware.com/products/cloud-waf-service/#:~:text=Radware's%20Cloud%20WAF%20provides%20enterprise,evolving%20threats%20and%20protected%20assets.
• https://www.radware.com/getattachment/a7598bdf-f1d2-4e09-acbe-53fd60e315eb/26d695b1-b4a3-41d8-ab4e-01e705ea9638.pdf.aspx
• Other reference will be shared in later sections.