Even an iron fortress around your organization won’t stop bad actors from trying to gain unauthorized access to sensitive information. After all, attackers have one golden rule: Where there’s a will, there’s a way.
The WAF market will be worth $23.21 billion by 2030, proving that the need for web application security is ever-growing. Yet, hackers will always try to find a way to sneak past even the most robust defenses with tactics like WAF bypass.
What is a WAF bypass?
A Web Application Firewall (WAF) bypass is a critical security vulnerability that occurs when an attacker circumvents the security measures provided by a WAF. It typically involves exploiting weaknesses in the web application that the WAF cannot manage.
Hackers use WAF bypass techniques for several reasons:
Gain unauthorized access to restricted areas of a web application.
Manipulating data or stealing sensitive information like personal details, credentials, and financial data.
Deploying malware and creating backdoors to compromise the application and its users.
WAF bypass is a critical concern as it directly undermines your organization's security measures and exposes you to severe security breaches, data leaks, and compromised systems.
How does a WAF bypass happen?
Attackers can use various techniques to exploit your WAFs' limitations or configuration flaws. Here are six common methods attackers use to bypass a WAF.
1.Encoding
Attackers use different encoding techniques to disguise malicious inputs. For example, URL or Base64 encoding can be used to hide XSS or SQL injection attacks. A WAF might not decode these inputs correctly, allowing the harmful data to slip through.
Example: Using %3Cscript%3Ealert(1)%3C%2Fscript%3E instead of <script>alert(1)</script> for XSS.
2. Obfuscation
Similar to encoding, obfuscation involves altering the appearance of malicious code to make it difficult for a WAF to recognize. Attackers can use complex code structures or mix legitimate code with malicious code to avoid detection.
Example: Writing JavaScript with unusual syntax or using eval() to execute code hidden within a string.
3. Protocol-based Attacks
Protocol-based attacks exploit vulnerabilities in communication protocols like HTTP and HTTPS. Attackers use lesser-known features to create seemingly normal requests that carry harmful payloads.
Example: In an HTTP Desync Attack, attackers send a request with conflicting headers like Content-Length and Transfer-Encoding, confusing the WAF and server on where the request ends.
4. Parameter Tampering
This method involves changing the parameters exchanged between the user and the server (URL parameters, cookies, or HTTP headers) to exploit the applications.
Example: Changing a cookie value from user=normal to user=admin to gain elevated access.
5.IP-based Attacks
Attackers can spoof their IP address or use an address from trusted IP ranges to bypass IP-based blocking rules set by the WAF.
Example: Manipulating DNS records to redirect traffic from a legitimate IP to a malicious one, making the attacker's IP appear to belong to a trusted network.
6. File Upload Attacks
If the WAF is not properly configured to filter uploaded files, attackers can upload malicious scripts through files. Attackers can then execute these files on the server to perform malicious actions.
Example: Uploading image.jpg.php file to execute the .php part on the server, ignoring the image file format.
5 Dangers of a WAF Bypass
A WAF bypass can cause critical web application security issues, some of which are highlighted in the OWASP Top 10 list. Here are a few key issues that could happen due to a WAF bypass.
Broken Access Control: Attackers can exploit insufficient access controls, gaining unauthorized access to functionalities and data that should be restricted.
Injection Attacks: Attackers can execute injection attacks, such as SQL injection, which can lead to data loss, corruption, or unauthorized access.
Security Misconfiguration: WAF bypass can exploit security misconfigurations like unnecessary features, default accounts, or verbose error messages.
Server-Side Request Forgery (SSRF): WAF bypass allows attackers to exploit SSRF vulnerabilities, forcing the server to execute unintended actions like sending malicious requests to internal services.
Sensitive Data Exposure: Without a WAF to filter out and block attempts to access sensitive data, attackers can easily find and exploit weak points in the application to access financial records, personal information, or any data meant to be protected from public access.
7 Ways to Plug Your WAF Loopholes
Let’s look at seven effective strategies to enhance the security of your WAF and prevent bypasses.
WAFs, like any other software, can have vulnerabilities. Regularly updating and patching your WAF ensures these security gaps are addressed promptly, improving your defenses against evolving bypass techniques.
Actionable Tips:
Automate WAF updates to ensure your system runs the latest software version. For example, you can set up a cron job to automatically check for and apply WAF updates.
0 3 1 /usr/local/bin/check_for_waf_updates.sh
Integrate vulnerability scanning tools (like SpectralOps) that support automated scans and reports.
Use a patch management tool to track, download, and apply software patches for your WAF.
2. Implement Tight Access Controls
Robust access control ensures that only authorized users and systems can access specific network resources. It helps you minimize the risk of insider threats and reduce the damage radius even if your WAF is compromised.
Actionable Tips:
Use VLANs or firewalls to segregate network traffic based on departments, use cases or sensitivity levels. It enhances security by isolating critical network segments from one another. For example, you can configure a VLAN on a Cisco switch like below:
vlan 100
name Human_Resources
vlan 200
name Finance
exit
Implement role-based access management as part of your IT security policy.
{
"access_policy": {
"admin": {
"access_level": "full"
},
"user": {
"access_level": "restricted",
"permissions": ["read"]
}
}
}
Configure firewall rules to explicitly allow legitimate traffic and deny all other traffic by default. For example, the below rule set allows incoming traffic on port 443 (HTTPS) and rejects all other incoming traffic.
# Example firewall rule on an iptables-based system
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
3. Strengthen Input Validation
Input validation is a fundamental security technique used to ensure that only properly formatted data is allowed through processing and storage. It helps you to mitigate various security threats, including SQL injection, cross-site scripting (XSS), and command injection attacks.
Actionable Tips:
Enforce comprehensive validation rules on the server side that check for correct syntax and patterns. For example, you can validate an email input like the below before storing it in the database:
def validate_email(email):
import re
if not re.match(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$", email):
raise ValueError("Invalid email format")
Use inbuilt validation features in frameworks.
Apply regular expressions to block unusual inputs.
import re
def validate_username(username):
if not re.match(r'^[a-zA-Z0-9_.-]{5,20}$', username):
raise ValueError("Invalid username")
4. Use Advanced Detection Techniques
Advanced threat detection and response techniques like anomaly detection and machine learning can identify threats that do not match known patterns. This strategy is especially crucial for detecting zero-day exploits and other new attacks without defined signatures.
Actionable Tips:
Use WAF tools that apply machine learning to detect anomalies.
Configure alerts for unusual access patterns.
Integrate behavioral analysis tools that profile user behaviors and compare ongoing activities to the established profile.
5.Deploy Multi-Layered Security
Deploying multi-layered security involves setting up multiple layers of IT security controls. If one defense layer is bypassed, others will still provide protection, reducing the overall risk of a successful attack.
Actionable Tips:
Combine Intrusion Detection Systems (IDS) with WAFs to monitor and block suspicious activities.
Keep all security software up to date.
Set up an IDS to analyze network traffic for signs of intrusion. For example, the below IDS rule looks for patterns typical of SQL injection attacks on HTTP traffic and generates alerts.
# Example IDS rule to detect SQL injection
alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"select%20*%20from"; sid:1000001;)
6. Encrypt Sensitive Data
Encryption of sensitive data ensures that even if data is intercepted during transmission or accessed from storage, it cannot be understood without the corresponding decryption key. It is essential to maintain the confidentiality of sensitive information such as personal data, financial information, and business secrets.
Actionable Tips:
Implement Transport Layer Security (TLS) to secure all data transmitted over the network. The configuration below shows how to enable TLS e.g. on an Apache HTTP server.
SSLEngine on
SSLCertificateFile /path/to/your_cert.pem
SSLCertificateKeyFile /path/to/your_key.pem
Apply AES-256 encryption to stored data. The below example shows how to encrypt data using a cryptography library.
from cryptography.fernet import Fernet
key = Fernet.generate_key()
cipher_suite = Fernet(key)
encrypted_text = cipher_suite.encrypt(b"Sensitive data")
Implement application-level encryption to encrypt sensitive data immediately before it is saved to storage or sent over the network.
7. Use open-appsec
open-appsec is an open-source WAF and API security solution designed to provide preemptive protection against various threats, including the OWASP Top 10 and zero-day vulnerabilities.
Key features of open-appsec:
Behavior-based Analysis with Machine Learning: Unlike traditional WAFs that rely on signature-based detection, open-appsec utilizes machine learning to analyze HTTP traffic and detect and prevent malicious activities based on behavioral patterns.
Rate Limit/DDoS Protection: Implements rate limiting to control request volume, protecting against DDoS attacks by limiting the impact of excessive traffic.
API Security: Provides robust protection against unauthorized API access and abuse, securing APIs from various attack vectors.
Integration into Modern Environments: Supports seamless integration with e.g. NGINX, Ingress NGINX, Kong on modern infrastructure like Linux, Kubernetes, and Docker in the cloud as well as on prem.
Bot Prevention: Employs advanced techniques to differentiate between human and bot traffic, enhancing security by blocking automated threats and bot-related abuses.
___________________________________________________________________________________________
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.
