Posted: 20-Mar-2017 | Category: Technology | Uploaded by: brian-a-mchenry
The Death of Web App Firewall (as we know it)
Brian A. McHenry, Sr. Security Solutions Architect, F5
@bamchenry
Agenda
• Brief primer on traditional WAF approach
• Why this approach will (and should) die
• How WAF can stay relevant and enhance your AppSec practice
• Why a new approach is valuable
How does a WAF work?
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP request
3. Then we can enforce valid file types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI and the headers with attack signatures

Sample request walked through the checks (note the quote in the name parameter and the extra admin parameter):

    GET /search.php?name=Acme's&admin=1 HTTP/1.1
    Host: foo.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9
    Referer: http://172.29.44.44/search.php?q=data
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
The deck repeats this slide several times with the same seven checks, varying only the request path (/search.asp, /search.do, /login.php, /logout.php) so that each variant is tested against the file-type and URL lists.
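The seven checks above as a runnable positive-security pipeline, written for this page rather than taken from F5's product or the deck: it parses the slide's sample request against a small constructed policy for foo.com and returns each violation tagged with the step that caught it. The policy values, the length limits and the one-pattern signature set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive-security policy for foo.com (constructed): limits, file types, URLs and params.
POLICY = {"max_url_len": 256, "max_headers": 32, "file_types": {"php"},
          "urls": {"/search.php": {"name": 32, "q": 64}, "/login.php": {"user": 32}}}
# Deliberately tiny attack-signature set; a real WAF ships thousands.
SIGNATURES = {"sqli": re.compile(r"'|--|;\s*drop\b", re.I)}
# The request from the slide, trimmed to a few headers (constructed sample input).
SAMPLE_REQUEST = ("GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\nHost: foo.com\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
                  "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n\r\n")

def inspect_request(raw: str) -> list:
    """Apply the slide's seven checks in order; return the violations found."""
    v, lines = [], raw.split("\r\n\r\n", 1)[0].split("\r\n")
    # 1. RFC compliance: well-formed request line, parseable headers, Host present.
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/1\.[01]", lines[0])
    if not m:
        return ["1:rfc: malformed request line"]
    target, headers = m.group(2), {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    if "host" not in headers:
        v.append("1:rfc: missing Host header")
    # 2. Length limits on the request target and on the number of headers.
    if len(target) > POLICY["max_url_len"] or len(headers) > POLICY["max_headers"]:
        v.append("2:length: request exceeds length limits")
    url = urlsplit(target)
    # 3. Allowed file types (by extension), then 4. allowed URLs.
    ext = url.path.rpartition(".")[2] if "." in url.path else ""
    if ext not in POLICY["file_types"]:
        v.append(f"3:type: .{ext} is not an allowed file type")
    if url.path not in POLICY["urls"]:
        v.append(f"4:url: {url.path} is not an allowed URL")
    allowed = POLICY["urls"].get(url.path, {})
    # 5. Allowed parameters for this URL, then 6. per-parameter max value length.
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            v.append(f"5:param: unknown parameter {name}")
        elif len(value) > allowed[name]:
            v.append(f"6:length: {name} exceeds {allowed[name]} bytes")
    # 7. Attack signatures over the URI, every parameter value and every header.
    for where, text in [("uri", target), *params, *headers.items()]:
        for sig, rx in SIGNATURES.items():
            if rx.search(text):
                v.append(f"7:sig: {sig} matched in {where}")
    return v
```

Against the slide's request the unknown admin parameter is caught at step 5 and the quote in the name value at step 7, while the same request with `?name=Acme` passes cleanly.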
That sounds really good, but…

Who Owns the WAF?
Network Team? App Dev Team? Security Team? "Not us!"
My kingdom for a WAF admin!
WAF Administrator
With Great Power…
• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vuln fixes in code.
What's left for WAF?
• Focus on non-snowflake problems
• Extend and enrich web applications where possible
• Behavioral analysis
WAF-based Bot Detection
• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced – no replay attacks
• Prevented attacks will be reported and logged

Legitimate browser verification (flow diagram: Internet -> WAF -> Web Application):
1. 1st-time request to web server (w/o detected attack): WAF responds with injected JS challenge. Request is not passed to server.
2. JS challenge placed in browser.
3. Browser responds to challenge & resends request.
4. WAF verifies response authenticity. Cookie is signed, time stamped and fingerprinted.
5. Valid requests are passed to the server.
Valid browser requests bypass the challenge with future requests. Bots send no challenge response and are dropped; continuous invalid bot attempts are blocked.
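The cookie side of the flow above as an added illustration, not the deck's or F5's implementation: mint_cookie produces what the JS challenge would set, verify_cookie enforces the signature, the expiration and the binding to client IP and fingerprint, and handle_request makes the challenge/pass/drop decision. SECRET, TTL, the header-based fingerprint and the handle_request API are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"server-side-secret-rotate-me"   # constructed example key; never sent to the client
TTL = 300                                 # cookie lifetime in seconds (expiration enforced)

def fingerprint(headers: dict) -> str:
    """Coarse client fingerprint (assumption: derived from stable request headers)."""
    src = "|".join(headers.get(h, "") for h in ("User-Agent", "Accept-Language"))
    return hashlib.sha256(src.encode()).hexdigest()[:16]

def mint_cookie(client_ip: str, headers: dict, now: float = None) -> str:
    """Cookie the JS challenge sets: signed, time-stamped and bound to IP + fingerprint."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"ip": client_ip, "fp": fingerprint(headers), "ts": ts},
                      sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(body).decode()}.{base64.urlsafe_b64encode(sig).decode()}"

def verify_cookie(cookie: str, client_ip: str, headers: dict, now: float = None) -> bool:
    """True only for an untampered cookie that is unexpired and was issued to this client."""
    try:
        body_b64, sig_b64 = cookie.split(".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
    except ValueError:                      # malformed base64 or JSON (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(sig, hmac.new(SECRET, body, hashlib.sha256).digest()):
        return False                        # forged or tampered signature
    now = time.time() if now is None else now
    if not claims["ts"] <= now < claims["ts"] + TTL:
        return False                        # expired: an old cookie cannot be replayed later
    # Bound to the client that solved the challenge: blocks replay from another host.
    return claims["ip"] == client_ip and claims["fp"] == fingerprint(headers)

def handle_request(cookie, client_ip: str, headers: dict, now: float = None) -> str:
    """WAF decision: 'challenge' = inject JS, 'pass' = forward to server, 'drop' = terminate."""
    if cookie is None:
        return "challenge"                  # first request: answer with the JS challenge
    return "pass" if verify_cookie(cookie, client_ip, headers, now) else "drop"
```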
Headers!
• HTTP headers can force the browser to take more secure actions
• Application agnostic
• Examples:
  • HTTP Strict Transport Security
  • HTTP Public Key Pinning
  • Content Security Policy
  • X-Frame-Options
Protocol Compliance Checks
• HTTP protocol compliance, of course.
  • Mitigates attacks like Slowloris and other timing attacks.
• But also, TLS protocol and cipher enforcement
  • Centralized control of allowed ciphers and protocols
  • Protection from vulnerabilities like Heartbleed, FREAK, Logjam, POODLE
• TCP handshake enforcement
  • A full-proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers
Behavioral Analysis & Fingerprinting
• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
  • Track fingerprinted sessions
  • Assign risk scores to sessions
  • Identify known malicious browser extensions
  • https://PanOpticlick.eff.org for a primer on the topic
Fingerprinting Example
What's a Heavy URI?
• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes

© F5 Networks, Inc. CONFIDENTIAL
Tools and Methods of L7 DoS Attacks
• Attackers are proficient at network reconnaissance
  • They obtain a list of site URIs
  • Sort by time-to-complete (CPU cost)
  • Sort list by megabytes (bandwidth)
• Spiders (bots) available to automate
  • Though they are often known by the security community
  • Can be executed with a simple wget script, or OWASP HTTP Post tool
Exploiting POST for Fun & DoS
• Determine:
  • URLs accepting POST
  • Max size for POST
• Bypass CDN protections (POST isn't cache-able)
• Fingerprint both TCP & app at the origin
Attackers work to identify weaknesses in application infrastructure.
Network Reconnaissance Example
Long Live the Web App Firewall
• Drag through existing relevant WAF features
• Understand your risk factors and have the proper tools
• WAF placement can enhance other aspects of the app
Thank YOU!
Contact me: @[email protected]
http://informationsecuritybuzz.com/the-death-of-waf-as-we-know-it/