Web application firewall
A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.[1] Most major financial institutions use WAFs to help mitigate web application 'zero-day' vulnerabilities, as well as hard-to-patch bugs or weaknesses, through custom attack signature strings.[2]
History
Dedicated web application firewalls entered the market in the late 1990s during a time when web server attacks were becoming more prevalent.
Early WAF products, from Kavado and Gilian Technologies, tried to address the increasing number of attacks on web applications in the late 1990s.
Since then, the market has continued to grow and evolve, especially focusing on credit card fraud prevention. With the development of the Payment Card Industry Data Security Standard (PCI DSS), a standardization of control over cardholder data, security has become more regulated in this sector. According to CISO Magazine, the WAF market was expected to grow to $5.48 billion by 2022.[6][7]
Description
A web application firewall is a special type of application firewall that applies specifically to web applications. It is deployed in front of web applications and analyzes bi-directional web-based (HTTP) traffic, detecting and blocking anything malicious. The OWASP provides a broad technical definition for a WAF as “a security solution on the web application level which - from a technical point of view - does not depend on the application itself.”[8] According to the PCI DSS Information Supplement for requirement 6.6, a WAF is defined as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.”[9] In other words, a WAF can be a virtual or physical appliance that prevents vulnerabilities in web applications from being exploited by outside threats. These vulnerabilities may exist because the application is a legacy system or because it was insufficiently coded by design. The WAF addresses these code shortcomings through special configurations of rule-sets, also known as policies.
Previously unknown vulnerabilities can be discovered through penetration testing or via a vulnerability scanner. A
WAFs are not an ultimate security solution; rather, they are meant to be used in conjunction with other network perimeter security solutions, such as network firewalls and intrusion prevention systems, to provide a holistic defense strategy.
WAFs typically follow a positive security model, a negative security model, or a combination of both, as described by the SANS Institute.[11] WAFs use a combination of rule-based logic, parsing, and signatures to detect and prevent attacks such as cross-site scripting and SQL injection. In general, features like browser emulation, obfuscation and virtualization as well as IP obfuscation are used to attempt to bypass WAFs.[12] The OWASP produces a list of the top ten web application security flaws. All commercial WAF offerings cover these ten flaws at a minimum. There are non-commercial options as well: the well-known open source WAF engine ModSecurity is one of them. A WAF engine alone is insufficient to provide adequate protection, therefore OWASP, along with Trustwave's SpiderLabs, helps organize and maintain a Core Rule Set via GitHub[13] for use with the ModSecurity WAF engine.[14]
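To make the positive/negative distinction concrete, here is a small added illustration (not code from the article, ModSecurity or the Core Rule Set) of a request filter that can run under either model or both. The signature patterns, the allowlist policy and the sample requests are all constructed for this example and are far simpler than a production rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model: signature rules in the spirit of ModSecurity/CRS rules.
# Deliberately simple patterns, constructed for illustration only.
NEGATIVE_RULES = [
    ("sqli-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon\w+\s*=")),
    ("lfi-traversal", re.compile(r"(\.\./|\.\.\\)")),
]

# Positive model: allowlist of (method, path) pairs, the parameters each
# accepts, and a strict format per parameter. Anything unlisted is rejected.
POSITIVE_POLICY = {
    ("GET", "/search"): {"q": re.compile(r"^[\w\s\-]{1,64}$")},
    ("GET", "/article"): {"id": re.compile(r"^\d{1,9}$")},
}

def parse_request(method, url):
    """Split a request line into method, path and decoded query parameters."""
    parts = urlsplit(url)
    return {"method": method, "path": parts.path,
            "params": dict(parse_qsl(parts.query, keep_blank_values=True))}

def negative_check(request):
    """Return the names of signature rules matched by any parameter value."""
    return [name for value in request["params"].values()
            for name, pattern in NEGATIVE_RULES if pattern.search(value)]

def positive_check(request):
    """Return policy violations: unknown path, unexpected or malformed parameter."""
    allowed = POSITIVE_POLICY.get((request["method"], request["path"]))
    if allowed is None:
        return ["path-not-allowed"]
    violations = []
    for key, value in request["params"].items():
        if key not in allowed:
            violations.append(f"unexpected-param:{key}")
        elif not allowed[key].match(value):
            violations.append(f"bad-format:{key}")
    return violations

def decide(method, url, mode="combined"):
    """Return ('allow' | 'block', reasons) under 'negative', 'positive' or 'combined'."""
    request = parse_request(method, url)
    reasons = []
    if mode in ("negative", "combined"):
        reasons += negative_check(request)
    if mode in ("positive", "combined"):
        reasons += positive_check(request)
    return ("block" if reasons else "allow", reasons)
```

Running `decide` on a value the signatures do not know (for example `q=hello;drop`) shows the point of combining the models: the negative model alone allows it, while the positive model blocks it as a format violation.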
Deployment options
Although the names for operating modes may differ, WAFs are basically deployed inline in three different ways. According to NSS Labs, deployment options are
JA3 fingerprint
JA3, developed by Salesforce and later open-sourced,[16] is a technique for generating a unique fingerprint for SSL/TLS traffic based on specific fields in the handshake, such as the version, cipher suites, and extensions used by the client. This fingerprint enables the identification and tracking of clients based on the characteristics of their encrypted traffic. In the context of Distributed Denial of Service (DDoS) protection, JA3 fingerprints are used to detect and differentiate malicious traffic, often associated with attack bots, from legitimate traffic, allowing for more precise filtering of potential threats.[17] In September 2023, AWS WAF announced built-in support for JA3, enabling customers to inspect the JA3 fingerprints of incoming requests.[18]
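As an added example (not code from the article, Salesforce's JA3 project or AWS WAF), the following shows how the JA3 string and hash are derived from the ClientHello fields named above and how a WAF-style filter can compare the result against a fingerprint list. The ClientHello values and the blocklist entry are constructed for the example; the GREASE filtering follows the published JA3 method.

```python
import hashlib

# GREASE values (RFC 8701) that browsers insert at random positions; JA3
# drops them so a client's fingerprint stays stable across connections.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _field(values):
    """Decimal values joined by '-', GREASE removed, empty string if none remain."""
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])

def ja3_hash(s):
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()

def fingerprint(hello):
    """Return (ja3_string, ja3_hash) for a dict of ClientHello fields."""
    s = ja3_string(**hello)
    return s, ja3_hash(s)

# Constructed ClientHello field values for illustration, not a real capture.
# Ordering matters: JA3 keeps the client's cipher and extension order as sent.
SAMPLE_HELLO = dict(
    version=0x0303,  # TLS 1.2 handshake version, 771 in decimal
    ciphers=[0x1a1a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0x00ff],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 13, 43, 51],
    curves=[0x3a3a, 29, 23, 24],
    point_formats=[0],
)

# The same field set with its cipher order rearranged yields a different hash.
REORDERED_HELLO = dict(SAMPLE_HELLO,
                       ciphers=[0x1302, 0x1301, 0x1303, 0xc02b, 0xc02f, 0x00ff])

# Constructed blocklist: one JA3 hash an operator has attributed to an attack bot.
BOT_FINGERPRINTS = {ja3_hash("771,4865-4866-4867-49195-49199-255,"
                             "0-23-65281-10-11-35-16-13-43-51,29-23-24,0")}

def classify(hello, blocklist=BOT_FINGERPRINTS):
    """'block' when the hello's JA3 hash is on the blocklist, otherwise 'allow'."""
    return "block" if fingerprint(hello)[1] in blocklist else "allow"
```

Because the hash covers the exact field order, a JA3 blocklist is precise but brittle: a client that changes its cipher ordering, as `REORDERED_HELLO` does, no longer matches, which is why JA3 is usually combined with other signals rather than used alone.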
See also
- Application firewall
- Payment Card Industry Data Security Standard (PCI DSS)
- Web application
- Software as a service (SaaS)
- Computer security
- Network security
- Application security
- Web application security
References
- ^ "Web Application Firewall". TechTarget. Retrieved 10 April 2018.
- ^ Sense Defence Web Security https://resources.sensedefence.com/revolutionising-web-security-with-comprehensive-web-application-protection-platform-cwapp
- ^ "ModSecurity homepage". ModSecurity.
- ^ DuPaul, Neil (25 April 2012). "What is OWASP? Guide to the OWASP Application Security Top 10". Veracode. Retrieved 10 April 2018.
- ^ Svartman, Daniel (12 March 2018). "The OWASP Top Ten and Today's Threat Landscape". ITProPortal. Retrieved 10 April 2018.
- ^ Harsh (2021-12-26). "Web Application Firewall (WAF) Market CAGR of 19.2% 2021". Firewall Authority. Retrieved 2021-12-26.
- ^ "Web Application Firewall Market Worth $5.48 Billion by 2022". CISO Magazine. 5 October 2017. Archived from the original on 11 April 2018. Retrieved 10 April 2018.
- ^ Maximillan Dermann; Mirko Dziadzka; Boris Hemkemeier; Alexander Meisel; Matthias Rohr; Thomas Schreiber (July 7, 2008). "OWASP Best Practices: Use of Web Application Firewalls ver. 1.0.5". OWASP.
- ^ PCI Data Security Standards Council (October 2008). "Information Supplement: Application Reviews and Web Application Firewalls Clarified ver. 1.2" (PDF). PCI DSS.
- ^ Paul E. Black; Elizabeth Fong; Vadim Okun; Romain Gaucher (January 2008). "NIST Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0" (PDF). SAMATE NIST.
- ^ Jason Pubal (March 13, 2015). "Web Application Firewalls - Enterprise Techniques" (PDF). SANS Institute. SANS Institute InfoSec Reading Room.
- ^ IPM (July 29, 2022). "Reverse Engineering how WAFs Like Cloudflare Identify Bots". IPM Corporation.
- ^ "Core-Rule Set Project Repository". GitHub. 30 September 2022.
- ^ "OWASP ModSecurity Core Rule Set Project". OWASP.
- ^ "TEST METHODOLOGY Web Application Firewall 6.2". NSS Labs. Archived from the original on 2022-09-05. Retrieved 2018-05-03.
- ^ "JA3 - A method for profiling SSL/TLS Clients". GitHub.
- ISBN 9781801818667.
- ^ "AWS WAF now supports JA3 Fingerprint Match".