Introduction to WAF

Notes from the WAF Introduction room on TryHackMe.

https://tryhackme.com/room/wafintroduction

What is a WAF?

A Web Application Firewall (WAF) is a security tool that safeguards websites against web-based threats by analysing HTTP requests (methods, headers, POST bodies) and the inbound and outbound traffic of the app. It protects a web app from SQLi, XSS, command injection and similar threats.

Detecting a WAF

Detecting a WAF running on the target web app is half the battle won. A web app firewall can be detected manually or automatically on the target.

Manual

Here we can use curl to fetch a response from the target and analyse its headers to identify the WAF running. A few examples of tell-tale headers are below:

  • server: cloudflare for Cloudflare

  • X-Sucuri-ID for Sucuri

  • X-CDN: Imperva for Incapsula/Imperva

  • Akamai-Origin-Hop: 2 for Akamai

  • X-F5-Application: ASM for F5 Advanced WAF

We can also identify the WAF running on the target by looking at how it responds to more invasive and malicious requests, such as an SQLi or XSS payload.

For example, here I triggered the WAF via an SQLi payload and I got a 403 Forbidden.

Here is a table from the TryHackMe Room that provides a list of responses along with the possible interpretations.

Automated

We can run a tool directly instead of checking everything manually. wafw00f is a popular tool: https://github.com/EnableSecurity/wafw00f

Using Nmap: we can also use Nmap's http-waf-fingerprint script. The usage is as follows

Types of Detection

Signature-based Detection

Detection here is rule-based. Incoming requests are compared against a set of rules (signatures) and are flagged as malicious if a pattern matches. Any payload that matches a rule will be blocked, unless the attacker finds a way to evade the signature rules using techniques such as the following:

  • Encoding: URL-encoding the payload so the literal pattern in the rule no longer appears in the raw request

  • Case Variation: In SQLi the attacker can send a payload of UNION SELECT as uNiOn SelECT

  • Comment insertion: The attacker would attempt to insert comments to evade triggering the rule.

  • Alternative syntax: If the attacker can replace one syntax with another, such as 1' AND SLEEP(10)-- with 1' AND IF(1=1, SLEEP(10), 1) --, they might succeed in escaping detection.

The good things about signature-based detection are:

  • Low risk of false-positives

  • Faster detection

  • Easy to update rules

  • High performance

But with the pros come the cons:

  • Can't detect any payload that is even slightly different from the signature rules.

  • Not immune to encoded or obfuscated payloads

  • Zero-day attacks will not be flagged

  • Rules need to be constantly updated

Behavioural Detection

Also called anomaly-based detection. Here the engine is trained on what is "normal": it is exposed to normal traffic, i.e. ordinary HTTP requests, and anything that deviates from that baseline is flagged as malicious.

For example, consider a GET parameter of a URL request such as ?item_name=laptops&count=10. This is a normal request and the detection engine will let any such request pass through. But if there is a deviation, such as ?item_name=' or 1=1--, it will be flagged as malicious, because special characters and spaces are used in a parameter that normally only carries a product name, which is not normal behaviour.

The good things about engines deploying behavioural detection are:

  • Adaptive

  • Can tackle zero-day attacks

  • Better immunity to encoded and obfuscated payloads

Cons:

  • Higher risk of false positives

  • Relatively expensive infrastructure requirements

  • Requires training

Hybrid Detection

A balanced combination of both behavioural and signature-based detection.
