Web Application Security

What is WAF? How Web Application Firewall Evasion Techniques Work?

By SecureLayer7 Lab

6 min read

waf

What is WAF?

A web application firewall is a specific kind of application firewall that applies explicitly to web applications. It is released before web applications and investigates Bi-directional web-based (HTTP) traffic – recognizing and impeding anything malevolent. The OWASP gives an expansive specialized definition to a WAF as “a security solution on the web application level which – from a technical perspective – doesn’t rely upon the actual application.”

WAFs Web Application Firewalls are not the utmost solution for security. Rather, they are intended to be utilized related to other organization edge security solutions, for example, intrusion prevention systems and network firewalls, to give an all-encompassing safeguard technique.

Ultimately, WAF Web Application Firewall is: 

  • It’s a firewall that monitors, filters, and blocks data packets as they travel to and from a web application.
  • It offers protection against large-scale vulnerabilities 
  • WAF is a crucial topic to secure a company’s web environment
  • It resides between a  web application and the network and operates at the application layer (HTTP, HTTPS), providing better content filtering capabilities than traditional firewall solutions.

Some Vendors:

Numerous business WAFs have the same features. However, significant differences frequently allude to UIs, organization choices, or prerequisites inside explicit conditions. Some of the remarkable vendors for WAFs include:

How WAF Web Application Firewall works & types

How do they work?

WAFs are released as software, and hardware device, both or through the cloud, and work with a particular arrangement of rules called policies. These arrangements or policies mention the WAF firewall what traffic/vulnerabilities/ loopholes are conducted to search for, what to do in case of vulnerability being recognized, etc. All in all, the policies are what empower WAF Web Application Firewall in securing web applications and servers from assaults. 

In this way, in view of these policies, the web application firewall will continue scanning the applications and the GET and POST requests it gets to recognize and channel malignant requests exercises. The significant thing to note is that WAFs dissect the headers as well as the content of packets, everything being equal, to obstruct illegal requests and astute WAF firewalls even test requests to cause the attacker to demonstrate they are human and not a bot. 

At the point when it discovers the loopholes in the actual application, the web application firewall promptly fixes them to consequently or automatically hinder hackers and malevolent attackers (bots, assault IP addresses, assault-based information sources, and so on) from discovering these loopholes. Along these lines, the developers get cushion time to fix the loophole or vulnerabilities within the application.

Generally, the firewall is configured on 3 basic security operation models:  

  • Whitelisting model: 

Here, the WAF Web Application Firewall is designed to permit just pre-approved traffic that meets explicit criteria that are configured. This model is most appropriate for use on the internal networks that are utilized exclusively by a restricted circle of clients (for example, the employees). This is on the grounds that whitelisting can hinder or obstruct genuine requests and traffic, too, when utilized on open sites and applications.

  • Blacklisting model

Here, the WAF Web Application Firewall is designed to obstruct known vulnerabilities, assault marks, and hackers from getting to the server or web application by utilizing pre-set marks or signatures. For example, if some IP addresses are sending a larger number of requests than usual, the blacklisting WAF secures the application against a DDoS attack. This security model is most appropriate for web applications are on the public web as genuine requests also can emerge out of new customer machines. This model, in any case, isn’t viable against zero-day assaults.

  • Hybrid model: 

Here, the WAF Web Application Firewall is designed to integrate whitelisting and blacklisting techniques dependent on the particular requirements of the application. It very well may be utilized on both public and internal networks.

Detection tools

Techniques to bypass WAF:

1. Case Toggling

  • Some poorly developed Web application firewall filter selectively specific case WAFs.
  • We can combine upper and lower case characters for developing efficient payloads.

Standard: <script>alert()</script>

Bypassed: <ScRipT>alert()</sCRipT>

2. URL Encoding

  • Encode normal payloads with % encoding/URL encoding.
  • Can be done with online tools like this.
  • Burp includes an in-built encoder/decoder.

Blocked: <svG/x=”>”/oNloaD=confirm()//

Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F

3. Unicode Encoding

  • Most modern web apps support UTF-8 and hence are prone to this method.
  • ASCII characters in Unicode encoding provide great variants for bypassing.
  • You can encode the entire/part of the payload to obtain results.

Standard: prompt()

Obfuscated: u0070ru06fu006dpt()

4. HTML Encoding

  • Often web apps encode special characters into HTML encoding and render accordingly.
  • This leads us to basic bypass cases with HTML encoding (numeric/generic).

Standard: “><img src=x onerror=confirm()>

Encoded: &quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt; (General form)

Encoded: &#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62; (Numeric reference)

5. Mixed Encoding

  • WAF rules often tend to filter out a single type of encoding.
  • This type of filter can be bypassed by mixed encoding payloads.
  • Tabs and newlines further add to obfuscation.

Obfuscated:

<A href=”h

tt  p://6   6.000146.0×7.147/”>XSS</A>

6. Using Comments

  • Comments obfuscate standard payload vectors.
  • Different payloads have different ways of obfuscation.

Blocked: <script>alert()</script>

Bypassed: <!–><script>alert/**/()/**/</script>

Web application firewalls are best when they are managed and intelligent. Intelligent WAFs are invested with worldwide danger information bases and AI capacities which empower them to screen web traffic persistently and remember the learnings for securing web applications. When overseen, WAFs can zero guaranteed bogus positives and can be uniquely worked with careful precision to include custom business rules prohibiting the vulnerabilities of business logic. 

The managed WAF Web Application Firewalls will incorporate the aptitude of confirmed security experts who lead pen-testing and security audits to forestall zero-day dangers and upkeep the best web application security expectations. Managed WAF guarantees the learnings are exact and pertinent and zeroed in on relieving the danger explicit to the applications. It will have inherent learnings sponsored by 24×7 security specialists to make moves so application proprietors can zero in on deftness in their usefulness and securely utilize the specialists’ services.

Looking to strengthen your security posture? SecureLayer7 helps organizations identify vulnerabilities, reduce risk, and defend against evolving cyber threats. Contact our experts to get started.