Death of WAF - GoSec '15

Page 1: Death of WAF - GoSec '15

The Death of Web App Firewall (as we know it)

Brian A. McHenry, Sr. Security Solutions Architect, F5
@bamchenry

Page 2: Death of WAF - GoSec '15

Agenda

• Brief primer on traditional WAF approach
• Why this approach will (and should) die
• How WAF can stay relevant and enhance your AppSec practice
• Why a new approach is valuable

Page 3: Death of WAF - GoSec '15

How does a WAF work?

1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers with attack signatures

Sample request walked through the checks (the slide shows the line endings as literal \r\n):

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226

Later builds of this slide repeat the walk-through with /search.asp, /search.do, /login.php and /logout.php in the request line as the file-type and URL lists are enforced.
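To make the seven checks concrete, here is a toy positive-security pipeline that runs them in the slide's order over the sample request. This is an added example, not F5 code or anything from the deck: the policy values (allowed file types, URLs, parameters and lengths), the check labels and the three signatures are constructed for the demo, and "valid types" is modelled as the allowed file extensions of the request path.

```python
"""Toy positive-security WAF pipeline that runs the seven checks from the slide
in order. Added example, not F5 code: the policy values, signatures and the
check names are constructed for the demo."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed policy for a small demo application.
POLICY = {
    "max_request_line": 1024,
    "max_header_count": 32,
    "max_header_value": 512,
    "allowed_file_types": {"php", "html", "css", "js", "no-ext"},
    "allowed_urls": {"/", "/search.php", "/login.php", "/logout.php"},
    "allowed_params": {            # URL -> {parameter: max value length}
        "/": {},
        "/search.php": {"name": 64, "q": 64},
        "/login.php": {"user": 32, "pass": 128},
        "/logout.php": {},
    },
    "default_max_value": 256,      # applied to parameters not in the policy
}

# Illustrative attack signatures (constructed; not a vendor signature set).
SIGNATURES = [
    ("sqli-quote-logic", re.compile(r"['\"]\s*(or|and)\b|'\s*--|;\s*(drop|union)\s", re.I)),
    ("xss-tag", re.compile(r"<\s*script|javascript:", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def parse_request(raw):
    """Check 1: strict RFC-style parse. Raises ValueError on non-compliant input."""
    if not raw.endswith("\r\n\r\n"):
        raise ValueError("head not terminated by CRLF CRLF")
    lines = raw[:-4].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if ":" not in line or line[0] in " \t":
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    if "host" not in dict(headers):
        raise ValueError("HTTP/1.1 request without Host header")
    return m.group(1), m.group(2), headers

def file_type(path):
    """Extension of the last path segment, or 'no-ext' (e.g. for '/')."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else "no-ext"

def inspect(raw, policy=POLICY):
    """Run checks 1-7 and return the list of violations (empty list = request passes)."""
    v = []
    try:
        _method, target, headers = parse_request(raw)
    except ValueError as e:
        return ["1-rfc: %s" % e]               # nothing else is meaningful on bad syntax
    # 2. length limits on the request line and headers
    if len(raw.split("\r\n", 1)[0]) > policy["max_request_line"]:
        v.append("2-length: request line")
    if len(headers) > policy["max_header_count"]:
        v.append("2-length: header count")
    v += ["2-length: header %s" % n for n, val in headers if len(val) > policy["max_header_value"]]
    url = urlsplit(target)
    path = unquote(url.path)
    # 3. allowed file types, 4. allowed URLs
    if file_type(path) not in policy["allowed_file_types"]:
        v.append("3-file-type: %s" % file_type(path))
    if path not in policy["allowed_urls"]:
        v.append("4-url: %s" % path)
    # 5. allowed parameters, 6. per-parameter max value length
    params = parse_qsl(url.query, keep_blank_values=True)
    allowed = policy["allowed_params"].get(path, {})
    for name, value in params:
        if name not in allowed:
            v.append("5-param: %s" % name)
        if len(value) > allowed.get(name, policy["default_max_value"]):
            v.append("6-value-length: %s" % name)
    # 7. signature scan over the URI, every parameter value and every header value
    scan = [("uri", path)] + [("param:" + n, val) for n, val in params] \
         + [("header:" + n, val) for n, val in headers]
    for where, text in scan:
        for sig, pat in SIGNATURES:
            if pat.search(text):
                v.append("7-signature: %s in %s" % (sig, where))
    return v

# The slide's request with CRLF line endings restored (apostrophe percent-encoded).
SAMPLE = (
    "GET /search.php?name=Acme%27s&admin=1 HTTP/1.1\r\n"
    "Host: foo.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Run against the slide's request, the pipeline lets the legitimate apostrophe in `name=Acme's` through (no signature fires on a lone quote) but flags `admin=1` as a parameter the policy never declared, which is the positive-security model doing its job. Every one of those policy entries has to be written and maintained per application, which is exactly the cost the following slides argue about.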

Page 17: Death of WAF - GoSec '15

That sounds really good, but…

Page 18: Death of WAF - GoSec '15

Who Owns the WAF?

Network Team / App Dev Team / Security Team

Page 19: Death of WAF - GoSec '15

Not Us!

Page 20: Death of WAF - GoSec '15

My kingdom for a WAF admin!

WAF Administrator

Page 21: Death of WAF - GoSec '15

With Great Power…

• Each web application is a snowflake!
• Application deploys can be too frequent for WAF policy tweaks to keep up.
• In DevOps environments, continuous delivery enables rapid vuln fixes in code.

WAF Administrator

Page 22: Death of WAF - GoSec '15

What’s left for WAF?

Page 23: Death of WAF - GoSec '15

What’s left for WAF?

• Focus on non-snowflake problems
• Extend and enrich web applications where possible
• Behavioral analysis

Page 24: Death of WAF - GoSec '15

WAF-based Bot Detection

• WAF injects a JS challenge with obfuscated cookie
• Legitimate browsers resend the request with cookie
• WAF checks and validates the cookie
• Requests with valid signed cookie are then passed through to the server
• Invalidated requests are dropped or terminated
• Cookie expiration and client IP address are enforced – no replay attacks
• Prevented attacks will be reported and logged

Flow shown in the diagram (Internet, WAF, Web Application; a first-time request to the web server without a detected attack):

1. WAF responds with injected JS challenge. Request is not passed to server.
2. JS challenge placed in browser.
3. Browser responds to challenge & resends request.
4. WAF verifies response authenticity. Cookie is signed, time stamped and finger printed.
5. Valid requests are passed to the server.

Bots return no challenge response and are dropped; continuous invalid bot attempts are blocked. Valid browser requests bypass the challenge with future requests.
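The cookie in step 4 is what makes this scheme work, so here is the verification side written out: a signed, time-stamped, client-bound value and the per-request decision (challenge, pass or drop) the WAF takes around it. This is an added example, not F5 code or the mechanism of any particular product; the cookie layout (`issued.nonce.fingerprint.tag`), the HMAC-SHA256 signature, the 300 s TTL, the IP plus User-Agent fingerprint and the three-strikes threshold are all assumptions chosen for the demo.

```python
"""Signed, time-stamped, client-bound challenge cookie of the kind the slide
describes, with the WAF-side decision for each request. Added example, not F5
code: the cookie layout, TTL, fingerprint fields and thresholds are assumptions."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300    # seconds a challenge cookie stays valid (assumed)
MAX_UNANSWERED = 3     # challenges a client may ignore before it is dropped (assumed)

def _fingerprint(client_ip, user_agent):
    """Client fingerprint bound into the cookie; here just IP + User-Agent."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()[:16]

def issue_cookie(key, client_ip, user_agent, now=None):
    """Steps 1-2: mint the value the JS challenge will set in the browser."""
    issued = int(time.time() if now is None else now)
    body = f"{issued}.{secrets.token_hex(8)}.{_fingerprint(client_ip, user_agent)}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(key, cookie, client_ip, user_agent, now=None):
    """Step 4: check signature first, then expiry, then client binding.
    Returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    parts = cookie.split(".")
    if len(parts) != 4:
        return False, "malformed"
    issued, nonce, fp, tag = parts
    expected = hmac.new(key, f"{issued}.{nonce}.{fp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    if not issued.isdigit() or now - int(issued) > CHALLENGE_TTL or int(issued) > now + 5:
        return False, "expired"               # too old, or issued "in the future"
    if not hmac.compare_digest(fp, _fingerprint(client_ip, user_agent)):
        return False, "fingerprint mismatch"  # replayed from a different client
    return True, "ok"

def gate(key, request, now=None, state=None):
    """Decide what the WAF does with one request.
    `request` is a constructed dict with keys ip, ua and optionally cookie;
    `state` counts unanswered challenges per client IP across calls."""
    state = {} if state is None else state
    ip, ua, cookie = request["ip"], request["ua"], request.get("cookie")
    if cookie is None:
        state[ip] = state.get(ip, 0) + 1
        if state[ip] > MAX_UNANSWERED:
            return "drop", "no challenge response"          # bots that never run the JS
        return "challenge", issue_cookie(key, ip, ua, now)  # request not proxied yet
    ok, reason = verify_cookie(key, cookie, ip, ua, now)
    if ok:
        state.pop(ip, None)                   # browser answered; later requests pass
        return "pass", reason
    return "drop", reason

if __name__ == "__main__":
    key = b"constructed-demo-key"
    action, cookie = gate(key, {"ip": "203.0.113.10", "ua": "Mozilla/5.0"}, now=1000)
    print(action, gate(key, {"ip": "203.0.113.10", "ua": "Mozilla/5.0", "cookie": cookie}, now=1010))
```

The signature is checked before anything else so that a tampered cookie is rejected before its claimed timestamp or fingerprint is trusted, and both comparisons use `hmac.compare_digest` to avoid timing differences. The IP-and-User-Agent binding is what gives the "no replay" property on the slide: a cookie lifted from one client is rejected from another, and expiry bounds how long a captured one is useful at all.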

Page 25: Death of WAF - GoSec '15

Headers!

• HTTP headers can force browser to take more secure actions
• Application agnostic
• Examples:
  • HTTP Strict Transport Security
  • HTTP Public Key Pinning
  • Content Security Policy
  • X-Frame-Options
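"Application agnostic" is the key word: a proxy in front of the application can add these headers without touching application code. As an added example (not F5 code or configuration), here is a small WSGI middleware that injects HSTS, CSP and X-Frame-Options when the origin application did not set them, leaving any application-specific value alone. The header values are assumptions for the demo; HTTP Public Key Pinning is deliberately omitted because mainstream browsers have since removed support for it.

```python
"""WSGI middleware that adds the browser-hardening headers named on the slide
when the application did not set them itself. Added example, not F5 code;
the header values are assumptions chosen for the demo."""
from wsgiref.util import setup_testing_defaults

# Defaults applied only when the app leaves the header unset (assumed policy).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

class SecurityHeaders:
    """Wrap any WSGI app; fill in missing security headers on every response."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def _start(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            # HSTS only means something on an HTTPS response; browsers ignore it on HTTP.
            https = environ.get("wsgi.url_scheme") == "https"
            for name, value in self.headers.items():
                if name.lower() in present:
                    continue                      # application-specific value wins
                if name == "Strict-Transport-Security" and not https:
                    continue
                response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, _start)

def demo_app(environ, start_response):
    """Constructed origin app: sets its own CSP (to allow a CDN) but nothing else."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self' cdn.example")])
    return [b"<html>hello</html>"]

def run(app, scheme="https"):
    """Invoke a WSGI app with a synthetic request; return (status, headers as dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    b"".join(app(environ, start_response))        # drain the body iterator
    return captured["status"], captured["headers"]

if __name__ == "__main__":
    print(run(SecurityHeaders(demo_app)))
```

The "app value wins" rule matters in practice: a blanket CSP from the proxy will break an application that legitimately loads scripts from a CDN, so the proxy should only fill gaps unless the security team owns the policy for that application.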

Page 26: Death of WAF - GoSec '15

Protocol Compliance Checks

• HTTP protocol compliance, of course.
  • Mitigates attacks like Slowloris, and other timing attacks.
• But also, TLS protocol and cipher enforcement
  • Centralized control of allowed ciphers and protocols
  • Protection from vulnerabilities like Heartbleed, FREAK, Logjam, POODLE
• TCP handshake enforcement
  • Full proxy WAF should be able to detect idle TCP sessions, reducing load on web app servers
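Two of these points can be shown in a few lines: a centrally defined TLS policy (minimum protocol version plus a cipher allow-list, which is the control that removes the FREAK, Logjam and POODLE exposure in one place) and a deadline on reading the request head, which is the Slowloris mitigation. This is an added example using Python's standard `ssl` and `socket` modules, not F5 configuration; the cipher string, the TLS 1.2 floor, the 5 s header deadline and the 8 KiB head limit are assumptions.

```python
"""Centralised TLS policy for a full-proxy front end, plus a request-head
deadline as a Slowloris mitigation. Added example, not F5 configuration;
the cipher string and thresholds are assumptions."""
import socket
import ssl
import time

def build_tls_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.2+ only, forward-secret AEAD ciphers, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # rules out SSLv3 (POODLE) and TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION              # no TLS compression (CRIME)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def weak_ciphers_enabled(ctx):
    """Names of enabled ciphers a policy review would reject (export, RC4, DES, NULL, MD5)."""
    bad = ("RC4", "DES", "NULL", "EXP", "MD5")
    return [c["name"] for c in ctx.get_ciphers() if any(b in c["name"] for b in bad)]

def tls_policy_ok(ctx):
    """True when the context enforces the policy above."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not weak_ciphers_enabled(ctx)

def read_headers(conn, header_deadline=5.0, max_bytes=8192):
    """Read one request head; give up if the client has not finished it within the
    deadline. A Slowloris client trickles header bytes to hold connections open,
    so the deadline is on the whole head, not on each individual recv()."""
    buf = b""
    end = time.monotonic() + header_deadline
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("slow request head")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise TimeoutError("slow request head") from None
        if not chunk:
            raise ConnectionError("client closed before finishing the head")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("request head too large")
    return buf

def simulate(head_bytes, deadline=0.3):
    """Feed bytes from a fake client over a socketpair and report 'complete' or 'timeout'.
    A client that sends only part of the head and then stalls is the Slowloris pattern."""
    server, client = socket.socketpair()
    try:
        client.sendall(head_bytes)
        try:
            read_headers(server, deadline)
            return "complete"
        except TimeoutError:
            return "timeout"
    finally:
        server.close()
        client.close()

if __name__ == "__main__":
    print(tls_policy_ok(build_tls_context()))
    print(simulate(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"), simulate(b"GET / HTTP/1.1\r\nHost: x\r\n"))
```

The point of `tls_policy_ok` is that it can be run as a check in CI or at proxy start-up: when the cipher list or protocol floor lives in one place, it is also verifiable in one place.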

Page 27: Death of WAF - GoSec '15

Behavioral Analysis & Fingerprinting

• Detect GET flood attacks against heavy URIs
• Identify non-human surfing patterns
• Fingerprinting to identify beyond IP address
  • Track fingerprinted sessions
  • Assign risk scores to sessions
  • Identify known malicious browser extensions
• https://PanOpticlick.eff.org for a primer on the topic

Page 28: Death of WAF - GoSec '15

Fingerprinting Example

Page 29: Death of WAF - GoSec '15

What’s a Heavy URI?

• Any URI inducing greater server load upon request
• Requests that take a long time to complete
• Requests that yield large response sizes
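The two heavy-URI criteria (time to complete, response size) are both recorded by most web servers, so a defender can build the same inventory from access logs and then watch those URIs for the GET floods the previous slide mentions. The following is an added example, not F5 code: the log format (combined format plus a trailing request-time field, as nginx's `$request_time` or similar would produce), the thresholds (0.5 s, 1 MB, more than 5 hits in 10 s) and the log lines themselves are all constructed for the demo.

```python
"""Heavy-URI inventory and GET-flood detection over access-log lines.
Added example, not F5 code; log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with a trailing request-time field in seconds (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$')

def parse_line(line):
    """Return a record dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": d["method"],
        "uri": d["target"].split("?", 1)[0],   # group by path, ignoring the query string
        "bytes": int(d["bytes"]),
        "secs": float(d["secs"]),
    }

def heavy_uris(records, min_secs=0.5, min_bytes=1_000_000):
    """Rank URIs by average time-to-complete (CPU cost) and average response size
    (bandwidth); return (uri, avg_secs, avg_bytes) for those over either threshold."""
    totals = defaultdict(lambda: [0, 0.0, 0])        # uri -> [count, secs, bytes]
    for r in records:
        t = totals[r["uri"]]
        t[0] += 1
        t[1] += r["secs"]
        t[2] += r["bytes"]
    out = []
    for uri, (n, secs, b) in totals.items():
        avg_s, avg_b = secs / n, b / n
        if avg_s >= min_secs or avg_b >= min_bytes:
            out.append((uri, round(avg_s, 3), int(avg_b)))
    return sorted(out, key=lambda x: (x[1], x[2]), reverse=True)

def get_floods(records, heavy, window_secs=10, threshold=5):
    """Flag (ip, uri) pairs with more than `threshold` GETs to a heavy URI inside any
    sliding window of `window_secs`."""
    heavy_set = {u for u, _, _ in heavy}
    by_key = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["uri"] in heavy_set:
            by_key[(r["ip"], r["uri"])].append(r["ts"])
    alerts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(key)
                break
    return sorted(alerts)

def analyze(lines):
    """Parse the lines, build the heavy-URI list, then look for floods against it."""
    records = [r for r in map(parse_line, lines) if r]
    heavy = heavy_uris(records)
    return heavy, get_floods(records, heavy)

# Constructed sample log: normal traffic, one slow report page, and one client
# hammering that report page once a second.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 2048 0.012',
    '198.51.100.7 - - [10/Sep/2015:10:00:03 +0000] "GET /report.php?year=2014 HTTP/1.1" 200 3145728 2.410',
    '198.51.100.8 - - [10/Sep/2015:10:00:05 +0000] "GET /search.php?q=acme HTTP/1.1" 200 40960 0.640',
    '198.51.100.8 - - [10/Sep/2015:10:00:09 +0000] "GET /static/app.js HTTP/1.1" 200 81920 0.004',
] + [
    '203.0.113.9 - - [10/Sep/2015:10:01:%02d +0000] "GET /report.php?year=2014 HTTP/1.1" 200 3145728 2.500' % s
    for s in range(8)
]

if __name__ == "__main__":
    heavy, floods = analyze(SAMPLE_LOG)
    print(heavy)
    print(floods)
```

Because the heavy-URI list is derived from real measurements rather than guessed, it can feed per-URI rate limits or challenge policies on the WAF, which is the "non-snowflake" kind of protection the deck argues a WAF is still good at.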

Page 30: Death of WAF - GoSec '15

Tools and Methods of L7 DoS Attacks

• Attackers are proficient at network reconnaissance
  • They obtain a list of site URIs
  • Sort by time-to-complete (CPU cost)
  • Sort list by megabytes (Bandwidth)
• Spiders (bots) available to automate
  • Though they are often known by the security community
  • Can be executed with a simple wget script, or OWASP HTTP Post tool

Page 31: Death of WAF - GoSec '15

Network Reconnaissance Example: Exploiting POST for Fun & DoS

• Determine:
  • URLs accepting POST
  • Max size for POST
• Bypass CDN protections (POST isn’t cache-able)
• Fingerprint both TCP & app at the origin

Attackers work to identify weaknesses in application infrastructure.

Page 32: Death of WAF - GoSec '15

Long Live the Web App Firewall

• Drag through existing relevant WAF features
• Understand your risk factors and have the proper tools
• WAF placement can enhance other aspects of the App