Challenge Your Cybersecurity Skills: Outsmart a WAF Attack
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
Luckily, there are many ways to evade Web Application Firewalls (WAFs). These firewalls filter web traffic based on rules that they have learned to recognize. Encoding your payload is one of the best ways to circumvent these filters. By writing the payload in a mix of upper- and lower-case characters, you can disguise your URLs and avoid being filtered by WAF rules. This technique can be used for the entire payload or a specific fragment.
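From the defender's side, case mixing and encoding only work against rules that match the raw request text. The following added example (not from the original article; the rule, the sample values and the function names are constructed for illustration) compares a case-sensitive filter with one that canonicalizes input before matching.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signature, written case-sensitively as a naive filter might be.
RULE = re.compile(r"<script")
MAX_DECODE_ROUNDS = 3  # bound the work spent on nested percent-encoding

def canonicalize(value):
    """Percent-decode up to MAX_DECODE_ROUNDS times, then case-fold.

    Returns (canonical_text, stable); stable is False when the value is
    still percent-encoded after the last round.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            return value.casefold(), True
        value = decoded
    return value.casefold(), unquote_plus(value) == value

def naive_match(value):
    """Match the rule against the raw text exactly as received."""
    return bool(RULE.search(value))

def hardened_match(value):
    """Match after canonicalization; fail closed if decoding never settles."""
    text, stable = canonicalize(value)
    return (not stable) or bool(RULE.search(text))

# Constructed sample parameter values.
SAMPLES = [
    "typescript+tutorial",   # benign search term
    "<script>",              # plain form: both filters match
    "<ScRiPt>",              # mixed case
    "%3CsCrIpT%3E",          # percent-encoded and mixed case
    "%253Cscript%253E",      # double percent-encoded
    "%2525253Cscript",       # nested deeper than MAX_DECODE_ROUNDS
]

def compare(samples=SAMPLES):
    return [(s, naive_match(s), hardened_match(s)) for s in samples]

if __name__ == "__main__":
    for sample, naive, hardened in compare():
        print(f"{sample:22} naive={naive!s:5} hardened={hardened}")
```

Only the plain form trips the naive filter; the canonicalizing filter matches every variant and still lets the benign search term through.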
Modern Web Application Firewalls are capable of learning the user behaviors of web applications. This means that if a user tries to access a website that is blocked, the firewall will not block the request outright; it presents a blank page to the user instead. The blank page is a typical default for WAF-protected applications, so it is recommended that you remove it before exposing the application to a non-testing audience.
Modern WAFs use artificial intelligence algorithms to understand traffic patterns. This helps them detect suspicious traffic and avoid blocking legitimate traffic. They also analyze the application structure and identify malicious requests. This allows WAF operators to define the security rules that are appropriate for web applications and prevent the blocking of legitimate traffic.
Using a simulation environment, modern web application firewalls are able to learn from user behavior and train themselves to protect the website. This allows them to detect potential security risks early on and to avoid costly rework. The virtual lab environment features a realistic application environment, attack scenarios, and defensive mechanisms. The exercises follow a challenge format, with hints available along the way. It also provides students with practical, hands-on experience. A Defending the Flag exercise can last for up to 4 hours.
Web application firewalls can be used to protect your web applications against many types of attacks. They protect your valuable data from denial-of-service attacks, SQL injection, cross-site scripting, and even cookie poisoning. They are often used in tandem with reverse proxies to protect multiple web applications. They can also run as a network appliance or as a plugin on your server.
Modern web application firewalls are capable of learning from user behavior and learning how to protect users from dangerous attacks. They can also detect malicious websites based on their signatures and block malicious traffic. These technologies are becoming more important as the threat landscape becomes more complex.
Besides being effective in protecting web applications, they also protect servers. They filter HTTP/S traffic in order to prevent any unauthorized data from leaving the web app. They do this by adhering to a set of policies to filter the data packets. A reverse proxy is used in conjunction with the firewall and protects the web app server.
The Cloud Armor WAF can be exploited, for example, by crafting an HTTP POST request with ‘test’ or ‘123’ in its body and sending it over the protected workload’s HTTPS endpoint. This attack can cause the server to consume CPU, memory, and disk space. To mitigate this effect, WAF controls must limit the number of HTTP transactions they can process. This helps mitigate the effects of denial-of-service attacks while hardening the WAF for public Internet usage.
The Cloud Armor WAF evaluates rules in both the body and request headers. However, lower-priority rules may match the request header first and block the HTTP POST body. This can lead to a chain of attacks that can compromise a website. To avoid this problem, make sure to check official Google platforms for the latest information on security risks and how to mitigate them. You can also read up on information security risks and recommendations from the International Institute of Cyber Security.
The Cloud Armor WAF can be bypassed by crafting an HTTP POST request that exceeds the 8KB limit. However, the attacker must ensure that the endpoint accepts HTTP POST requests in order to exploit the vulnerability.
Google Cloud Armor WAF has a field called fingerprint, which stores a hash of the contents of the policy. This field is ignored while creating a new policy, but a user can specify the current fingerprint when updating a policy.
The Cloud Armor WAF’s 8 KB size limit is similar to AWS’s, but the difference between the two is that Cloud Armor does not display this limit on its website. The user is not shown a prompt when configuring Cloud Armor rules, and the only reference to this limit is found in the Cloud Armor documentation.
This vulnerability is particularly prevalent in web applications that allow users to upload files over HTTP. Since most of these files are sent as multipart/form-data, the WAF engine does not spend CPU time inspecting them. Instead, the engine can spend its time processing requests and other data. This makes the WAF engine vulnerable to simple DoS attacks.
This vulnerability is also known to affect Google’s Cloud CDN and Cloud Storage buckets. The WAF’s denial action on new connections will result in the termination of the TCP connection. To mitigate the vulnerability, the WAF should only increase the body size of non-file upload requests. Despite this, the WAF’s capacity to handle request bodies larger than 8KB is limited.
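To see where the 8 KB limit leaves gaps in your own traffic, the following added example (not from the original article) reviews WAF-allowed POST requests and separates file uploads from other oversized bodies. The log format and field names are hypothetical and the sample entries are constructed; adapt them to whatever your load balancer actually logs.

```python
import json

INSPECTION_LIMIT = 8 * 1024  # the 8 KB body limit this page describes

# Constructed sample log (one JSON object per line). Field names are
# hypothetical, not a real Cloud Armor log schema.
SAMPLE_LOG = """\
{"method": "POST", "path": "/login", "content_type": "application/x-www-form-urlencoded", "content_length": "412", "waf_action": "allow"}
{"method": "POST", "path": "/api/comment", "content_type": "application/json", "content_length": "20480", "waf_action": "allow"}
{"method": "POST", "path": "/upload", "content_type": "multipart/form-data; boundary=x", "content_length": "5242880", "waf_action": "allow"}
{"method": "POST", "path": "/api/import", "content_type": "application/json", "content_length": null, "waf_action": "allow"}
{"method": "GET", "path": "/", "content_type": null, "content_length": null, "waf_action": "allow"}
"""

def classify(entry):
    """Return (verdict, uninspected_bytes) for one log entry."""
    if entry.get("method") != "POST" or entry.get("waf_action") != "allow":
        return ("skip", 0)
    try:
        size = int(entry.get("content_length"))
    except (TypeError, ValueError):
        # No usable Content-Length (e.g. chunked): size cannot be bounded.
        return ("unknown-size", 0)
    tail = max(0, size - INSPECTION_LIMIT)
    if tail == 0:
        return ("inspected", 0)
    ctype = (entry.get("content_type") or "").lower()
    if ctype.startswith("multipart/form-data"):
        return ("large-upload", tail)   # expected for file uploads
    return ("review", tail)             # non-upload body past the limit

def review(log_text):
    """Return (path, verdict, uninspected_bytes) for entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        verdict, tail = classify(entry)
        if verdict in ("review", "unknown-size", "large-upload"):
            findings.append((entry["path"], verdict, tail))
    return findings

if __name__ == "__main__":
    for path, verdict, tail in review(SAMPLE_LOG):
        print(f"{path:14} {verdict:13} uninspected_bytes={tail}")
```

Endpoints that show up as `review` accept non-upload bodies larger than the WAF inspects, so they are the ones where application-side input validation or a stricter body-size cap matters most.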
The Cloud Armor WAF receives the request header before the body. During the processing phase, it evaluates rules against the header. However, it doesn’t match the preconfigured rules on the body. Therefore, custom request header actions will take effect only during the processing phase.