Explore Web Application Firewall Security
Learning Objectives
After completing this unit, you’ll be able to:
- Define web application firewall (WAF) security.
- Describe why WAFs are critical for organizations.
- Explain the types of risks WAFs prevent.
This module was produced in collaboration with Fortinet. Learn more about partner content on Trailhead.
Before You Start
If you completed Get Started with Application Security, then you already know how to protect networks and prevent network attacks. Now let’s talk about how to use a web application firewall (WAF) to defend your application perimeter from malicious traffic.
What Is WAF Security?
According to Cloudflare, a WAF creates a shield between a web application and the internet; this shield can help mitigate many common attacks. It helps protect web applications by filtering and monitoring Hypertext Transfer Protocol (HTTP) traffic between a web application and the internet.
Just as a tollbooth allows paying customers to drive across a toll road, and prevents nonpaying customers from accessing the roadway, network traffic must pass through a firewall, before it’s allowed to reach a server. WAFs use adaptable policies to defend against vulnerabilities in a web application, allowing for easy policy modification, and faster response to new attack vectors.
A WAF defends applications from malicious traffic. While other security solutions, such as traditional firewalls, mostly work based on ports and protocols, a WAF has to understand and examine the application layer traffic. A WAF typically protects web applications from attacks such as:
- Cross-site request forgery (CSRF): Also known as Sea Surf or Session Riding, this is an attack vector that tricks a web browser into executing unwanted actions in applications logged into by the user. This attack can result in unauthorized fund transfers, changed passwords, and data theft.
- Cross-site scripting (XSS): An attack that tricks a web browser into running malicious code. That malicious code can be inserted in several ways. Often, it is either added to the end of a Uniform Resource Locator (URL) or posted directly onto a page that displays user-generated content.
- File inclusion: An attack technique in which hackers trick a web application into running or exposing files on a server. If this occurs, sensitive information could be exposed and in some cases lead to XSS and other damaging attacks.
- Structured Query Language (SQL) injection: An attack that surfaces as a result of malicious code being plugged into an unsuspecting database. With this technique attackers can access information that was not intended to be seen by the public, such as private customer details or company data, which is highly detrimental toward a business’s interests.
- Distributed Denial of Service (DDoS): An attack that disrupts normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. It uses multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as Internet of Things (IoT) devices.
A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which application security engineers can implement policy modification, allowing for faster response to the above attack types.
In other words, a WAF is one of the tools responsible for securing business-critical web apps from the Open Web Application Security Project (OWASP) Top 10, zero-day threats, known or unknown application vulnerabilities, and an array of other web application layer attacks that can impact your organization.
As organizations undergo new digital initiatives, their attack surface may expand as they enable new business. As a result, they often find that new web applications and application programming interfaces (APIs) become exposed to dangerous traffic due to web server vulnerabilities, a server plugin, or other issues exploited by threats that aim to disrupt organizations. WAFs help to keep these applications and the content they access secure.
Why WAFs Are Critical for Organizations
Organizations increasingly use web application technologies as part of digital innovation (DI) efforts. As a result, organizations require a fundamental change in the way they conduct business using digital technology. DI means that you have more web applications touching more critical and sensitive data. Organizations that can protect their web applications can move faster, and can put new capabilities into the hands of their users more quickly, and more securely.
For organizations to successfully implement DI efforts, they need to do more than simply deploy technologies. They also need to focus on the needs of customers, and be willing to embrace rapid change, including rapid adoption and technology deployment options to meet the needs of customers.
Organizations can use public cloud and Software-as-a-Service (SaaS) solutions to accelerate their businesses, but they must protect them with strict security rules. As organizations rapidly adopt these technologies, the speed of business operations also increases, and web application security flaws arise, leaving web applications at risk from threats hiding in internet traffic.
As customers increasingly access business applications using unknown bring your own devices (BYOD) on networks that are not controlled with virtual private network (VPN) access, organizations should recognize the risks. Even network firewalls can be vulnerable. Traditional perimeter application security tools are not adequate for protecting internet-facing applications from OWASP Top 10 dangers and other application vulnerabilities found in network traffic.
Organizations need a new set of rules and tools to defend business-critical applications– WAF is a solution that protects these applications and data.
What Types of Threats Do WAFs Prevent?
Modern web applications require a comprehensive WAF to protect important applications against multiple types of web attacks and other threats lurking in network traffic.
The OWASP Top 10 “represents a broad consensus about the most critical application security threats to web applications.” Attackers often leverage these threats to target critical network appliances. The OWASP Top 10 includes:
| Top 10 Web Application Security Risks | Description |
|---|---|
| 1. Broken access control |
When user access and restrictions are not enforced, unauthorized users can potentially access confidential files. |
|
2. Cryptographic failures |
Since many web applications and APIs lack data security, attackers can exploit sensitive financial, healthcare, and personal information. |
| 3. Injection |
When untrusted data is sent to an interpreter, an attacker can inject malicious code. What’s more, when an application includes untrusted data without validation, cross-site scripting (XSS) flaws occur that can be used to perform attacks. |
| 4. Insecure Design |
Risks exist related to design flaws. These can be mitigated using threat modeling, secure design patterns and principles, and reference architectures. |
| 5. Security misconfiguration |
Many legacy Extensible Markup Language (XML) processors evaluate extremal entities, which can be leveraged to disclose internal files. What’s more, default or ad-hoc configurations can lead to security misconfigurations that lead to vulnerabilities. |
| 6. Vulnerable and outdated components |
Components often run with the same privileges as the application. If a vulnerability occurs, all components and applications can be compromised. |
| 7. Identification and authentication failures |
If authentication mechanisms are not implemented properly, attackers can expose these vulnerabilities |
| 8. Software and data integrity failures |
These failures can lead to remote code execution which can be used to perform attacks. |
| 9. Security logging and monitoring failures |
Logging and monitoring that does not integrate with an incident response technology creates insufficient protection processes. |
| 10. Server-Side Request Forgery (SSRF) |
Allows an attacker to induce the server-side application to make requests to an unintended location. This can result in unauthorized actions or access to data within an organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. |
However, taking the OWASP Top 10 into consideration is just the beginning. OWASP describes the Top 10 as a list of the most pervasive risks that organizations should consider. Modern WAF security must go further to address risks outside the scope of the OWASP Top 10, including the following.
| Risk | Description |
|---|---|
|
Bots |
Bots are programs that interact with your applications and often mimic human interaction. Good bots may be allowed to interact with an application, and include: search engines, virtual assistants, and content aggregators (for example., price comparison sites). Bad bot activity can include: web scraping, competitive data mining, personal and financial data harvesting, account takeover and transaction fraud. |
|
Malicious uploads |
Many web applications allow users to upload their own content, which can include a variety of malicious code payloads. |
|
Unknown vulnerabilities |
Signature-based solutions cannot protect against newly discovered vulnerabilities. A robust WAF solution must be able to defend against threats for which no signatures exist. |
|
Zero-day attacks |
Zero-day attacks target previously unknown flaws in an application. When a threat actor discovers a zero-day vulnerability, they can use it to exploit systems that do not have additional defensive measures in place, such as a WAF. |
|
Distributed Denial of Service (DDoS) |
In a DDoS attack, attackers use a large number of systems, often a botnet of compromised computers, to overwhelm an application so that it cannot respond to legitimate user requests. Using DDoS attacks, attackers can attempt to simply overwhelm the system with traffic or may attempt to exploit a flaw in the application logic to achieve the same result. |
Sum It Up
In this unit, you’ve learned about WAF security, and why WAFs are critical for organizations. You’ve also learned about the types of risks that WAFs minimize. Now let’s turn to discuss how WAFs deliver API protection.