Beyond the Firewall: Veriti’s Deep Dive into WAF Blind Spots and Breakthroughs
Securing Web Applications with WAFs
Web applications have become the backbone of digital interaction for businesses, making them a prime target for cyber threats. Organizations today rely heavily on these applications for critical operations, from payment processing to customer engagement. However, the same accessibility and functionality that make web applications invaluable also expose them to a variety of attack vectors.
Web Application Firewalls play a pivotal role in protecting these applications. By analyzing inbound and outbound traffic, WAFs aim to detect and mitigate several forms of cyber threats, including:
- Exploitation attempts
- Hacking attempts
- Reconnaissance attempts
- Malicious adversaries
- Distributed Denial of Service (DDoS) attacks
From Veriti’s perspective, WAF solutions are indispensable tools for organizations. By preventing unauthorized access and filtering malicious requests, WAFs ensure the security and reliability of web applications. However, not all WAF implementations are equally effective, and understanding their strengths and shortcomings is essential for optimizing their deployment.
WAF Trends in the Cloud
As web applications continue to expand their presence in the cloud, the adoption of cloud-based WAFs has followed suit. These solutions provide organizations with scalable, cost-effective protection for their critical application assets. Veriti’s research highlights the increasing reliance on cloud WAF providers such as AWS, Imperva, Akamai, and Cloudflare, underscoring a significant trend towards cloud-first strategies for application security.
Veriti research shows substantial growth in cloud-based WAF deployments over the past 24 months. For instance:
- AWS CloudFront WAF: Usage has surged by over 87% in the past two years, demonstrating AWS’s growing dominance in securing web applications with integrated solutions. Its trend graph showcases a consistent upward trajectory in adoption.
- Imperva’s Incapsula: With an increase of over 62%, Imperva’s cloud WAF solution has shown robust growth, providing tailored protections for diverse customer needs.
- Cloudflare WAF: Known for its simplicity and integration with other services, Cloudflare WAF saw a steady increase in adoption by 17%, catering to both small businesses and large enterprises.
Despite the rapid adoption of cloud solutions, on-prem WAFs remain vital for organizations with hybrid infrastructure. For example:
From Veriti’s perspective, the shift towards cloud-based WAFs is driven by their ability to integrate seamlessly with modern cloud-native architectures while reducing management overhead. Key benefits include:
- Scalability: Cloud WAFs automatically adjust to traffic spikes, a critical feature for dynamic application environments.
- Ease of Deployment: With minimal setup requirements, cloud WAFs are easier to deploy compared to traditional on-prem systems.
- Centralized Management: Unified control across multiple applications and regions simplifies operations for global organizations.

Analyzing the Gaps in WAF Effectiveness: Top Attacks Not Blocked
While WAFs are designed to act as broad security barriers, Veriti’s research reveals significant gaps in their effectiveness. Over the past 24 months, a deep analysis of WAF logs uncovered critical attack types that bypassed these defenses because of configuration issues or limitations in detection algorithms.
Insights from Veriti Research:
The following table highlights the top security violations and their corresponding blocked and unblocked counts:
| Security Violation | Blocked | Not Blocked |
| --- | --- | --- |
| Directory Traversal | 56327 | 227525 |
| SQL Injection | 2904 | 242783 |
| /etc/passwd Access | 42950 | 41228 |
| Linux Execution Attempt | 44757 | 41647 |
| XSS | 5154 | 5546 |
| PHP Injection | 4647 | 2038 |
| PHP Remote File Include | 270 | 13636 |
| Windows Execution Attempt | 4752 | 25402 |
Key Observations
- SQL Injection (98.8% Not Blocked): SQL injection remains one of the most pervasive vulnerabilities with an overwhelming number of successful bypasses, highlighting potential misconfigurations or lack of advanced query sanitization.
- Directory Traversal (80.2% Not Blocked): Despite being a well-documented threat, directory traversal attacks often evade detection, risking exposure to sensitive files and directories.
- PHP Remote File Includes (98.1% Not Blocked): This threat vector demonstrates the WAF’s challenges in recognizing dynamic file inclusion exploits, especially in complex application ecosystems.
- Linux and Windows Execution Attempts: These platform-specific attacks are evenly split between blocked and bypassed attempts, demonstrating inconsistencies in handling diverse execution attempts.
- Cross-Site Scripting (XSS): XSS attacks, while frequently blocked, still see a significant 51.8% bypass rate, emphasizing the need for improved script validation mechanisms.
Balancing WAF Accuracy: False Positives and False Negatives
Web Application Firewalls are designed to be the first line of defense for web applications, but their effectiveness often hinges on their ability to strike the right balance between blocking actual threats and avoiding false alarms. Veriti’s research sheds light on how WAF misconfigurations can lead to two critical outcomes: false positives, which disrupt legitimate business processes, and false negatives, where real attacks bypass security measures.
False Positives: Business Impact Events
False positives occur when legitimate requests are incorrectly flagged as malicious, leading to unnecessary disruptions. Veriti’s analysis categorized the most impacted applications as follows:
- Payment Platforms: Transactions are often interrupted due to overly aggressive filtering, causing delays in customer processing.
- Sales Platforms: WAF misconfigurations can block API calls or customer interactions, impacting revenue generation.
- Cloud Providers Used by the Organization: Legitimate communications between cloud-based services can be flagged, disrupting operational workflows.
- Exposed Applications Not Accessible by End-Users: Internal applications or services required for backend operations are occasionally blocked, hindering efficiency.
False Negatives: Missed Real Attacks
False negatives represent cases where actual threats are not blocked because of gaps in WAF configuration or limitations in detection capabilities. Two significant examples include:
- Reconnaissance Attempts: Attackers use probing techniques to identify vulnerabilities in applications, but some of these attempts go unnoticed.
- Brute Force Attacks: High-volume, automated login attempts or password-guessing attacks often exploit weak defenses, evading detection.
From Veriti’s perspective, these incidents highlight the critical need for fine-tuned WAF rules that distinguish between anomalous but legitimate activities and genuine threats.
Uncovering the Methods Behind Web Application Attacks
Veriti research brings to light the techniques and HTTP methods attackers leverage to infiltrate systems. Understanding these approaches is vital to fortifying defenses and tailoring WAF configurations.
The analysis reveals the following breakdown of HTTP methods used in attack patterns:
- GET: 85% of detected attack methods utilize GET requests, highlighting their prevalence in reconnaissance and data retrieval exploits.
- POST: Responsible for 7% of attack traffic, POST methods are frequently used to deliver malicious payloads or execute commands on target systems.
- OPTIONS: Accounting for 5%, this method is exploited to gather server configuration details, often used in reconnaissance.
- HEAD: With 3%, HEAD requests are leveraged to test server response capabilities without downloading full responses.
Our research identified critical vulnerabilities linked to specific HTTP methods. Notable examples include:
| METHOD | CVE | Vulnerable Application |
| --- | --- | --- |
| GET | CVE-2017-9841 | PHPUnit |
| GET | CVE-2017-16894 | PHP Laravel Framework |
| GET | CVE-2021-44228 | Apache Log4j |
| GET | CVE-2021-45046 | Apache Log4j |
| GET | CVE-2020-3452 | Cisco Adaptive Security Appliance (ASA) |
| POST | CVE-2021-42013 | Apache HTTP Server |
| POST | CVE-2021-41773 | Apache HTTP Server |
| POST | CVE-2024-4577 | PHP versions 8.1 |
| POST | CVE-2017-12629 | Apache Solr |
| POST | CVE-2016-0785 | Apache Struts 2 |
| OPTIONS | CVE-2024-39573 | Apache HTTP Server |
| OPTIONS | CVE-2024-38474 | Apache HTTP Server |
| OPTIONS | CVE-2024-38475 | Apache HTTP Server |
| OPTIONS | CVE-2024-38476 | Apache HTTP Server |
| HEAD | CVE-2011-3192 | Apache HTTP Server |
| HEAD | CVE-2018-15756 | Spring Framework |
GET Method: A Closer Look
The GET method is the most common among HTTP request methods. While primarily used for legitimate data retrieval, attackers exploit GET for malicious purposes, leading to false positives or successful breaches. The top 5 attack techniques include:
- HTTP Parser Attacks: Exploiting flaws in server request parsing, often through manipulated Host headers.
- Forceful Browsing: Manipulating URLs to access unauthorized resources.
- Server-Side Request Forgery (SSRF): Coercing servers into executing unauthorized requests.
- Other Application Activity: Refers to anomalous, suspicious, or undefined application actions.
- Non-browser Client: Any tool or software interacting with a web application outside standard browsers.
Among the top false positives identified in Veriti’s research are those related to HTTP Parser Attacks, which exploit flaws in how servers interpret HTTP requests. A prominent example is the misuse of the Host header, a critical field in HTTP requests that attackers often abuse.
HTTP Host header attacks target websites that handle the Host header value unsafely. If a server implicitly trusts this header without validating or escaping it, attackers can inject malicious payloads to manipulate server-side behavior. These payloads, often part of “Host header injection” attacks, allow adversaries to exploit application logic, bypass access controls, or redirect users to malicious sites.
Veriti’s analysis highlights that many false positives are linked to Host headers containing IP addresses. These requests, though flagged as suspicious, are often legitimate, originating from the organization itself while attempting to access its own applications. This misclassification emphasizes the need for smarter parsing logic and contextual analysis to distinguish between malicious and benign activity.
While some Host header anomalies are false positives, Veriti’s research also uncovered genuine threats leveraging this method. For example:
- CVE-2024-40725 and CVE-2024-40898: These vulnerabilities, affecting Apache HTTP Server versions 2.4.0 through 2.4.61, pose significant risks. They allow attackers to exploit Host header flaws, leading to source code disclosure and enabling Server-Side Request Forgery (SSRF) attacks.
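To make the false-positive case above concrete, here is an added Python check (not code from Veriti or the original post) that classifies a raw Host header value: it allows the application’s own hostnames and IP-literal Host headers from the organization’s own address ranges, and blocks everything else, including values carrying header-injection characters. The hostnames and network ranges are constructed sample values, not taken from the research.

```python
import ipaddress

# Hostnames the application legitimately serves (constructed sample values).
ALLOWED_HOSTS = {"app.example.com", "api.example.com"}
# Ranges the organization uses when calling its own apps (constructed, an assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]


def split_host_port(value: str):
    """Split 'host[:port]' or '[ipv6][:port]'; raise ValueError when malformed."""
    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest == "":
        return host, None
    if not rest[1:].isdigit():                      # rest must be ':' + digits
        raise ValueError("malformed port")
    return host, int(rest[1:])


def classify_host_header(value: str) -> tuple:
    """Return (verdict, reason): 'allow' for the app's own hostnames and for IP
    literals inside the organization's ranges, 'block' for everything else."""
    if not value or any(not 0x21 <= ord(c) <= 0x7E for c in value):
        return "block", "empty, or contains whitespace/control/non-ASCII bytes"
    try:
        host, port = split_host_port(value)
    except ValueError as exc:
        return "block", f"malformed Host header: {exc}"
    if port is not None and not 1 <= port <= 65535:
        return "block", f"port {port} out of range"
    try:                                            # IP literal in the Host header?
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in INTERNAL_NETWORKS):
            return "allow", f"organization-internal address {addr}"
        return "block", f"IP literal {addr} outside organization ranges"
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return "allow", f"known application host {host}"
    return "block", f"unknown hostname {host!r}"
```

The CRLF check runs before any parsing, so an injected header line is rejected even when the leading hostname is legitimate.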
PUT Method Risks
The PUT method, used to update or replace resources, also presents significant risks. As Veriti’s research highlights, improper handling of PUT requests often leads to false positives, disrupting legitimate operations. A common example seen in the field involves Okta: as Okta’s documentation describes, updating a user is done with PUT /Users/{userID}, a legitimate call that an overly broad PUT rule will reject.
Enhancing WAF Effectiveness: Recommendations and Conclusions
The findings from Veriti’s research emphasize both the critical role of Web Application Firewalls in securing web applications and the significant challenges they face. By understanding these gaps and implementing targeted improvements, organizations can enhance their WAF effectiveness and minimize exposures.
Key Recommendations from Veriti:
- Optimize WAF Rules and Configurations:
  - Regularly review and fine-tune WAF configurations to align with the latest threat intelligence and application needs.
  - Address common misconfigurations to reduce false positives and improve the accuracy of threat detection.
- Leverage Behavioral Analytics:
  - Integrate machine learning and AI-based behavioral analysis tools to detect anomalous patterns and reduce reliance on static rules.
  - Focus on distinguishing between legitimate but unusual activity and genuine threats to minimize false positives.
- Implement Real-Time Threat Intelligence:
  - Incorporate real-time feeds from global threat intelligence networks to proactively identify and block emerging attack vectors.
  - Use these insights to update WAF rules dynamically and ensure they remain effective against new exploits.
- Conduct Continuous Exposure Assessments:
  - Go beyond WAF-specific testing by conducting continuous assessments of all security controls in the context of the environment. This ensures preemptive management of exposures.
  - Evaluate WAF and overall security effectiveness against high-profile CVEs and emerging threats to ensure comprehensive protection and preparedness.
*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/veriti-research/beyond-the-firewall-veritis-deep-dive-into-waf-blind-spots-and-breakthroughs/

