A Web Application Firewall, or simply WAF, is software that sits between the HTTP/S server and the client, filtering client inputs and web server outputs according to a set of security policies and rules. Thanks to this rule set, it can detect attacks and block them.
What are the Benefits of having WAF in your application?
A WAF can provide critical protection for any online company that needs to handle private customer data securely. Companies usually implement a WAF to protect their web applications from attacks such as:
- Automated attacks like Brute Force;
- Distributed Denial of Service (DDoS) attacks;
- Discovery of the real Application IP;
- Injection attacks, such as SQLi (SQL Injection) and XSS (Cross-Site Scripting);
- Command Execution attacks, such as RCE (Remote Code Execution), SSTI (Server Side Template Injection), PP (Prototype Pollution), SSRF (Server Side Request Forgery), Arbitrary File Upload, and others.
Why is having only a WAF in the application not enough?
After seeing all the benefits that a WAF provides, we will now see why it is not sufficient against every attack, and how each of the listed advantages can be bypassed:
Automated and Denial of Service Attacks
During a Brute Force attack, multiple requests are sent to a specific endpoint. If the application has a WAF, the firewall can block the attacker. For this type of attack, however, the WAF usually blocks only the offending source IP address, so if the attack is distributed (for example through IP rotation) the WAF cannot block it and is bypassed.
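To make the per-IP limitation concrete, here is an added example (not code from the original post) that runs a WAF-style per-IP block rule and an application-side per-account lockout rule over a constructed log of failed logins; the IP addresses, account names and threshold are made up for the illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (source_ip, target_account),
# in arrival order. Three things are mixed together:
#  - a distributed brute force on "alice": 20 attempts, each from a new IP
#  - a single-source brute force on "carol": 6 attempts from one IP
#  - one ordinary typo by "bob"
EVENTS = (
    [(f"203.0.113.{i}", "alice") for i in range(1, 21)]
    + [("198.51.100.7", "carol")] * 6
    + [("192.0.2.5", "bob")]
)

THRESHOLD = 5  # failures tolerated before a block or lockout (assumed value)


def per_ip_blocks(events, threshold=THRESHOLD):
    """WAF-style rule: count failures per source IP and block an IP once it
    reaches the threshold. Returns the set of blocked IPs."""
    counts = defaultdict(int)
    blocked = set()
    for ip, _account in events:
        if ip in blocked:
            continue  # the WAF drops further traffic from a blocked IP
        counts[ip] += 1
        if counts[ip] >= threshold:
            blocked.add(ip)
    return blocked


def per_account_lockouts(events, threshold=THRESHOLD):
    """Application-side rule: count failures per target account regardless
    of source IP, and lock the account once it reaches the threshold."""
    counts = defaultdict(int)
    locked = set()
    for _ip, account in events:
        if account in locked:
            continue  # further attempts on a locked account are rejected
        counts[account] += 1
        if counts[account] >= threshold:
            locked.add(account)
    return locked


if __name__ == "__main__":
    # The rotating-IP attack on "alice" never trips the per-IP rule, only
    # the single-IP attack on "carol" does; the per-account rule catches both.
    print("WAF per-IP blocks:       ", per_ip_blocks(EVENTS))
    print("App per-account lockouts:", per_account_lockouts(EVENTS))
```

The per-account rule is only a complement to the WAF, not a replacement for it: it stops the distributed attack on one account but does nothing about the traffic volume itself.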
Discovery of the Real Application IP
One of the main functions of a WAF is to hide the real IP of the application host, so that an attacker cannot enumerate other services, bypass the WAF's protections, or attack the host directly. Even with a WAF in place, the host address can still be discovered in a variety of ways, such as through historical internet records kept by dedicated services, OSINT, leakage of the internal/real IP, SSRF, RCE, the reconnaissance process, and others.
Injection and Command Execution Attacks
Using a WAF is an excellent and essential addition to the application's security layers, especially against injection and command execution attacks like XSS and SQLi. However, it is important to remember that these measures can be bypassed with a variety of techniques that are constantly evolving. As the image below shows, WAF vendors frequently publish CVEs for their products, which demonstrates the need to keep the WAF updated and to stay aware of its vulnerabilities.
In conclusion, considering the points above, a WAF is just one of the application's security layers, whose objective is to make attacks harder. Relying solely on a WAF is therefore not sufficient; the application itself must be kept protected against possible vulnerabilities.