URL: https://thenewstack.io/waf-securing-applications-at-the-edge/

WAF: Securing Applications at the Edge - The New Stack


2022-02-02 06:24:18
Edge Computing / Networking / Security

WAF: Securing Applications at the Edge

Developers and security experts struggle to keep up with sophisticated threats to edge applications. Web application firewalls provide the best defense.
Feb 2nd, 2022 6:24am by Sheraline Barthelmy
Feature image via Pixabay.
Cox Edge sponsored this post.
Sheraline Barthelmy
Sheraline is the head of product, marketing and customer success at Cox Edge, an edge cloud startup from Cox Communications. At Cox Edge, she's focused on developing the tools and systems that customers and developers rely on to build the next generation of edge applications.

These days, brick-and-mortar or television-based bank robberies and heists seem old-fashioned no matter how well planned or executed. What the new “money” criminals are after is personal data. And the “banks” being attacked are the growing number of web applications.

Studies show that web application attacks have become the single most significant cause of data breaches. According to NTT’s 2020 Global Threat Intelligence Report (GTIR), more than half (55%) of all attacks in 2019 were a mix of web application and application-specific attacks, up from 32% the year before.

As organizations move away from VPNs, virtual machines and centralized management systems to distributing and even running applications at the edge, conventional perimeter-based security like network firewalls isn’t enough.

The best defense is a firewall that can mitigate application-layer attacks.

Web Application Firewall (WAF)

A WAF helps protect web applications from application-layer attacks like cross-site scripting, SQL injection attacks, remote file inclusion and cookie poisoning, among others. Not having the right WAF in place makes it easier for attackers to compromise systems and steal valuable data.

Sadly, British Airways discovered this in 2018. A data breach affected 380,000 bookings between August and September 2018. Hackers exploited a cross-site scripting vulnerability using a malicious JavaScript library. The purpose behind the attack was to steal customers’ credit card data.

The method used was simple: When a user submitted their booking form, the JavaScript file recorded the user’s information and sent it to the attackers’ server, “baways.com.” The attackers even bought an SSL certificate to make baways.com appear trustworthy. As a result, hundreds of thousands of customers had their credit card information stolen.

Or take the case of SQL injection attacks on large websites leading to serious data breaches. SQL injection attacks exploit web forms that accept user input. If the web application does not sanitize these requests, an attacker can inject SQL statements via form fields and modify, delete or copy the contents of the database.

Another form of SQL injection attack modifies cookies to poison database queries. Web applications use cookies as part of their database operations. Malware deployed on a user’s device could modify cookies to inject malicious SQL code into the database.
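The two input paths described above, a form field and a cookie, shown as an added example that is not part of the original article. The `bookings` table, its rows and the function names are constructed for illustration; the first lookup builds the query by string concatenation and the second uses bound parameters.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookings (ref TEXT, surname TEXT, session TEXT)")
    db.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [("AB12", "Garcia", "s-111"), ("CD34", "Okafor", "s-222")],
    )
    return db

def find_unsafe(db, booking_ref, session_cookie):
    # Vulnerable: the form value and the cookie value are spliced into the SQL
    # text, so a quote character in either one changes the statement's structure.
    sql = (
        "SELECT surname FROM bookings WHERE ref = '%s' AND session = '%s'"
        % (booking_ref, session_cookie)
    )
    return db.execute(sql).fetchall()

def find_safe(db, booking_ref, session_cookie):
    # Hardened: placeholders bind both values as data; they are never parsed as SQL.
    return db.execute(
        "SELECT surname FROM bookings WHERE ref = ? AND session = ?",
        (booking_ref, session_cookie),
    ).fetchall()

# Constructed inputs: one tampered form field, one tampered cookie.
TAMPERED_FORM = "CD34' OR '1'='1"
TAMPERED_COOKIE = "x' OR '1'='1"

def compare():
    """Return row counts for each input path, unsafe versus safe."""
    db = make_db()
    return {
        "form_unsafe": len(find_unsafe(db, TAMPERED_FORM, "not-my-session")),
        "form_safe": len(find_safe(db, TAMPERED_FORM, "not-my-session")),
        "cookie_unsafe": len(find_unsafe(db, "AB12", TAMPERED_COOKIE)),
        "cookie_safe": len(find_safe(db, "AB12", TAMPERED_COOKIE)),
    }
```

With concatenation, the tampered form value returns a booking without a matching session and the tampered cookie returns every row; with bound parameters both return nothing.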

Here are two examples of real-life SQL injection attacks:

  • Hackers from the GhostShell advanced persistent threat (APT) group targeted 53 universities worldwide using SQL injection attacks and stole 36,000 personal records of students, staff and faculty.
  • Hackers used SQL injection to breach the defenses of the 7-Eleven retail chain, stealing over 100 million credit card numbers.

Deploying a WAF could have prevented these unfortunate incidents.

So, How Does a WAF Work?

A WAF inspects every HTTP and HTTPS request, detecting and blocking malicious traffic before it hits the web application and preventing unauthorized data from leaving the app. It acts as a reverse proxy and protects the web application by adhering to policies that specify what traffic is safe and what is malicious.

Enterprises and CDN providers deploy WAFs as software, an appliance or a service, as the first line of defense for their web applications, especially against the OWASP Top 10, the 10 most critical application security vulnerabilities. The OWASP Top 10 list of vulnerabilities includes SQL injection attacks, broken authentication, and cross-site scripting (XSS).

While edge computing provides the low latency that real-time and near-real-time applications need, companies need assurance that their web applications are protected. To provide this assurance, intelligent WAFs start by blocking threats at the network edge while allowing legitimate traffic through. Key features include adaptive rate controls, which help protect applications against application-layer DDoS attacks by controlling the rate of incoming requests.


These WAFs also use application-layer controls, in which predefined WAF rules accept or reject HTTP traffic, and network-layer controls, in which IP whitelists and blacklists stop DDoS attacks at the network edge by allowing or denying requests based on IP address or geolocation.

Next, real-time event visibility provides the ability to analyze attack alerts to learn what’s being attacked, by whom and what in the requests triggered the WAF defenses.
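A compact sketch of how the controls described above can be layered in one request pipeline, as an added example that is not code from the article or from any WAF product. The IP addresses, thresholds, signatures and the `EdgeWaf` class are all constructed for illustration, and letting the allowlist skip only the rate limit is a design choice of this sketch.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Policy values below are constructed for illustration (documentation IP ranges).
DENY_IPS = {"203.0.113.7"}
ALLOW_IPS = {"198.51.100.10"}        # trusted monitor: exempt from rate limiting only
RATE_LIMIT, WINDOW_SECONDS = 3, 10   # max requests per client per sliding window
RULES = [                            # deliberately small signature set
    ("sqli", re.compile(r"'\s*(or|union)\b", re.I)),
    ("xss", re.compile(r"<\s*script\b", re.I)),
]

class EdgeWaf:
    def __init__(self):
        self.hits = defaultdict(deque)   # client IP -> timestamps inside the window
        self.events = []                 # block log: who, what, and which control fired

    def inspect(self, ip, path, query, now):
        """Return (action, reason) for one request and record every block."""
        # Decode first so URL-encoded input is matched in its decoded form.
        action, reason = self._decide(ip, unquote_plus(query), now)
        if action == "block":
            self.events.append({"ip": ip, "path": path, "reason": reason})
        return action, reason

    def _decide(self, ip, query, now):
        if ip in DENY_IPS:                        # network-layer control
            return "block", "ip-denylist"
        if ip not in ALLOW_IPS:                   # rate control per client
            window = self.hits[ip]
            while window and now - window[0] >= WINDOW_SECONDS:
                window.popleft()
            window.append(now)
            if len(window) > RATE_LIMIT:
                return "block", "rate-limit"
        for name, pattern in RULES:               # application-layer rules
            if pattern.search(query):
                return "block", "rule:" + name
        return "allow", "default"

def run_sample():
    """Replay constructed requests (ip, path, query, time); return verdicts and events."""
    waf = EdgeWaf()
    sample = [
        ("192.0.2.1", "/search", "q=edge+computing", 0),
        ("192.0.2.1", "/item", "id=1%27%20OR%20%271%27=%271", 1),
        ("192.0.2.1", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E", 2),
        ("192.0.2.1", "/search", "q=waf", 3),
        ("203.0.113.7", "/", "", 4),
        ("198.51.100.10", "/health", "", 5),
        ("192.0.2.1", "/search", "q=waf", 20),
    ]
    return [waf.inspect(*r) for r in sample], waf.events
```

The `events` list is the raw material for the event visibility described above: each entry records the client, the path requested and the control that triggered the block.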

A modern WAF solution helps organizations secure web applications with minimal configuration without consuming DevOps resources.

This solution has five key features:

  • A two-tier architecture: A centralized WAF intelligence cluster analyzes traffic from all requests in all WAF locations to determine whether to block or allow new traffic.
  • Device-level fingerprinting: Fingerprinting technology distinguishes individual devices and IP addresses to more closely study suspicious traffic and reduce false positives.
  • Built-in policies: Robust WAF policies address OWASP Top 10 vulnerabilities, CSRF attacks and bot protection, among others.
  • A customized rules engine: A rules editor creates edge rules that enforce policies like rate limiting and blocking or allowing IP addresses.
  • Layer-7 DDoS attack mitigation: Finally, overlapping layers of rules mitigate application-layer DDoS attacks while allowing good traffic through.

With enterprises expecting secure access to fast-growing web applications and content at the edge, software developers and security experts struggle to keep up with the emergence of sophisticated web threats. Web application firewalls provide the best defense for these edge applications and their data.

Cox is the largest private telecom company in America, connecting 6.5 million homes and businesses nationwide. Cox is investing in edge capabilities and working with developers and engineers across the ecosystem to deliver low-latency performance compute services.
TNS owner Insight Partners is an investor in: Pragma.