Balancing WAF Configurations: Countermeasures and Signatures
Tyler Fullerton, Senior Sales Engineer
Web Application Firewalls (WAFs) are an important addition to any company’s security posture and provide a policy enforcement point for protecting an online asset from vulnerabilities in the application stack. To do this, a WAF must have a deep understanding of the application it protects and of the ways that application can be attacked. WAFs are extremely detail-oriented, and those details make for a complex solution. Modern applications consist of many software components that try to be as flexible as possible, supporting many development styles and configurations, which in turn translates into many WAF configuration options. WAF vendors have approached this complexity in two ways: (1) a simple, one-click configuration that hides the underlying complexity, and (2) a complex configuration with many dials and knobs and a seemingly unlimited amount of customization. A given application is unlikely to match a vendor’s one-size-fits-all configuration, which makes option 1 ineffectual and prone to both false positives and false negatives. Furthermore, many companies do not have the staff or experience to take advantage of a highly customizable configuration, which puts option 2 out of reach.
UltraWAF takes a third approach: one that allows a simple configuration if desired, but also makes more complicated configurations possible through policy parameterization, relaxation rules and learning mode. This middle-ground approach provides core countermeasures for broad classes of vulnerabilities such as SQL injection (SQLi), Cross-Site Scripting (XSS) and buffer overflow. It also supports more targeted protection through signatures for point vulnerabilities in a specific version of a piece of software, such as Log4j. Our strategy for UltraWAF is to employ both: core countermeasures lay the foundation for broad protection, while signatures are deployed for high-profile vulnerabilities such as Log4j.
Core countermeasures make up the foundation because signatures, and the Common Vulnerabilities and Exposures (CVE) entries they are associated with, are just specific expressions of the core countermeasures. For example, CVE-2022-0817 is a vulnerability in the WordPress BadgeOS plug-in that allows SQL injection by unauthenticated users. The UltraWAF platform has 7 separate signatures for this vulnerability and its variations. If you took a CVE-centric approach to WAF configuration, you would miss out on 0-day protection, because the vulnerability has to be publicly known and have a signature before you are protected, and you would also need to remember to remove the signatures once your WordPress software has been updated (every WAF takes a performance hit if signatures are allowed to pile up in its configuration).
Alternatively, if you have a robust core countermeasure configuration in your policy, you have protection without having to apply specific signatures. To illustrate this, I applied the SQLi core countermeasure to an UltraWAF policy to protect the WordPress BadgeOS plug-in from this vulnerability without any CVE-specific signature. The SQLi countermeasure configuration was straightforward: I put it in Block and Log mode and enabled SQL Injection Grammar:
With the SQL Injection countermeasure enabled and blocking, nothing further needs to be done to protect against the vulnerability described in CVE-2022-0817, or against the SQL injection behind any other CVE, whether it is already known or not. This can be tested by running the proof-of-concept code linked from the NVD entry. I used a cURL command to exploit the vulnerability; it POSTs to the plug-in’s admin-ajax.php handler with a time-based blind SQLi payload (a SLEEP(5) subquery) in the user_id parameter:
C:\> curl "https://waf.se.security.neustar/wp-admin/admin-ajax.php" --data "action=get-achievements&total_only=true&user_id=11 AND (SELECT 9628 FROM (SELECT(SLEEP(5)))WOrh)-- Kusb"
Here the request is made:
And in response to my cURL command, the request is detected as malicious and blocked by UltraWAF:
Even though the policy has none of the signatures written for this specific vulnerability, the request is still properly blocked by the SQLi core countermeasure.
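To make the difference between a CVE-specific signature and a generic SQLi grammar countermeasure concrete, here is an added example (written for this post; it is not UltraWAF code and does not reflect how UltraWAF’s SQL Injection Grammar is implemented). It models a deliberately narrow signature for CVE-2022-0817 (hypothetical: it only looks at admin-ajax.php, the get-achievements action and the user_id parameter) next to a simplified grammar-style check that looks for SQL keywords combined with structural constructs such as comment terminators, timing functions or tautologies. The sample requests are constructed: one is the proof-of-concept payload from the cURL command above, the others are variants that a CVE-centric policy would never have a signature for, plus benign traffic to show the grammar check does not trip on ordinary text.

```python
"""Signature vs. SQL grammar countermeasure: illustrative, not UltraWAF code."""
import re
from urllib.parse import parse_qs

# SQL keywords a grammar-style check tokenizes on.
SQL_KEYWORDS = re.compile(
    r"\b(select|from|where|union|and|or|sleep|benchmark|waitfor|"
    r"insert|update|delete|drop|having|order|group)\b",
    re.IGNORECASE)

# Structural constructs that keywords alone do not prove.  A value must hit at
# least one of these before it can be called SQL, which keeps prose that merely
# contains words like "select" or "and" from being blocked.
STRUCTURAL = {
    "comment": re.compile(r"--|/\*|#"),
    "time_or_file_func": re.compile(
        r"\b(sleep|benchmark|waitfor|load_file|extractvalue|updatexml)\s*\(",
        re.IGNORECASE),
    "literal_compare": re.compile(r"\b\d+\s*=\s*\d+\b"),   # e.g. 1=1
    "quote_then_logic": re.compile(r"'\s*(or|and)\b", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE),
}


def params(req):
    """Merge query-string and body parameters into {name: [values]}."""
    merged = {}
    for raw in (req.get("query", ""), req.get("body", "")):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(name, []).extend(values)
    return merged


def grammar_verdict(value):
    """Return (is_sqli, score, structural_hits) for one parameter value.

    Score = distinct SQL keywords + 2 per structural construct.  Block when at
    least one structural construct is present and the score reaches 4.
    """
    keywords = {k.lower() for k in SQL_KEYWORDS.findall(value)}
    hits = [name for name, rx in STRUCTURAL.items() if rx.search(value)]
    score = len(keywords) + 2 * len(hits)
    return (bool(hits) and score >= 4), score, hits


def signature_cve_2022_0817(req):
    """Hypothetical narrow signature: matches only the BadgeOS AJAX action."""
    p = params(req)
    if not req["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    if p.get("action") != ["get-achievements"]:
        return False
    return any(SQL_KEYWORDS.search(v) for v in p.get("user_id", []))


def grammar_countermeasure(req):
    """Generic countermeasure: every parameter of every request is inspected."""
    return any(grammar_verdict(v)[0] for values in params(req).values() for v in values)


def evaluate(req):
    """Decision of each approach for one request."""
    return {"signature": signature_cve_2022_0817(req),
            "grammar": grammar_countermeasure(req)}


# Constructed sample traffic.  The first body is the PoC payload from the cURL
# command in the post; the other endpoints and parameters are made up.
POC_BODY = ("action=get-achievements&total_only=true&user_id=11 AND "
            "(SELECT 9628 FROM (SELECT(SLEEP(5)))WOrh)-- Kusb")
SAMPLES = {
    "cve_poc": {"path": "/wp-admin/admin-ajax.php", "query": "", "body": POC_BODY},
    "benign_badgeos": {"path": "/wp-admin/admin-ajax.php", "query": "",
                       "body": "action=get-achievements&total_only=true&user_id=11"},
    # Same pattern of bug in a different (hypothetical) plug-in action: no signature exists.
    "other_endpoint": {"path": "/wp-admin/admin-ajax.php", "query": "",
                       "body": "action=example_other_plugin&post_id=1' OR 1=1-- "},
    "union_in_query": {"path": "/index.php", "query": "p=-1 UNION SELECT 1,2,3", "body": ""},
    "benign_text": {"path": "/wp-comments-post.php", "query": "",
                    "body": "comment=Select the badge you want and we'll order from there"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16s} {evaluate(req)}")
```

Run as a script, it shows the signature firing only on the exact CVE-2022-0817 request, while the grammar check also blocks the two variants it has never seen and passes both benign requests. The thresholds here are arbitrary; a production grammar engine parses the value properly rather than scoring regexes, but the division of labour is the same: one rule per known exploit versus one rule per class of attack.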
WAF configuration can be as simple as clicking a button or as complex as individually tuning an astonishing number of dials and knobs. Sometimes, as with UltraWAF, the configuration workload lies somewhere in the middle. This middle-ground approach rests on the idea that a foundation of core countermeasures for vulnerability classes such as SQLi gives you 0-day protection for those classes. And with UltraWAF you still have the ability to use signatures for specific CVEs, either as an extra layer of protection or in cases where you do not have the relevant core countermeasure in place.