Tag Archive for: WAF

How to Simplify WAF Rule Management


As long as web application firewalls (WAFs) have existed, security teams have struggled with tuning and maintaining WAF signatures and rulesets. It is thankless, never-ending work, and even in the best cases it is prone to frequent false positives and false negatives. Yet even though it is one of the longest-standing complaints about legacy WAFs, it is a problem that never seems to go away.

So why has the industry been stuck fighting the same problem for so long? Is it something that can be fixed, or is the pain of rule management the unavoidable “death and taxes” of AppSec? At ThreatX, we are focused on finally making this problem go away by providing a platform that makes security much stronger while getting security teams off the rule management treadmill.

So let’s take a look below the surface to see why legacy rules are so problematic and what we can do about it.

A Common Problem Based on Common DNA

Legacy WAFs tend to suffer from the same problems when it comes to rules because they all fundamentally work the same way. In fact, many of the most popular commercial WAFs rely on the same underlying rules defined by ModSecurity. ModSecurity is a well-known open-source WAF, and its Core Rule Set (CRS) contains more than 17,000 regular expression-based rules. Each WAF vendor may customize and tune these modsec rules to their liking, but under the hood, they are virtually identical.

This has led to an entire industry of WAFs whose core detection engines are all based on regex matching rules. And in most cases, WAFs require a LOT of these rules. While rules and signatures are not inherently bad, a regex-centered view of the world can certainly lead to a wide range of challenges, including …

False Positives and Negatives

Regex rules look for specific string patterns that correspond to a known threat. For example, this might be a SQL injection pattern such as a user entering UNION and SELECT statements to pull usernames and passwords that reside in an application’s database. And while regex rules can look for these statements, every use of “union” and “select” isn’t necessarily a sign of evil. For example, I’ve recently talked to a prospect whose legacy WAF had…


Unpatched Remote Hacking Flaw Disclosed in Fortinet’s FortiWeb WAF



Details have emerged about a new unpatched security vulnerability in Fortinet’s web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.

“An OS command injection vulnerability in FortiWeb’s management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,” cybersecurity firm Rapid7 said in an advisory published Tuesday. “This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120.”


Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with FortiWeb version 6.4.1.

The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,” Rapid7’s Tod Beardsley said. “They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.”

Rapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as CVE-2020-29015. In the interim, users are advised to block access to the FortiWeb device’s management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.


Although there is no evidence that the new security issue has been exploited in the wild, it’s worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.

Earlier this April, the Federal Bureau of Investigation (FBI) and the…


Benefits of Building a Multi-prong Mousetrap for WAF Policies with ML


The reason for buying a market-leading Web Application Firewall (WAF) is to protect your website and web applications from malicious attacks, and to comply with industry or regional data and privacy standards. In addition to the typical OWASP Top 10 vulnerabilities, WAFs need to address a litany of cyber-threats, from simple attacks like SQL injection to more sophisticated Advanced Bot Attacks. With the average cost of a data breach nearing 4 million dollars and the average time to identify and contain a breach nearing 280 days, enterprise security teams have an uphill battle to fight as the number and complexity of breaches grow. Fortunately, many security vendors are leveraging technologies – from automation and analytics to AI and crowdsourcing – to replace traditionally resource-intensive processes, deliver faster response times, and address newer threat models. At Imperva, we recognized the growing threat of Bots in both activity level and threat complexity. To combat this, we’ve introduced Advanced Bot Protection (learn how Advanced Bot Protection is integrated into Imperva’s Cloud Application Security here), which uses Machine Learning to collect and analyze behavioral data for anomalies, and also incorporates advances in biometric data validation (e.g., mouse movements, mobile swipes, accelerometer data, etc.) to catch malicious Botnets that attempt to hijack devices. We’re proud to say that we’ve become the industry leader in protecting against and providing insights on advanced bots (download the 2021 Bad Bot Report).

Cybercriminals today are using AI, which typically runs on a supercomputer and is programmed to attack at any moment. Enterprise security professionals know the adage of ‘not bringing a knife to a gunfight’ and continue to seek out security solutions with advanced technologies to make their response a fair fight. Unfortunately, due to digital transformation initiatives and the post-COVID era, the attack surface of enterprises continues to grow as threats continue to innovate, with the likes of botnet swarms and crypto-mining malware. Whether these threats come from individuals or nation-states, the intent to exploit has…
