Sep 28 2022

How Can WAF Prevent OWASP Top 10?

Category: next generation firewall,Web SecurityDISC @ 9:11 am

The OWASP Top 10 security risks point out the common vulnerabilities seen in web applications. But it does not list the set of attack vectors that WAFs (Web Application Firewalls) can simply block. This is but a myth often propagated by many a security vendor. OWASP Top 10 protection is the joint responsibility of the security vendor and the application developers.

There is a lot that an effective security solution and WAF can do to secure OWASP vulnerabilities. But in some cases, the security solution may not be able to give complete coverage against it and requires the developers/ organizations to take preventive action. 

In this article, we help you understand how a comprehensive, intelligent, and fully managed WAF can augment OWASP Top 10 protection. 

A Quick Introduction to WAF 

WAF is the first line of defense between the web application and the web traffic, filtering out malicious requests and bad traffic at the network edge. The best WAFs are part of larger security solutions that combine deep, intelligent scanning, bot management, API protection, etc., with OWASP protection. They also leverage self-learning AI, behavioral and pattern analysis, security analytics, global threat feeds, and cloud computing in combination with human expertise. 

WAFs and OWASP Top 10 Protection

Broken Access Control 

To effectively prevent this OWASP vulnerability, organizations must fix their access control model. WAFs can help organizations by 

  • Proactively identify attack vectors leveraged by attackers to exploit vulnerabilities such as design flaws, bugs, default passwords, vulnerable components, etc. 
  • Testing for the insecure direct object reference, local file inclusions, and directory traversals
  • Providing visibility into the security posture, including access control violations
  • Implementing custom rate limiting and geo limiting policies.

Cryptographic Failures

The encryption of everything, in rest and transit, is necessary for OWASP Top 10 protection against cryptographic failures. WAFs, augment protection by testing for weak SSL/TLS ciphers, insufficient transport layer protection, crypto agility, sensitive information sent via unencrypted channels, credentials transmitted over encrypted channels, etc. Organizations can then fix any issues that are identified. 


User input sanitization, validation, and parameterized queries are critical to prevent this risk. For OWASP protection against injections, WAFs use a combination of whitelist and blacklist models to identify all types of injection – command, SQL, code, etc. 

WAFs leverage behavior, pattern, and heuristic analytics and client reputation monitoring to proactively detect anomalous behavior and prevent malicious requests from reaching and being executed by servers. They use virtual patching to instantly secure injection flaws and prevent attackers’ exploitation. 

Also, Download Your Copy of OWASP Top 10 2022 Playbook

Insecure Design 

By integrating the WAF and the security solution right into the early stages of software development, organizations can continuously monitor and test for security weaknesses. For instance, organizations can identify insecure codes, components with known vulnerabilities, flawed business logic, etc., in the early SDLC stages by deploying a WAF and fixing them. This helps build secure-by-design websites and apps.  

Security Misconfigurations 

For OWASP Top 10 protection against security misconfigurations, WAFs use a combination of fingerprinting analysis and testing. They fingerprint web servers, web frameworks, and the application itself and test error codes, HTTP methods, stack traces, and RIA cross-domain policies to look for security misconfigurations. 

WAFs use automated workflows to intelligently detect misconfigurations, including default passwords, configurations, unused features, verbose error messages, etc. They virtually patch these misconfigurations to prevent exploitation by threat actors. They offer real-time visibility into the security posture and insightful reports, enabling organizations to keep hardening their security posture. 

Vulnerable and Outdated Components 

The intelligent scanning capabilities of WAFs enable organizations to continuously detect vulnerable and outdated components. Here, again instantaneous virtual patching helps secure these OWASP vulnerabilities until fixed by developers. 

Identification and Authentication Failures

Organizations must implement effective session management policies, strong password policies, and multi-factor authentication for OWASP Top 10 protection against identification and authentication failures. Intelligent WAFs leverage their strong technological capabilities to accurately identify these failures. 

They leverage their bot detection capabilities – workflow validation, fingerprinting, and behavioral analysis – to prevent brute force attacks, credential stuffing, and other bot attacks resulting from the exploitation of broken authentication and session management. 

Software and Data Integrity Failures

WAFs are equipped to detect these OWASP security risks effectively using their continuous scanning and pen-testing capabilities. They use a combination of negative and positive security models to prevent this risk. 

Security Logging and Monitoring Failures

The best WAFs offer ongoing logging and monitoring features and complete visibility into the security posture. They offer cohesive dashboards that can be used to generate customizable and visual reports, gain critical insights and recommendations to improve security, etc. 

Server-Side Request Forgery (SSRF)

For protection against SSRF, implementation of positive rules, user input validation, etc., by the organizations is critical. WAFs, on their end, can be configured to block unwanted website traffic by default, encrypting responses, preventing HTTP redirections, etc. 

OWASP Top 10 security risks

Web Application Firewall WAF A Complete Guide

Tags: Next-Gen WAF protection, OWASP Top 10, WAF

Mar 14 2021

Next-Gen WAF protection for recent Microsoft Exchange vulnerabilities

Category: Firewall,next generation firewallDISC @ 11:41 am

We strongly suggest that customers using Signal Sciences Next-Gen WAF in front of their Microsoft Exchange servers enable this rule as soon as possible and configure it to block requests if the signal is observed. Additionally, follow all guidance from Microsoft to patch affected systems. The vulnerabilities in question are actively being exploited globally and have severe impact.

Patching Microsoft Exchange systems

We are seeing a large uptick in exploitation attempts in the wild. This is an evolving story and our teams are working continuously to ensure the rules are catching the latest attacks, but this should not be your only line of defense. We strongly recommend that you patch affected systems, perform incident response,  and follow recommendations from Microsoft.

Exploit chain

The observed attacks on Microsoft Exchange systems chain together multiple CVEs (Common Vulnerabilities and Exposures) to carry out the attack. The impact of these attacks range from full system takeover through Remote Code Execution (RCE), as well as email inbox exfiltration and compromise. At a high level, the exploit chain is carried out as follows:

  1. A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server identified as CVE-2021-26855 allows attackers to send HTTP requests to the exposed Exchange server and access other endpoints as the Exchange server itself. This is an unauthenticated step of the attack which makes the vulnerability exceptionally easy to exploit.
  2. An insecure deserialization vulnerability identified by CVE-2021-26857 leverages the SYSTEM-level authentication obtained by the above SSRF attack to send specially-crafted SOAP payloads which are insecurely deserialized by the Unified Messaging Service. This gives the attacker the ability to run code as SYSTEM on the Exchange server.
  3. After CVE-2021-26855 is successfully exploited, attackers can then utilize CVE-2021-27065 and CVE-2021-26858 to write arbitrary files to the Exchange server itself on any path. This code that is uploaded by the attacker is run as SYSTEM on the server. Lateral movement, malware implanting, data loss, escalation, and more can be carried out through these vulnerabilities.

By enabling the Signal Sciences Next-Gen WAF templated rule, the first step in the exploit chain cannot be carried out. If you would like to dig deeper into the technical details of this chain of attacks please see this post by the folks at Praetorian. To enable the templated rule, please refer to our documentation for details on how to enable templated rules.

The post Next-Gen WAF protection for recent Microsoft Exchange vulnerabilities appeared first on Signal Sciences.

Your best practice guide to configuring Cisco’s Next Generation Firewall

Tags: Next Generation Firewall, Next-Gen WAF protection