Among the wide range of solutions available to protect systems, some equipment is highly specialized for a single purpose. One such device is the Web Application Firewall.
According to OWASP, a Web Application Firewall, or «WAF», is a device, server plugin, or filter that applies a set of rules to an HTTP conversation. In general, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to its implementation, many attacks can be identified and blocked.
Clearly a WAF is not a UTM: a WAF is a device or piece of software that focuses specifically on protecting web applications and web systems. This explains why, in the previous article, most of the attacks we ran against a UTM were not blocked by that device.
Thanks to Yishay Perry (www.fil.org.il), who specializes in Fortinet solutions and is a colleague in the area of perimeter security, I was given access to Fortinet's WAF, called FortiWeb, where we set up a scenario suitable for running some offensive security tests and checking whether the device could block some of the most representative attacks on web applications.
Scenario:
Test 1 – Cross-site scripting XSS
XSS attacks are among the hardest for a traditional UTM to detect; in this case we see how the WAF reacts to this vulnerability.
A. Without the WAF protecting the web application
The string used for the XSS test was: alert(document.cookie)
B. With the WAF protecting the web application
We rerun the same test, now with the WAF protecting the web application.
Test 2 – File Inclusion
This is another vulnerability that is difficult to detect; let's see how the device reacts.
A. Without the WAF protecting the web application
We tested inclusion of the following path: /etc/passwd
We see that the request completes and the web application returns the contents of the /etc/passwd file.
B. With the WAF protecting the web application
We rerun the same test, now with the WAF protecting the application.
Here too we see that the WAF reacts and blocks the file inclusion attempt.
As in the previous test, we see that the WAF generates the event log.
Test 3 – Website Defacement
Defacement of web pages is a fairly common attack these days; let's see how the WAF reacts.
Scenario: in this case we managed to upload a webshell through a form, then found that the file index.php is the main page of the website, and we are about to save our defacement into that file, as shown below:
A. Without the WAF protecting the web application
Without the WAF protecting, we can save the file and complete the defacement, as follows:
B. With the WAF protecting the web application
We retry saving the index.php file with the WAF protecting, and it reacts like this:
Likewise, the event is recorded, as shown below:
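The three tests above all come down to the same mechanism: the WAF normalizes each request, matches it against rules, and either blocks it and writes an event or lets it through. The following toy rule engine is an added example written for this article; it is not FortiWeb's rule set nor code from the original post. It reproduces the three test cases with constructed requests (the XSS string, the /etc/passwd inclusion, the webshell upload and the write to index.php) and shows the difference between generic signatures and per-application rules. The endpoints (/search, /upload, /shell.php), the field names and the "images only" upload policy are assumptions about a hypothetical application, not details from the tested scenario.

```python
"""Toy rule-based WAF modelled on the three tests above (added example, not FortiWeb's rules)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass
class Request:
    """Minimal HTTP request model with only what the rules need (constructed)."""
    method: str
    path: str                                   # URL path, may carry a query string
    form: dict = field(default_factory=dict)    # decoded form fields of a POST body
    upload_name: str = ""                       # filename of a multipart upload, if any


def normalize(value: str) -> str:
    """URL-decode up to twice so %252e%252e-style double encoding is still caught."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


# Generic signatures of the kind any WAF ships with. Deliberately simple and
# illustrative; a real rule set is far larger and is tuned per deployment.
GENERIC_RULES = {
    "xss": re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I),
    "file_inclusion": re.compile(r"\.\./|\.\.\\|/etc/passwd|\bphp://|^\s*(?:https?|ftp)://", re.I),
}

# Server-side script extensions that this hypothetical application never takes as input.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)


def application_rules(req: Request) -> list:
    """Per-application policy (hypothetical app). Generic signatures alone cannot know
    that /upload must only receive images or that index.php must never be written
    through the web tier; this is the custom configuration the conclusions refer to."""
    events = []
    if req.path.startswith("/upload") and req.upload_name:
        if not re.search(r"\.(?:jpe?g|png|gif)$", req.upload_name, re.I):
            events.append(("upload_type", "file"))
    for name, value in req.form.items():
        v = normalize(value).strip()
        if SCRIPT_EXT.search(v) or v.endswith("index.php"):
            events.append(("server_script_write", name))
    return events


def inspect(req: Request, waf_enabled: bool = True):
    """Return ("ALLOW" | "BLOCK", events). waf_enabled=False inspects nothing,
    mirroring the 'without the WAF' run of each test."""
    if not waf_enabled:
        return "ALLOW", []
    events = []
    params = dict(parse_qsl(urlsplit(req.path).query, keep_blank_values=True))
    params.update(req.form)
    for name, value in params.items():
        v = normalize(value)
        for rule, pattern in GENERIC_RULES.items():
            if pattern.search(v):
                events.append((rule, name))
    events += application_rules(req)
    return ("BLOCK" if events else "ALLOW"), events


# Constructed requests reproducing the three tests; not captured traffic.
TEST_REQUESTS = {
    "xss": Request("GET", "/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"),
    "file_inclusion": Request("GET", "/index.php?page=../../../../etc/passwd"),
    "webshell_upload": Request("POST", "/upload", upload_name="shell.php"),
    "defacement": Request("POST", "/shell.php", form={"file": "index.php", "content": "defaced"}),
    "benign": Request("GET", "/search?q=firewall+comparison"),
}


def run_tests(waf_enabled: bool = True) -> dict:
    """Map each test name to its decision and print a one-line event per match,
    the information a WAF event log would carry."""
    results = {}
    for name, req in TEST_REQUESTS.items():
        decision, events = inspect(req, waf_enabled)
        results[name] = decision
        for rule, field_name in events:
            print(f"[{decision}] {name}: rule={rule} field={field_name} {req.method} {req.path}")
    return results


if __name__ == "__main__":
    run_tests(waf_enabled=False)   # everything allowed, as in the "without WAF" runs
    run_tests(waf_enabled=True)    # the four attacks blocked, the benign search allowed
```

Note that the defacement case is only caught by the application rule: nothing in the generic signatures is suspicious about a form field containing `index.php`. That is exactly the point of the second conclusion below: the result depends on rules written for the protected application, not just on the appliance.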
Conclusions
- Having much more specialized equipment against web attacks greatly reduces the chance that vulnerabilities in applications can be exploited, as in the case of FortiWeb.
- All tests had a positive result for the WAF, but this is because the protection was configured specifically for the application being defended; that is, whatever WAF solution is used, it is necessary to make custom settings on the device.
- This guide is intended to show that, for any security equipment or solution, it is highly recommended to run offensive security tests that validate each of the protection rules the device offers.
- I can say that FortiWeb is a pretty good device that protects against the assessed vulnerabilities.
In another article we will see how to implement a WAF with some existing free-software solutions.
Regards
Juan Oliva
@jroliva