LAST UPDATED March 22, 2022
Overview
A Web Application Firewall (WAF) can be a very effective security control to protect your Internet-facing applications from botnets, targeted attacks, and general “Internet noise” generated by attempted exploitations. But is concentrating solely on actual attack vectors instead of the attacker the right way to address the problem?
Sure, most WAF solutions will be able to detect an obvious SQL injection or XSS attempt, but can they combat a barrage of WAF bypass techniques, such as multi-level URL encoding? What about other obscure request encodings that only specific web server technologies will understand and parse?
After detecting a web application firewall, the first thing an attacker will do is fingerprint the engine and then attempt various bypass techniques. Even if your current WAF can recognize and combat all currently known bypass techniques, new approaches are being developed as we speak.
Clandestine agencies long ago discovered that using disinformation was a more effective strategy to neutralizing internal leaks. Why not apply same logic in a web application firewall?
“How” vs “Who”
To improve your standard WAF, we advise concentrating on “Who” instead of “How.”
Here’s why…
According to CSO, financial incentives are the primary driver for attackers, lately manifesting themselves as ransomware or resource thefts to mine crypto currencies such as Monero (XMR).
Not all attackers are created equal, however. Some will attempt a known zero-day attack on every site available to them, while others will engage in a multi-faceted, targeted attack that includes web application attacks, phishing, and other forms of social engineering.
Thus, the risk profiles of various actors can be vastly different. For example, botnets trying the same attacks repeatedly can be easily detected and thwarted, whereas sophisticated, stealthy attackers are more difficult to detect and track, especially when only passive techniques are utilized. To truly understand the “Who” in real-time and with high precision, we recommend adopting a series of proactive “interrogation” techniques.
Active Fingerprinting
One such proactive technique we can use to better understand the type of attacker and associated risk is active fingerprinting. This is also where disinformation comes into play.
As a web application firewall, we sit in-line or your web application traffic, which allows us to inject various “disinformation” pieces into responses. A simple example to showcase this is injecting a hidden form into a response to weed out botnets that do not execute JavaScript.
Simple Botnet Detection
Let’s say we inject the following into a response:
Lorem ipsum dolor sit amet…
Any normal user leveraging a browser that supports JavaScript will see the following:
But a botnet with no JavaScript capability will interpret the same input as follows:
The goal here is simple – if we receive any submissions to this form, we can immediately flag it as a potential attacker and our disinformation campaign has paid off.
This is a basic example. The reality is, more sophisticated botnets exist that are built on top of headless browsers, which are perfectly capable of executing JavaScript. Thanks to a myriad of other techniques, such as HTML header injection, cookie injection, and JavaScript fingerprinting, there are many other ways to identify bots that we will not disclose for obvious reasons.
Finally, to detect even the most sophisticated of botnets that can interpret all of these and pretend to be a human, we can use new Proof Of Work (PoW) algorithms. These algorithms will force a botnet engine to perform work and waste precious cycles, making your website a much less attractive target.
The Sophisticated Attacker
When it comes to baiting a sophisticated attacker, a different, perhaps more psychological approach, is required.
Most targeted web application attacks will involve a transparent proxy engine, which allows an attack to intercept and modify requests and responses. These tools are used to explore a web application looking for potential injection points against which attacks, such as SQL Injection, can be launched.
To bait an attacker, we can inject a hidden “sso” field into a login form:
Lorem ipsum dolor sit amet…
If the attacker notices a hidden “sso” field, there is little doubt they will want to explore it to see if setting it to “true” will allow them to bypass the login form. On the WAF engine we know that we should always see “false” in that field, anything else indicates a potential attack.
Another technique an attacker may utilize is blind SQL Injection – this is a type of attack that asks the database true or false questions and determines the answer based on the applications response. These attacks are frequently launched using time-based techniques such as using the “waitfor” keyword in Microsoft SQL server. For example, “waitfor delay ‘00:00:5’” will pause the response for 5 seconds if an injection attack is successful.
These types of requests can be easily intercepted and allow us to intentionally pause attacker queries for 5 seconds making them think the attack was successful, thus wasting their time on a false injection point.
Once again, it is important to note that while these are fairly basic examples, even these techniques could prove more effective in profiling an attacker compared to standard passive approaches.
Conclusion
ThreatX’s SaaS-Based, Web Application Firewall includes multiple advanced interrogation techniques that aid in botnet and sophisticated attacker detection and also can very effectively replace manual human verification techniques such as CAPTCHA.
