Web Application Firewalls: Why does your site need one?

Introduction

In an age where businesses rely heavily on the internet to connect with their customers, protect sensitive data, and deliver seamless digital experiences, the importance of safeguarding web applications cannot be overstated. This is where Web Application Firewalls (WAFs) step in as a vital security measure. In this blog post, we will explore what Web Application Firewalls are, why you need one, and how they can fortify your online presence against cyber threats, whether you are running an online business, are a casual blogger, or run a website of your own in any capacity.

Understanding Web Application Firewalls (WAFs)

A Web Application Firewall (WAF) is a specialized security solution designed to protect web applications from a wide range of online threats. Unlike traditional firewalls, which primarily focus on network-level security, WAFs operate at the application layer, scrutinizing the traffic to and from your web applications, making them an indispensable tool for modern cybersecurity.

Why Do You Need a Web Application Firewall?

  1. Protection from Common Web Threats: Web applications are constantly targeted by hackers who seek vulnerabilities to exploit. WAFs serve as the first line of defense against threats such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and more. They filter out malicious traffic and prevent attackers from compromising your application.

  2. Mitigation of DDoS Attacks: Distributed Denial of Service (DDoS) attacks can overwhelm your web application with an excessive amount of traffic, causing downtime and disrupting your business. WAFs have the capability to detect and mitigate DDoS attacks, ensuring that your application remains accessible to legitimate users.

  3. Patching Vulnerabilities: Even well-maintained web applications can have vulnerabilities that might go unnoticed. WAFs provide a layer of protection while you work on patching these vulnerabilities. They can help bridge the gap between identifying a vulnerability and implementing a fix.

  4. Regulatory Compliance: Many industries have strict regulations regarding data protection and security, such as GDPR, HIPAA, or PCI DSS. Implementing a WAF can assist you in meeting these compliance requirements by safeguarding sensitive customer data.

  5. Real-time Threat Intelligence: Modern WAFs are equipped with threat intelligence capabilities that allow them to stay updated on the latest threats and attack patterns. This dynamic approach ensures that your web application is shielded from emerging threats as well.

  6. Customizable Security Policies: WAFs are highly customizable, allowing you to define specific security policies based on your application’s needs. This flexibility ensures that you can strike the right balance between security and usability.

  7. Improved Performance: Contrary to the misconception that WAFs slow down web applications, modern WAFs are designed to optimize performance. They can cache frequently accessed content, offload SSL decryption, and provide content delivery network (CDN) capabilities, all of which can enhance your application’s speed and reliability.

Real World Attacks From Savage Hack

Now that you are subject matter experts on what WAFs are and what they offer you, I want to take a dive into real-world attacks that have already happened against Savaghack.com! Keep in mind, this website has only been up and running for a matter of weeks at the time of this blog. I’m going to show you just how bad it really is, and how bad it could get for your website, completely unnoticed, if you, the website owner, didn’t have a firewall in place.

Day 1:

Starting from the first day I installed the WAF that I chose, I noticed immediately from reviewing the logs that my site was already under constant attack. If you’re familiar with WordPress and how its installation occurs and are familiar with its common folders, you will understand exactly what is going on in these images. Here is a screenshot of one of the logs I was reviewing.

As you can see, there is a blacklisted IP address of 37.139.129.244 that is apparently running a directory brute force scan on my website. They are looking for low-hanging fruit. This IP address was coming from the Netherlands, Amsterdam to be more specific. It is on a blacklist that my WAF currently has, which includes whole countries as well as specific IP addresses known to perform malicious activity. Fortunately for me, the WAF picked this up and delivered 403 server codes back to the person scanning, so that all they see is "Forbidden". The funny thing that caught my attention was them looking for a "shell.php" file. During Capture the Flag events, I’ll often name my reverse shells something like "shell.php", though if I were nefarious, I would avoid naming it something like that to help avoid detection. This wasn’t the only IP that was scanning my website; there were dozens of others from all over the world.

Day 2:

I decided to check the second day of having the WAF up to see if anything interesting was attempted. It did not fail me.

The second day had over 3,000 allowed requests, granted some of those were from me editing pages, adding things, etc. But I isolated my IP from the logs to discover only 426 requests were from my IP. So there were quite a few requests to the page on day 2 of the WAF being installed. Still, keep in mind this site is still very new and very small, and I haven’t really done any marketing at all. So if you’re a business owner or a blogger or site owner that has a ton of followers, subscribers, customers, etc... please take note of this.

As you can see from the logs, 89 requests were blocked. Blacklisted IP addresses were trying to access installation configuration files from the site to gain more intel on how to approach a hack. Others were logged as "Bad bot" access denied, which simply means they did not include any user-agent in the headers. If you’re not familiar with user-agents, they basically describe what kind of browser is accessing your server. Google’s crawlers will be marked as Google bot crawlers; if you’re using Firefox, it will be labeled as such. That header field should never be empty in normal legitimate use, so it is a huge red flag when it is. Attempts to bypass the firewall by putting PHP commands in the headers can trigger this block as well. Luckily, there are protections in place for such things.
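To make the log review described in the last two sections concrete, here is an added example (not code from the post, and not Sucuri's or any vendor's rule set) that replays constructed access-log lines through the same checks the author describes: an IP blacklist, an empty or missing User-Agent, probes for configuration and backup files, and a client piling up 404s the way a directory brute force does. The log lines, the blocklisted address and the threshold of three 404s are all made up for the example; the "shell.php" probe mirrors the one the author saw.

```python
"""Replay constructed access-log lines through WAF-style checks and report
what would have been blocked (403) versus allowed, plus likely scanners."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not the post's screenshots). Common-log style
# with the User-Agent appended: ip - - [time] "METHOD path HTTP/1.1" status "UA"
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 403 "curl/8.0"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /shell.php HTTP/1.1" 404 "curl/8.0"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 "curl/8.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 "-"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
192.0.2.44 - - [01/Jan/2024:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
"""

# Constructed blocklist using an RFC 5737 documentation address, not a real offender.
BLOCKLIST = {"203.0.113.10"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Paths a legitimate visitor never requests: the WordPress config file (and
# editor/backup copies of it), dotenv files, the "shell.php" probe the post
# mentions, and common backup/dump extensions.
SENSITIVE_PATH_RE = re.compile(
    r"(wp-config\.php|\.env$|/shell\.php$|\.(bak|old|zip|sql)$)", re.IGNORECASE
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry, blocklist):
    """Return the block reasons for one request; an empty list means allow."""
    reasons = []
    if entry["ip"] in blocklist:
        reasons.append("blocklisted_ip")
    # Many servers log an absent User-Agent header as "-".
    if entry["ua"].strip() in ("", "-"):
        reasons.append("empty_user_agent")
    if SENSITIVE_PATH_RE.search(entry["path"]):
        reasons.append("sensitive_path")
    return reasons


def analyze(log_text, blocklist=BLOCKLIST, not_found_threshold=3):
    """Summarise allowed vs blocked requests and flag probable scanners.

    A client that collects at least `not_found_threshold` 404 responses is
    reported as a likely directory brute force: each guess at a file that does
    not exist comes back as 404, and scanners make many guesses quickly.
    """
    summary = {"allowed": 0, "blocked": 0, "reasons": Counter(), "brute_force_ips": []}
    not_found = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash the review
        if entry["status"] == 404:
            not_found[entry["ip"]] += 1
        reasons = classify(entry, blocklist)
        if reasons:
            summary["blocked"] += 1
            summary["reasons"].update(reasons)
        else:
            summary["allowed"] += 1
    summary["brute_force_ips"] = sorted(
        ip for ip, n in not_found.items() if n >= not_found_threshold
    )
    return summary


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"allowed={result['allowed']} blocked={result['blocked']}")
    for reason, count in result["reasons"].most_common():
        print(f"  {reason}: {count}")
    print("likely directory brute force from:", ", ".join(result["brute_force_ips"]))
```

The 404 heuristic is deliberately kept separate from the per-request block decision: a WAF blocks a request on what it contains (source address, headers, path), while "this client is scanning" is only visible across many requests, which is why the author could read it off a day's log and not off any single line.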

Day 3: TODAY!

At the time of writing this blog today, there have already been 30 blocked requests and 1.2k allowed requests on my site. Also, keep in mind that just because a request is allowed does not mean the end user got to see what they wanted to see. I have several pages off limits to anyone except my IP, and that IP has MFA attached to it. So some of the requests were "allowed," but they were met with 403 Forbidden errors anyway, or a fun little image of my firewall.

I blacked out one of the IP addresses as it could have very well been a legitimate user (doubtfully though based on the location). At the time of the screenshot, I did not realize I had a configuration setting in the firewall that was blocking all registration to my site! It had gone unnoticed, but I did see it set today and disabled that setting so that anyone can register for the site. While it would be more secure that way, I’m soon wanting to build a community of users on the site. You can see in these logs, however, blacklisted IP addresses are still directory brute forcing my site. I don’t foresee attacks slowing down any time soon. I expect to see fake users registering accounts now that I took the restrictions off. They will then try to see how they can get further permissions as a site user or try to brute force an admin password (which has already occurred but was not successful). Should something occur, though, the WAF I use will remove all malware, undo the hacks, restore backups, etc., all automatically.

Conclusion

Just within the past three days, I have had quite a few attacks that were blocked because of my WAF. These attacks will only continue. It is nothing personal from the attacker's viewpoint. They are simply scanning websites, specifically any WordPress sites in my case, looking for that low-hanging fruit. When they realize there is nothing here for them, they will simply move to the next site. My suggestion to anyone who either has a site or is thinking of getting one is to think about investing in a WAF. They are not too terribly expensive, and I would recommend Sucuri, as that is who I am currently using. The quote that comes to mind on this: "No one ever wants to pay for security until after a breach." Please, don’t let that be you.

Stay Savage.

-Sam
