A Web Application Firewall (WAF) is currently one of the most effective defenses against various attacks originating from the Internet. These hostile actions aim to cause service unavailability, data or identity theft, sometimes fraud, reputation damage to companies, ultimately exposing businesses to significant financial losses.

According to data from F-Secure, an average of 700 organized attacks per hour are carried out on Poland from multiple locations worldwide. Popular locations are presented in the diagram below (data from the F-Secure's Honeypot network).

Threats come from both Poland and around the world. Protection against them becomes necessary to maintain the continuity of services and applications provided to both customers and employees of an organization.

Most popular attacks

There are many types of attacks that unaware companies are often exposed to. The OWASP (Open Web Application Security Project), a leader in promoting knowledge of web application security, lists ten of the most popular attacks:

1. Injection attacks - can result in unauthorized access to sensitive data, enabling its theft, modification, or deletion.
2. Broken authentication - occurs when an attacker can leverage an existing session of an already logged-in user, thereby gaining full access to their information and permissions in the application they use.
3. Sensitive data exposure - exposes the user to data interception, such as credit card information, which can lead to theft for unlawful online purchases.
4. XML external entities (XXE) attacks - can result in retrieving a file with usernames and passwords from a Linux/Unix system, which can then be decrypted through brute force.
5. Broken access control - exposes the user to unauthorized access to service functionality through errors in permission verification. This often occurs in situations where detailed documentation is provided for systems with public APIs, enabling attackers to analyze application logic to detect vulnerabilities.
6. Security misconfiguration - exploits default security settings in applications, often described in product documentation. Failure to change default login and password is the simplest example, which can have serious consequences for an organization.
7. Cross-site scripting (XSS) - may result in executing malicious code in the user's browser, such as stealing session cookies. In this case, attackers can take over a user's account using the stolen cookie.
8. Insecure deserialization - depending on the data serialized and the logic of deserialization, attackers can inject commands that are then executed on a remote server. The danger lies in gaining unauthorized access to the server or stealing sensitive data.
9. Using components with known vulnerabilities - attackers exploit known vulnerabilities in applications, often using publicly available exploits. Essentially, anyone with Internet access and no experience in hacking can remove or even steal sensitive data or cause service unavailability.
10. Insufficient logging & monitoring - while not an attack itself, it highlights the need for a monitoring system for web servers to detect unauthorized access that may occur in the future. Attackers could go undetected for a long time, for example, by using server resources or sensitive data.

Gathering information

The list of attack types is much longer than that presented by the OWASP in the Top 10 report. Companies wishing to increase their organization's security should initially gather the following basic information:

• Sources and locations of the most common attacks - this list will allow the creation of appropriate rules blocking access to applications.
• Types/categories of attacks - this will enable them to precisely enable security signatures that will block specific attacks.
• Most frequently targeted applications - with this knowledge, priorities for implementing WAF-type solutions can be established.
• The maximum number of requests (e.g., per second) that a given application can handle reliably - with this data, it is possible to establish upper limits for session or user requests to the application.

A WAF-type solution can be used to gather this information, primarily increasing the organization's awareness of the scale of attacks and protecting data both from customers and employees.

Solution

One of the most advanced solutions we implement for our clients is Citrix Netscaler ADC (Application Delivery Controller) and ADM (Application Delivery Management), which feature WAF functionality and other protections against attacks such as DoS. The Citrix Netscaler ADC/WAF system analyzes, logs, and blocks attempts to attack web applications in real-time. Thanks to IP Reputation functionality, the system can effectively block potential dangerous IP addresses. More about this functionality was described in the article "Citrix Netscaler and IP Reputation - a way to block dangerous sources to WWW applications." Another method is to install thousands of signature-based signatures based on regular expressions, which effectively detect and block known attacks. Rate Limiting functionality can be used to establish session or request limits for applications.

Special graphical dashboards in the Citrix ADM system are used to analyze attacks. Each application has a Threat Index, which provides administrators with information about the frequency of attacks. There is also information about the types of attacks over time.

The Netscaler ADM system also features a map showing the location of IP addresses from which attacks were carried out. It is possible, for example, to create a more restrictive security profile for a selected country/location.

More information about functionalities and solutions can be found in the Citrix Web App Firewall document and in the manufacturer's documentation or by contacting the author directly.

Benefits

The greatest benefit of implementing a WAF solution will primarily be the elimination of potential known vulnerabilities to attacks, prevention of leaks of sensitive data from customers and employees, protecting the company's reputation, as well as automatically or manually blocking sources of such attacks, thereby preventing resource saturation of the service, which could result in its total unavailability and generate financial losses for the enterprise.

Sources:

• OWASP Top 10 report
• Data from the F-Secure's Honeypot network
• Citrix Documentation

Do you have any questions? Learn more! Contact us!