Breaking the Barrier: Exploring modern WAFs - Ethan Havinga
In an era where web threats evolve as quickly as the technologies we deploy, the temptation to rely on Web Application Firewalls (WAFs) to mitigate holes in a web application's security is high. But how effective are these digital shields? Could they be more prone to error than we think? This talk will uncover the gaps within our WAF defenses, examining a variety of WAF bypass techniques, both complex and simple. By showcasing these potential weaknesses, we can get a better understanding of the state of modern WAFs, so that teams know what to expect when choosing to fall back on WAFs for "protection".

Introduction: The introduction will start with a brief overview of my background and experience in cybersecurity, setting the stage for the discussion to come with a high-level overview of Web Application Firewalls. During the WAF overview, the talk will focus on why WAFs do not remediate security vulnerabilities but only mitigate them. I will give some well-known examples and set out the expectation that WAFs are generally expected to cover the OWASP Top 10.

Understanding WAFs: In this section I will introduce the audience to the fundamental aspects of WAFs by exploring their architecture, the roles they play in protecting web applications, and simply what makes a WAF a WAF. We will discuss how WAFs are designed to filter and monitor HTTP traffic between a web application and the internet. By understanding the general purpose of WAFs and where we usually find them, we can see how they fit into a broader security environment. I will also go into the coverage gaps that exist when choosing a WAF that was not developed with an organisation's custom implementations (e.g. custom cryptography, custom querying syntax) in mind, and how this can defeat the purpose of having a WAF.

WAFs in Modern Times: It is essential to understand what makes a modern WAF, and the key features and improvements that set modern WAFs apart from older ones. I will run through what modern WAFs are expected to cover in contrast to what older and deprecated WAFs cover. We will look at the historical development of WAFs and the evolution they have gone through to get to where they are today. I will also briefly highlight the great value of having a WAF be open source and the developmental benefits that unlocks through community-driven development.

The Good: To start off, we will focus on what WAFs generally do well and what expectations we can have of them. We will see how WAFs react when given payloads for some common vulnerabilities listed in the OWASP Top 10, and give a high-level overview of how specific payloads are detected. The discussion will include which parts of the payload are detected, so that the audience will better understand why we obfuscate the parts of payloads that we do in order to get a working bypass.

The Oopsies: In contrast to the above section, we will focus on modifying the payloads attempted in the previous section, based on the aspects of a payload that were detected. Furthermore, we will look at exactly what changes were made to payloads and why those payloads might have worked. This leads to a better understanding of how bypasses are developed and gives a rough methodology that we can follow when approaching the creation of WAF bypasses.

Learning from Bypasses: This section will focus on how we can learn from the bypasses discussed in the previous section and expand on the rough methodology in order to transform it into a more concrete methodology that we can practically use. The methodology will focus on three aspects:
Identify -- the specific keywords blocked by a WAF
Obfuscate -- the keywords in various manners
Test -- the obfuscated payloads

In Denial: It is also necessary for us to talk about how WAFs are used to mitigate vulnerabilities and why this has the potential to create an illusion of security. This will also highlight the importance of root-cause remediation in place of WAFs, while still acknowledging the improvement to the overall security posture of a web application that a WAF can provide.

===========================================================
About the speaker: Ethan Havinga

My name is Ethan Havinga. I recently finished high school and was lucky enough to join an internship at MWR CyberSec, where I now work full-time as a Cybersecurity Consultant with a focus on the web application security space. I enjoy delving deep into obscure and often overlooked topics; I find that you often find the coolest things in the topics people tend to miss. In my free time I am somewhat of a reader, and enjoy the odd book on historical texts, specifically that of religious philosophy.

===========================================================
Thanks to our AV sponsor Tenable for making these recordings possible.
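The two threads the abstract ties together, the Identify / Obfuscate / Test loop and the point that a WAF mitigates rather than remediates, can be shown side by side in a few dozen lines. The following is an added example and not code from the talk or from any WAF product: a literal keyword rule of the kind the "Identify" step finds, the same rule applied after request normalisation (percent-decoding, comment stripping, case folding), and the parameterised query that removes the injection point entirely. The sample query-string values, the `UNION_RULE` regular expression and the in-memory `items` table are all constructed for the example.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample query-string values for the Identify / Obfuscate / Test
# loop; none are captured traffic. The three attack strings carry the same
# UNION SELECT payload in plain, mixed-case-plus-comment and percent-encoded
# form; the last two are benign values a rule must not block.
SAMPLES = {
    "plain": "1' UNION SELECT sku FROM items--",
    "mixed_case": "1' UnIoN/**/SeLeCt sku FROM items--",
    "url_encoded": "1%27%20union%20select%20sku%20from%20items--",
    "benign_id": "1",
    "benign_text": "select a book about unions",
}

# Hypothetical rule: word-bounded so "unions" in ordinary text does not trip it.
UNION_RULE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b")


def naive_rule(value: str) -> bool:
    """Literal, case-sensitive match on the raw value.

    This is the kind of rule the 'Identify' step exposes: a case change,
    an inline comment or percent-encoding is enough to make it miss.
    """
    return "UNION SELECT" in value


def normalize(value: str) -> str:
    """Canonicalise a value the way the backend will see it before matching.

    Percent-decoding is applied twice to catch double encoding (the depth
    should mirror what the application itself decodes), SQL block comments
    are removed, whitespace is collapsed and the result is lower-cased.
    """
    decoded = value
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower().strip()


def normalized_rule(value: str) -> bool:
    """Same rule as naive_rule in spirit, but matched after normalisation."""
    return UNION_RULE.search(normalize(value)) is not None


def evaluate_rules() -> dict:
    """Return {sample_name: (naive_hit, normalized_hit)} for every sample."""
    return {name: (naive_rule(v), normalized_rule(v)) for name, v in SAMPLES.items()}


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's data (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (sku TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("1", "widget"), ("2", "gadget"), ("3", "gizmo")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """String-built query: the hole the WAF is being asked to paper over."""
    rows = conn.execute(f"SELECT name FROM items WHERE sku = '{sku}'").fetchall()
    return [r[0] for r in rows]


def lookup_fixed(conn: sqlite3.Connection, sku: str) -> list:
    """Parameterised query: the root-cause remediation.

    The value is bound as data, so any payload is only ever compared
    against the sku column and never changes the statement.
    """
    rows = conn.execute("SELECT name FROM items WHERE sku = ?", (sku,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for name, (naive_hit, norm_hit) in evaluate_rules().items():
        print(f"{name:12} naive={naive_hit!s:5} normalized={norm_hit}")
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, SAMPLES["plain"]))
    print("fixed:     ", lookup_fixed(db, SAMPLES["plain"]))
```

Running it shows the literal rule catching only the plain payload while the normalised rule catches all three variants and leaves both benign values alone, and then shows the same payload pulling every row out of the string-built query but returning nothing from the parameterised one. The normalisation depth is the practical caveat: a WAF that decodes more or fewer layers than the application behind it will either miss traffic or block legitimate values, which is why the rule is a mitigation and the bound parameter is the fix.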
