WAFCheck: a tool to assist in testing Web Application Firewalls (WAFs)

Abstract


Statistics indicate that up to 90% of applications made available on the Internet have some kind of software vulnerability. Recent studies also point out that application firewalls, better known as WAFs, can help mitigate the exploitation of more than 70% of web system vulnerabilities. However, determining the capability and quality of a WAF can be challenging. We propose the WAFCheck tool to assist in testing the latency, load and detection accuracy of WAFs. WAFCheck allows the inclusion and evaluation of different sets of payloads, i.e. the inputs used to exploit web system vulnerabilities. Using several hundred payloads covering the ten most recurrent vulnerabilities according to OWASP, we evaluated the performance of the free WAFs ModSecurity, Naxsi, ShadowD and xWAF, demonstrating the functioning and applicability of the WAFCheck tool.

Keywords: Security, Web Application Firewalls, Vulnerability
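As an added illustration of the kind of evaluation the abstract describes (a labelled payload set scored for detection accuracy and latency), the following Python harness is example code written for this page and is not part of WAFCheck; the WAF under test is replaced by a constructed stub, and all payloads are constructed samples.

```python
import statistics
import time
from typing import Callable, Dict, List, Tuple

# Constructed, labelled sample set: (payload, is_malicious). A real corpus
# would hold hundreds of entries per OWASP category, as the abstract describes.
SAMPLES: List[Tuple[str, bool]] = [
    ("' OR 1=1 --", True),                  # SQL injection
    ("<script>alert(1)</script>", True),    # reflected XSS
    ("../../etc/passwd", True),             # path traversal
    ("hello world", False),                 # benign text
    ("select a seat for the show", False),  # benign, contains 'select'
    ("O'Reilly", False),                    # benign, contains an apostrophe
]

# Constructed stub standing in for the WAF under test (hypothetical, not a
# real product). It blocks on a few naive substrings, which is deliberately
# weak so the metrics below exhibit both false negatives and false positives.
def stub_waf(payload: str) -> Tuple[bool, float]:
    start = time.perf_counter()
    lowered = payload.lower()
    blocked = any(sig in lowered for sig in ("select", "<script", "'"))
    return blocked, time.perf_counter() - start

def evaluate(send: Callable[[str], Tuple[bool, float]],
             samples: List[Tuple[str, bool]]) -> Dict[str, float]:
    """Send every labelled sample through `send` and score the WAF.
    `send` returns (blocked, latency_seconds); a real run would wrap an HTTP
    client and treat e.g. a 403 as blocked. Counts follow the usual confusion
    matrix: a blocked malicious payload is a true positive, a blocked benign
    request is a false positive.
    """
    tp = fp = tn = fn = 0
    latencies: List[float] = []
    for payload, malicious in samples:
        blocked, latency = send(payload)
        latencies.append(latency)
        if malicious and blocked: tp += 1
        elif malicious: fn += 1          # missed attack (evasion)
        elif blocked: fp += 1            # legitimate traffic blocked
        else: tn += 1
    total = len(samples)
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "accuracy": (tp + tn) / total,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "latency_p50_ms": statistics.median(latencies) * 1000,
        "latency_max_ms": max(latencies) * 1000,
    }
```

Running `evaluate(stub_waf, SAMPLES)` shows why accuracy alone is misleading: the stub reaches 50% accuracy while missing one of three attacks and blocking two of three benign requests.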

Published: 2021-10-04

MELCHIOR, Felipe Homrich; FIORENZA, Maurício; KREUTZ, Diego. WAFCheck: a tool to assist in testing Web Application Firewalls (WAFs). In: TOOLS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 21., 2021, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 18-25. DOI: https://doi.org/10.5753/sbseg_estendido.2021.17335.
