A Guide to the Web Application Firewall

Common Ninja,

Summary (TL;DR): In this article, we are going to discuss web application firewalls. We’ll explain what a WAF is, what sorts of attacks it can block, how it identifies bad requests, and how it can benefit your app.

Web security might be overlooked until the site is hacked, flooded with spam, or its servers are down due to a DDoS attack. This is why it’s crucial to take preventative actions to protect your websites, databases, and servers from intruders. 

The very first step to securing a web app is straightforward: simply don’t establish connections with suspicious or dangerous clients. Let’s see how firewall technology can help.

How the Web Works

To understand firewalls, let’s recall what the web is. The world wide web is basically a bunch of computers connected to each other via the internet. In this case, computers are everything: from cloud servers to mobile phones – every device that has access to the internet. 

When you visit a website, you are performing a request to a server that gives you a response (in the form of a web page in this case). In other words, you connect to another computer to perform some action.

Not all connections are harmless. There are plenty of hazardous activities, such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, SQL injection, etc.

What Is a Web Application Firewall?

A web application firewall (WAF) is a filter that decides whether the HTTP client that performs a request is good or bad. Bad requests are blocked to prevent any suspicious activity.

Image source: Cloudflare

Attacks That WAF Can Block

You may be surprised to learn there are many ways of hacking a website. Luckily, the majority of them are well-known, which means there are effective methods to prevent them. Let’s meet the most popular web attack strategies.

Cross-Site Request Forgery

A cross-site request forgery (CSRF) is a web attack that tricks users into executing actions they are unaware of, leading to compromised credentials, stolen funds, etc. The foundation of this method is to make an authorized user send a state-changing request that performs an action such as changing an email address, changing a password, sending a bank transfer, etc.

Another way CSRF attacks work is by mimicking the login form of a web app so that when a user visits it and enters their login and password, they are stolen.

In some cases, the original application may have vulnerabilities that make it possible for attackers to embed the CSRF payload in the website itself, using IMG or IFRAME tags whose links trigger the request.

The simplest way to avoid this attack would be for users never to follow such links, but that cannot be guaranteed due to the human factor. A more reliable technique is to add rules to a WAF that process state-changing requests differently. For example, the browser can be shown a confirmation window: “Are you sure you want to change your password?”

Cross-Site Scripting

This technique is used by attackers to steal users’ data. To do so, attackers insert JavaScript code somewhere on the page (e.g. in the comments section, if it doesn’t have validation that excludes the “script” tag), so anyone who visits the page executes the script. The JS code can pull the users’ cookies that are used for authorization and send them to the attackers, who then gain access to the victims’ accounts.

This attack is dangerous because it’s almost impossible for users to identify it. The good news is that the firewall can handle this threat very well and can find and exclude any JS scripts that interact with cookies in a way they shouldn’t.

SQL Injection

All web apps use databases of some kind, and SQL is the most popular language for databases. An SQL injection attack aims to access data in a database by sending input through a web interface or API that the server turns into an SQL query.

The WAF works as a filter between the app and the server and checks whether each request is legitimate or not.

How To Identify Bad Requests

It’s a simple question that may be hard to answer. Have you ever solved a Captcha? This happens when the firewall is not sure whether you are good or bad, and there is no distinct line separating one from the other.

Yet there is a set of footprints that signal the hazardous intentions of a request. Let’s meet some of them.

IP-Based

Some IPs perform shadier web activities than others. It can be a server with a spam bot installed on it or a proxy server that is used as an intermediary between the initial server and the destination.

There are many blocklists (e.g. Spamhaus) that store information on IPs that perform cyber attacks of all kinds. Knowing them, the firewall can identify the trustworthiness of a client immediately and refuse a connection to prevent the possibility of a web attack if needed.

Activity-Based

Not all bad IPs are known, so the IP-based method can still let some unwanted connections through. The firewall can store activity and analyze HTTP client behavior to identify such connections. If a client performs 100 requests in a second, tries to log in multiple times using different credentials, or requests unusual URLs – these patterns, along with others, can single out web attacks from among other sessions.
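As an added illustration (not code from the article or from any WAF product), the following Python script runs the activity-based checks described above over a few constructed log lines: it flags an address that repeatedly fails to log in with different usernames and an address that probes URLs the application does not serve. The log format and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic), one request per line:
# "<epoch-seconds> <client-ip> <method> <path> <status> [<login-username>]"
SAMPLE_LOG = """\
1700000000 198.51.100.9 GET /index.html 200
1700000000 203.0.113.7 POST /login 401 alice
1700000001 203.0.113.7 POST /login 401 bob
1700000001 203.0.113.7 POST /login 401 carol
1700000002 203.0.113.7 POST /login 401 dave
1700000002 198.51.100.9 POST /login 200 erin
1700000003 192.0.2.44 GET /index.html 200
1700000004 192.0.2.44 GET /backup/ 404
1700000004 192.0.2.44 GET /admin/config 404
1700000005 192.0.2.44 GET /old-site/db.sql 404
"""

# Routes the application actually serves; anything else counts as "unusual".
KNOWN_ROUTES = {"/index.html", "/about", "/login"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})(?: (\S+))?$")

def parse_log(text):
    """Yield (ts, ip, method, path, status, user) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, method, path, status, user = m.groups()
            yield int(ts), ip, method, path, int(status), user

def flag_suspicious_ips(log_text, max_failed_users=3, max_unusual=2):
    """Return {ip: [reasons]} for clients matching two activity-based signals:
    failed logins with many different usernames, and probing of unknown URLs."""
    failed_users = defaultdict(set)   # ip -> usernames that failed to log in
    unusual_hits = defaultdict(int)   # ip -> requests for routes we don't serve
    for ts, ip, method, path, status, user in parse_log(log_text):
        if path == "/login" and method == "POST" and status == 401 and user:
            failed_users[ip].add(user)
        if path not in KNOWN_ROUTES:
            unusual_hits[ip] += 1
    flags = defaultdict(list)
    for ip, users in failed_users.items():
        if len(users) >= max_failed_users:
            flags[ip].append(f"{len(users)} failed logins with different usernames")
    for ip, n in unusual_hits.items():
        if n >= max_unusual:
            flags[ip].append(f"{n} requests for URLs the app does not serve")
    return dict(flags)
```

Running `flag_suspicious_ips(SAMPLE_LOG)` reports 203.0.113.7 and 192.0.2.44 while the ordinary visitor 198.51.100.9 stays clean; a real WAF would feed the same signals into a block or challenge decision.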

Blacklist and Whitelist

Firewalls have a set of rules that reject connection (blacklist) or allow connection (whitelist). 

The first set of rules allows access to every user except blacklisted ones. Such a firewall can be used on a website to block only suspicious requests, while regular visitors can access the site with no problem. The most common case is blocking spam bots.

Whitelist works the opposite: it allows connection only for HTTP clients that meet some rules. For example, if you have a corporate database that isn’t meant to be accessed publicly, you can use a firewall that will let in only IPs from your corporate network. This ensures greater security because it adds an extra layer of protection – to hack, intruders not only need access to a database but also to a company’s VPN.
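The two policies above, as an added Python example (not the article's or any vendor's code): one filter runs in deny-list mode for a public website, the other in allow-list mode that admits only the corporate network to a database. The networks are constructed documentation ranges, not a real blocklist.

```python
import ipaddress

# Constructed example policies (documentation ranges, not a real blocklist).
# Deny-list mode: everyone is allowed except networks known to send spam/attacks.
SPAM_NETWORKS = ["203.0.113.0/24", "198.51.100.42/32"]
# Allow-list mode: only the corporate network may reach the database server.
CORPORATE_NETWORK = ["10.20.0.0/16", "2001:db8:1::/48"]

class IpListFilter:
    """Decide whether a client IP may connect, in either 'deny' or 'allow' mode."""

    def __init__(self, mode, cidrs):
        if mode not in ("deny", "allow"):
            raise ValueError("mode must be 'deny' or 'allow'")
        self.mode = mode
        # strict=False tolerates host bits in an entry such as 10.0.0.5/8
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def _listed(self, ip):
        """True/False if ip is inside a listed network; None if unparsable."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        # membership is version-aware: an IPv4 address never matches a v6 net
        return any(addr in net for net in self.networks)

    def allows(self, ip):
        listed = self._listed(ip)
        if listed is None:
            return False            # garbage in the IP field never gets through
        if self.mode == "deny":
            return not listed       # blocked only if on the list
        return listed               # allow-list: must be on the list

# Public website: block spam sources, let everyone else in.
website = IpListFilter("deny", SPAM_NETWORKS)
# Internal database: only corporate addresses (e.g. arriving via the company VPN).
database = IpListFilter("allow", CORPORATE_NETWORK)

if __name__ == "__main__":
    for ip in ["203.0.113.9", "8.8.8.8", "10.20.5.1"]:
        print(ip, "website:", website.allows(ip), "database:", database.allows(ip))
```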

What Firewall Can Do for Your Web App

So, we’ve seen the theory, now let’s explore the benefits you get from implementing a firewall on your web app.

No Spam

If you have a forum or other opportunities for users to post content on your site, you will see many attempts to post links to shady resources. It can be solved through moderation, however, this solution is hardly scalable for large traffic numbers. 

There are blacklists that contain well-known IPs that post a lot of spam content. Denying sessions from those IPs will exclude the majority of spam, and the rest can be handled by the app’s logic and/or moderation.

There is also external spam: shady sites linking to your website, which is no good by any means. To find those links, you can use SE Ranking’s backlink finder to get the referring IPs. Then look up that list in well-known spam IP databases; if there are any occurrences, you can reach out to the domain owner to remove the links, or add them to the disavow tool in Google Search Console so those links will not impact SEO.

No Scam

Stealing user data is one of the most common goals of cyber attacks. It can be done in numerous ways, one of which is injecting malicious scripts into your web app. Activity-based firewalls with built-in vulnerability libraries can detect those attacks and prevent them, ensuring your users are safe.

Better Account Security

Brute force is a method of finding the right credentials to gain access to a web app by trying different combinations over and over again. Attackers can gain access not only to a user’s account but also to the admin account.

Most login forms have attempt restrictions per IP but cannot protect against attackers with thousands of IPs and proxies – that’s when the firewall comes into play.

Protects Your Data

You probably have an important database, whether it holds user credentials or product-related tables. Neither should be accessible to anyone except trusted servers and users. The most effective measure besides using strong passwords is to create a whitelist of IPs – only those can connect to the server.

Keeps Your Servers Running

DDoS attacks are still a popular method of cyber attack that shut down servers. They perform a ton of requests to the server, creating an extensive load that leads to a server error. The most effective way to prevent this from happening is to limit requests per second/minute for a single IP and block addresses that exceed this limit.
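The per-IP limit described above, as an added Python example (illustrative code, not the article's or any CDN's implementation): a sliding-window counter that blocks an address for a cooldown period once it exceeds the request limit. The limit of 100 requests per second follows the article; the 60-second block duration and the simulated traffic are assumptions.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Per-IP sliding-window limiter: more than `limit` requests within `window`
    seconds gets the address blocked for `block_for` seconds."""

    def __init__(self, limit=100, window=1.0, block_for=60.0):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.blocked_until = {}          # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if the request from `ip` at time `now` may proceed."""
        if self.blocked_until.get(ip, 0.0) > now:
            return False                 # still serving an earlier block
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop timestamps outside the window
        if len(q) > self.limit:
            self.blocked_until[ip] = now + self.block_for
            q.clear()                    # start fresh when the block expires
            return False
        return True

def simulate_flood(limiter, ip, requests, spacing):
    """Send `requests` evenly spaced requests (constructed traffic) and return
    how many of them were served."""
    return sum(limiter.allow(ip, i * spacing) for i in range(requests))

if __name__ == "__main__":
    rl = RateLimiter(limit=100, window=1.0, block_for=60.0)
    # 1000 requests in one second from one address: only the first 100 get through
    print("flood served:", simulate_flood(rl, "203.0.113.5", 1000, 0.001))
    # a normal visitor at 5 requests/second is never limited
    print("normal served:", simulate_flood(RateLimiter(), "198.51.100.2", 50, 0.2))
```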

Conclusion

A Web Application Firewall is a must for modern web apps. It shields servers from extra load, decreases spam, and most importantly, greatly improves security. The right firewall solution depends on the app you have, but modern CDNs like Cloudflare, CloudFront, or Azure have built-in WAFs that are suitable for most applications.