Some of the highest profile breaches over the past few years were due to vulnerabilities in web applications.
Web application firewalls (WAFs) and application vulnerability management (AVM) are the two central pillars of web application protection. Application vulnerability management, via static, dynamic and interactive application security testing, is used to detect and mitigate vulnerabilities in an application before it is deployed to production. Not every vulnerability in an application can be detected in the testing phase before deployment, so in production the onus for protecting web applications against attacks rests mostly on the WAF.
In light of these high-profile breaches, the question arises of where and why WAFs fail, and what an enterprise can do to improve its security posture against advanced attacks.
To understand some of the fundamental limitations of WAFs, let’s examine one such breach which happened at Equifax.
Equifax (Remote Code Execution Attack):
A critical Apache Struts vulnerability (CVE-2017-5638) was discovered and fixed two months before the Equifax attack. The assertion is that Equifax failed to update its software, and the attacker was able to exploit the vulnerability in the Struts 2 Object-Graph Navigation Language (OGNL) runtime to execute code remotely on Equifax servers and gain unauthorized access. At K2, we ran the exploit against a vulnerable Struts application to execute the “ls” command on the server.
Below is the content sent to the vulnerable server that processes OGNL expressions sent as multipart form data and executes the command contained in it (shown in red).
In order for a WAF to detect that incoming content will result in command execution, it must decode and parse the content and match it against a known pattern. This approach has two problems. A) The WAF must know the pattern ahead of time, and B) it must have sufficient compute resources to match the N known patterns against the M bytes of incoming data, a computational cost of roughly O(NM). In the case of the Struts 2 exploit, the pattern was not known and the WAF missed the attack. We therefore expect remote code execution attacks to remain one of the most dangerous categories of attack that WAFs are unable to defend against adequately.
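The decode-then-match step described above, as an added example that is not K2's code: a minimal signature check of the kind a WAF applies to a request, showing that a marker hidden behind percent-encoding is missed unless the content is decoded first, that every field is scanned against every signature (the N x M cost), and that coverage is bounded by the signature list. The signatures, headers and body are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed signatures for OGNL expression markers. Public rulesets for
# CVE-2017-5638 key on the same "%{" / "${" markers in the Content-Type header.
SIGNATURES = {
    "ognl-marker": re.compile(r"[%$]\{"),
    "ognl-context": re.compile(r"#_memberAccess|#context|@ognl\.", re.I),
}

def decode(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded markers become visible."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def inspect(headers: dict, body: str, decode_first: bool = True) -> list:
    """Return (field, signature) hits over headers and body.

    Every field is matched against every signature, so work grows with
    len(SIGNATURES) times the total bytes inspected: the O(NM) term.
    Anything not covered by SIGNATURES is invisible to this check.
    """
    fields = dict(headers)
    fields["body"] = body
    hits = []
    for name, raw in fields.items():
        text = decode(raw) if decode_first else raw
        for sig_name, rx in SIGNATURES.items():
            if rx.search(text):
                hits.append((name, sig_name))
    return hits

# Constructed sample requests (not real traffic).
BENIGN_HEADERS = {"Content-Type": "multipart/form-data; boundary=----abc123"}
BENIGN_BODY = ("------abc123\r\nContent-Disposition: form-data; name=\"file\"\r\n"
               "\r\nhello\r\n------abc123--\r\n")
# Plain OGNL marker in the header; harmless expression used as a stand-in.
SUSPECT_HEADERS = {"Content-Type": "multipart/form-data; %{#context['x']}"}
# Same marker, percent-encoded once: only visible after decoding.
ENCODED_HEADERS = {"Content-Type": "multipart/form-data; %25%7B%23context%5B'x'%5D%7D"}

if __name__ == "__main__":
    print(inspect(BENIGN_HEADERS, BENIGN_BODY))
    print(inspect(SUSPECT_HEADERS, BENIGN_BODY))
    print(inspect(ENCODED_HEADERS, BENIGN_BODY, decode_first=False))
    print(inspect(ENCODED_HEADERS, BENIGN_BODY))
```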
The increasing sophistication of attacks on web applications is outpacing the capabilities of WAFs. These attacks exploit nuances of modern web applications and cloud infrastructure that WAFs cannot easily understand or detect with a pattern-matching approach. A new approach is required to defend against these attacks: one that goes beyond pattern matching and is aware of application execution, so that it can distinguish the application's legitimate actions from attacks.
If you’re relying on a WAF to secure your web infrastructure, you should evaluate K2 Cyber Security’s next-generation workload protection platform, which offers application execution validation as part of our security offering. K2’s easy-to-deploy, non-invasive agent installs in minutes and uses a deterministic technique, Optimized Control Flow Integrity (OCFI), to automatically create a DNA map of each application at runtime. That map is used to determine that your application is executing correctly, offering extremely accurate attack detection that eliminates false alerts.
If you’re looking for an application security solution that meets today’s needs for security, with true zero-day attack detection and no false alerts, you can request a demo or follow up from our sales team.