Protecting Your Site Against Hacker Attacks - Nemesida WAF



    Modern realities show ever-increasing attacks on web applications - up to 80% of cases of compromised systems begin with a web application. The article will examine the most common vulnerabilities that are actively used by attackers, as well as effective methods to counter them using Nemesida WAF.

    With the increasing number of tools and attack techniques, it becomes more and more difficult to ensure the availability of the site, to protect the web application or its components from hacking and spoofing of content. Despite the efforts of technical experts and developers, the defending side traditionally takes a catch-up position, implementing protective measures after the web application has been compromised. Websites are attacked due to public accessibility, poorly written code, the presence of errors in the configuration of the server side, as well as the lack of control by the IS service, thereby providing attackers with access to critical data.

    In this regard, there is a need to use protective tools that take into account the architecture of the web application, and do not lead to delays in the site.

    Zero day vulnerabilities


    A zero-day or 0-day vulnerability is a previously unknown vulnerability exploited by cybercriminals. The origin of the term is due to the fact that the vulnerability or attack becomes publicly known until the software manufacturer releases bug fixes (that is, the vulnerability could potentially be exploited on working copies of the application without the ability to protect itself from it).

    The nature of zero-day vulnerabilities allows attackers to successfully attack web applications from a few minutes to several months. Such a large period is due to many factors:

    • vulnerability must be localized and eliminated;
    • Roll out a workable patch;
    • Notify users of a problem
    • application users can start the patch management process (which can be very difficult to do “here and now” on a large project).

    This is another important factor - for a new vulnerability, there may not be rules or exceptions in the defense system, and the signature of the attack may not be recognized by classical defense means. In this case, the use of a whitelist of behavioral analysis of a specific web application will help to minimize the risks of zero-day attacks.

    An example is the chronology of the Struts2 attack: CVE-2013-2251 Struts2 Prefixed Parameters OGNL Injection Vulnerability - a few days have passed since the appearance of the “combat” exploit before many companies were able to roll the patch.

    However, when using protective equipment, it was possible to identify a request of the form: to block an attack, because it is clearly not legitimate in the context of user actions.
    http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


    Classic Attacks


    Statistics show that many web applications are compromised in the same way as they were years ago - they are all sorts of injections, inclusions, client-side attacks, therefore a defensive means should be able to detect and block attacks aimed at exploiting the following vulnerabilities:

    • SQL Injection - sql injection;
    • Remote Code Execution (RCE) - remote code execution;
    • Cross Site Scripting (XSS) - cross-site scripting;
    • Cross Site Request Forgery (CSRF) - cross-site request forgery;
    • Remote File Inclusion (RFI) - remote inclusion;
    • Local File Inclusion (LFI) - Local Inclusion;
    • Auth Bypass - authorization bypass;
    • Insecure Direct Object Reference - unsafe direct references to objects;
    • Bruteforce - password selection.

    In an ideal web application, such vulnerabilities should be detected and fixed at the development stage: a static, dynamic, interactive analysis should be carried out, anomalies in the logic of the application should be detected. But, often, such moments for one reason or another are overlooked, there is no time or money left for them.

    Application-level protection


    Web applications differ from ordinary applications in two ways: huge diversity and significant interactivity. This creates a whole host of new threats that traditional firewalls cannot handle.

    The application layer protocol - the protocol of the upper (7th) layer of the OSI network model, provides the interaction of the network and the user. The level allows user applications to have access to network services, such as a database query handler, file access, and email forwarding. Protection at the application level is the most reliable. Vulnerabilities exploited by cybercriminals often rely on complex user input scenarios, which makes them difficult to detect using classic intrusion detection systems. Also, this level is the most accessible from the outside. There is a need to understand the groups of protocols and dependencies inherent in web applications that are built on the http / https application protocols.

    The main principle of site security at the application level is verification and filtering of request data transmitted by GET, POST, etc. Substitution or modification of the request is the basic basis of almost all methods of hacking and attacks on sites.

    Attack targets


    Web applications can be attacked regardless of their affiliation with a particular field of activity: sites of low traffic that do not operate with large volumes of information and do not store critical data can be attacked as a result of inappropriate attacks. Significant sites with high traffic indicators, huge amounts of user data, etc. are an attractive target for attackers and are attacked almost daily:

    • Every third site has been hacked or attacked by hackers;
    • 80% of sites are hacked during inappropriate attacks using popular scanners or utilities;
    • About 60% of hacked sites were infected and blocked by search engines.

    For sites that operate with billing data processing online transactions, there are specialized requirements for compliance with the PCI DSS standard. Payment Card Industry Data Security Standard (PCI DSS) is a payment card industry data security standard developed by the Payment Card Industry Security Standards Council (PCI SSC), established by the international payment systems Visa, MasterCard, American Express, JCB and Discover.

    Paragraph 6.6 states that in addition to conducting an audit of a web application, it is necessary to ensure the use of specialized protective equipment:
    To gain a better understanding of the Requirement 6.6, we should refer to PCI DSS 3.1 standard which says that public-facing web applications shall “address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.”
    What is important here is the “on an ongoing basis” condition, which makes it very clear that web security is a permanent process and highlights the importance of continuous web security.
    PCI DSS proposes two ways to achieve this requirement:
    “Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.”
    “Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.”

    Clause 6.6 is mandatory if the web application is included in the CDE (Cardholder Data Environment).

    Securing the site


    The best solution for securing the site is the use of Web Application Firewall - an application-level firewall that allows you to effectively protect sites from malicious attacks.

    Web Application Firewall is a special mechanism that imposes a specific set of rules on how the server and the client interact with each other, processing HTTP packets. It is based on the same principle as in ordinary user firewalls - control of all data that comes from outside. WAF relies on a set of rules by which the fact of an attack is detected by signature - signs of user activity that may indicate an attack.

    How it works


    The Web Application Firewall operates in a transparent proxy mechanism, analyzing data coming from the client on the fly and rejecting illegitimate requests:



    After installing the Web Application Firewall, you need to configure it for the target web application - depending on the type and type of CMS, filtering settings that take into account the web application are added and rules and protective equipment are transferred to the training mode to collect reference models of communication with the web application, identifiers, etc.

    After the machine learning stage, the combat mode is activated, which operates with both ready-made filtering rules and the best practices collected at the training stage to detect and block attacks.

    The effectiveness of the Web Application Firewall application consists of several factors:

    • Easy integration into infrastructure;
    • Flexible adaptation system with web application;
    • Block threats OWASP Top 10;
    • Analysis and blocking protocol anomalies or data;
    • Detection and blocking of falsification of session identifiers;
    • Detection and blocking of password guessing;
    • Inspection of server responses for critical data;
    • Dynamic update of attack signatures;
    • Low number of false positives;
    • Self Defense WAF;
    • Convenient service of informing about attacks;
    • Statistics and regulatory reporting.


    One of the sources for identifying new scenarios and implementing attacks on web applications is the Penetration Testing Labs, which imitate the real infrastructure of modern companies. The laboratories are attended by about 9,000 information security experts from around the world, with different levels of training, skills and tools. Analysis of attacks aimed at laboratory objects allows us to compose models of the intruder and the implementation of attack vectors.

    This data is carefully analyzed and based on them new filtering rules are added. Thus, our solution is able to provide full protection of the site from various types and types of attacks.


    Nemesida WAF is a Web Application Firewall that allows you to effectively protect sites from hacker attacks even if the site has a zero-day vulnerability.

    Also popular now: