
Published: Feb 7th, 2025 /Modified: Mar 25th, 2025

The Illusion of Security: Why Relying Solely on WAF is a Bad Practice

Senad Cavkusic

Our security research team has been looking into the security of WAF-protected applications and found a concerning pattern: while Web Application Firewalls (WAFs) are effective at blocking certain known threats, they are not a panacea. Many organizations rely on a WAF as their only shield and assume their applications are secure without any further testing. That assumption leaves critical runtime vulnerabilities undetected.

WAFs operate on predefined rules and signatures, which makes them effective against known attacks but inadequate against zero-day threats or attack vectors that do not fit the expected patterns. They also see individual HTTP requests, not the application's logic: a WAF cannot simulate a user's path through a multi-step workflow, nor detect flaws that only appear when that workflow is exercised.

To build a genuinely secure environment, organizations must complement a WAF with dynamic testing such as DAST. DAST goes beyond signature matching and probes the application as it runs, uncovering vulnerabilities a WAF would never see. The combination gives a more robust defence and reduces the risk of a breach.

A story from the team: 

Recently, Bright's security team uncovered significant vulnerabilities in a major corporation with over $150 billion in revenue. The company, which uses AngularJS behind an Akamai WAF, was susceptible to prototype pollution, HTML injection leading to open redirect, and cross-site scripting (XSS). These findings point to a critical flaw in the company's security strategy: an overreliance on the WAF, with too little emphasis on secure coding practices and technology updates and too little application-level security testing and scanning.

The lack of thorough application-level security testing and scanning is a significant issue. Many organisations rely heavily on perimeter defences like WAFs, which cannot see vulnerabilities inside the application itself. Application security testing tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are essential because they find and help remediate vulnerabilities in the source code and in the running application respectively.

Without these tools, companies may fail to detect critical vulnerabilities early in the development process, leaving them exposed to exploitation. The consequences range from data breaches to financial loss and reputational damage. Integrating security testing into the software development lifecycle (SDLC) also lets developers address issues promptly, when the cost and effort of remediation are lowest.

By not conducting sufficient application-level security testing, the organisation increases the likelihood that vulnerabilities will go undetected until they are exploited by attackers.
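To make the prototype-pollution finding concrete, here is an added example (not the corporation's code, nor code from the original post) of the pattern that typically causes it: a recursive merge of attacker-controlled JSON into an application object. The request body below is constructed for illustration. A WAF inspecting this request sees a small, syntactically ordinary JSON document; the damage happens inside the merge, where no perimeter filter can see it.

```javascript
// Added example, not from the original post. Shows prototype pollution via a
// recursive merge of attacker-controlled JSON, and a merge that refuses to
// walk into prototype-related keys. The request body is constructed.

// Vulnerable: treats every key in the source object as data, including
// "__proto__", so target["__proto__"] resolves to Object.prototype and the
// nested object is merged straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip keys that can reach a prototype, and only descend into
// properties the target itself owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop silently; throwing is also reasonable
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key)
        && target[key] !== null && typeof target[key] === 'object';
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body: a harmless-looking preference update that
// smuggles a "__proto__" key. JSON.parse creates it as an ordinary own
// property, which is exactly what the vulnerable merge walks into.
const ATTACKER_BODY = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs one merge implementation against the body and reports whether an
// unrelated, freshly created object inherited isAdmin afterwards.
function checkPollution(mergeFn) {
  const settings = mergeFn({}, JSON.parse(ATTACKER_BODY));
  const unrelated = {};              // e.g. a session object created elsewhere in the app
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;   // undo the damage so the demo is repeatable
  return { theme: settings.theme, polluted };
}

console.log('unsafeMerge:', checkPollution(unsafeMerge)); // polluted: true
console.log('safeMerge:  ', checkPollution(safeMerge));   // polluted: false
```

The same request passes any WAF rule that is not specifically looking for the `__proto__` key, and an attacker who finds such a rule can usually reach the prototype through `constructor.prototype` instead. The fix belongs in the merge, which is why this class of bug is found by testing the application rather than by filtering its traffic.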

The Role of WAF in Security

Web Application Firewalls filter and monitor HTTP traffic between a web application and the Internet. They protect against common attacks such as SQL injection, XSS and other OWASP Top 10 threats. While a WAF is an important layer of defence, it is not a silver bullet: it recognises known vulnerabilities and attack patterns, and it cannot reliably stop new, sophisticated or zero-day attacks that exploit vulnerabilities nobody has written a rule for yet.

The Limitations of WAF

1. False Sense of Security: Relying solely on a WAF creates a false sense of security. Organisations may neglect other essential security measures on the assumption that the WAF will catch every threat.

2. Bypass Techniques: Attackers continuously develop techniques to get past WAF protections, which makes additional layers of security critical. For example:

  • Encoding and Obfuscation: Attackers disguise malicious payloads with encoding. URL encoding (including double encoding, where the WAF decodes once and the application decodes again) and Base64 can turn a payload into a form that a filter's signatures do not match, while the attack still works whenever the application decodes the value before using it.
  • HTTP Parameter Pollution: By sending several parameters with the same name, attackers can make a WAF inspect one value while the application uses another. The technique exploits the fact that different components handle repeated parameters differently: one takes the first occurrence, another the last, another concatenates them.
  • Behavioral and Machine Learning Limitations: Even advanced WAFs that use machine learning (ML) can be bypassed. Attackers tune their payloads to mimic legitimate traffic, for instance by modifying the attack pattern slightly or interspersing benign data with malicious code. ML models also suffer from false positives and false negatives: they may block legitimate traffic or let malicious traffic through, especially when the payload is crafted to look like normal behaviour.
  • Unknown Vulnerabilities: WAFs rely on known signatures and patterns. Zero-day exploits target vulnerabilities for which no rule exists, so they can pass through a WAF untouched, and attackers constantly discover new vulnerabilities that WAFs have not yet been taught to recognise.

Real-life examples:

1. Cloudflare WAF Bypass Leading to Reflected XSS:

  • Blocked Payload: "><img src=x onerror=alert(1)>
  • Bypass Payload: "><img src=x onerrora=confirm() onerror=confirm(1)>
  • Explanation: The initial payload was blocked by Cloudflare. Adding an extra, seemingly harmless attribute (onerrora=confirm()) in front of the real handler was enough to stop the WAF rule from matching. The browser ignores the unknown onerrora attribute and fires onerror as usual, so the XSS executed.

2. Akamai WAF Bypass:

  • Bypass Payload: <A %252F=""Href= JavaScript_k='a',top >
  • Explanation: This payload combines double URL encoding with JavaScript obfuscation. %252F is a double-encoded slash: a filter that decodes once sees %2F, while the second decoding step yields the / that the browser finally parses. Together with the obfuscated JavaScript (k='a',top) this was enough to get the payload past Akamai's WAF and trigger an XSS alert when executed.

  The same construction written out in readable form:

  <a/href="javascript:k='a';top.location='about:blank';">Click here</a>

3. Performance Overhead: WAFs add latency and can affect application performance, which forces trade-offs between security and user experience.

4. Limited Scope: WAFs only see web traffic; they do not address the underlying vulnerabilities in the code or in the application logic.
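The encoding and parameter-pollution bullets above, and the double-encoded %252F in the Akamai payload, come down to one mismatch: the WAF decodes and inspects the request one way, the application another. The following added example (not code from the post, from Cloudflare or from Akamai; every payload in it is constructed) puts a toy signature filter in front of a toy application to show that mismatch, then a filter that closes both gaps. The application's "take the last occurrence and decode once more" behaviour is an assumption of the demo.

```javascript
// Added example, not code from the post, Cloudflare or Akamai. A toy
// signature WAF in front of a toy application shows why double URL-encoding
// and HTTP Parameter Pollution get through, and how a filter closes the gap.
// Every payload here is constructed for illustration.

const SIGNATURES = [/<script/i, /onerror\s*=/i, /javascript:/i];

// Naive filter: URLSearchParams decodes the query exactly once, and only the
// first value of each parameter is inspected (get() returns the first).
function naiveWafAllows(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  for (const key of new Set(params.keys())) {
    if (SIGNATURES.some((re) => re.test(params.get(key)))) return false;
  }
  return true;
}

// Toy application: uses the LAST occurrence of q (as PHP does, for example)
// and decodes it once more, a habit of code written for clients that send
// pre-encoded values. Both choices are assumptions of this demo.
function appValue(rawQuery) {
  const values = new URLSearchParams(rawQuery).getAll('q');
  const last = values.length ? values[values.length - 1] : '';
  try { return decodeURIComponent(last); } catch { return last; }
}

// True when the naive filter lets the request through and the value the
// application ends up using still contains a dangerous pattern.
function bypassesNaiveWaf(rawQuery) {
  return naiveWafAllows(rawQuery) && SIGNATURES.some((re) => re.test(appValue(rawQuery)));
}

// Decode until the value stops changing, with a bound so a malicious input
// cannot keep the filter busy. %252F -> %2F -> / takes two rounds.
function fullyDecode(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Hardened filter: every occurrence of every parameter, fully decoded.
function hardenedWafAllows(rawQuery) {
  for (const [, value] of new URLSearchParams(rawQuery)) {
    if (SIGNATURES.some((re) => re.test(fullyDecode(value)))) return false;
  }
  return true;
}

const PAYLOAD = '"><img src=x onerror=alert(1)>';
const SAMPLES = {
  plain: 'q=' + encodeURIComponent(PAYLOAD),
  doubleEncoded: 'q=' + encodeURIComponent(encodeURIComponent(PAYLOAD)),
  parameterPollution: 'q=hello&q=' + encodeURIComponent(PAYLOAD),
};

// Summarises each sample: does the naive filter allow it, does the payload
// still reach the application intact, and does the hardened filter allow it.
function report() {
  const rows = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    rows[name] = {
      naiveAllows: naiveWafAllows(raw),
      reachesApp: bypassesNaiveWaf(raw),
      hardenedAllows: hardenedWafAllows(raw),
    };
  }
  return rows;
}

console.table(report());
// plain:              naiveAllows false, reachesApp false, hardenedAllows false
// doubleEncoded:      naiveAllows true,  reachesApp true,  hardenedAllows false
// parameterPollution: naiveAllows true,  reachesApp true,  hardenedAllows false
```

The hardened filter only wins because it happens to model the application's parsing correctly; a real WAF sits in front of many applications with different parsers, which is exactly why it cannot be the last line of defence. Note also that the decode loop is bounded, otherwise a deeply nested encoding becomes a cheap denial-of-service against the filter itself.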

The Importance of Updating Technologies

In the case of the corporation mentioned earlier, its use of AngularJS, a framework that reached end of life at the end of 2021 and is no longer maintained, contributed to its vulnerabilities. Modern frameworks like Angular (the successor to AngularJS) have stronger built-in protections and receive regular updates that address emerging threats. Sticking with outdated technologies leaves applications exposed to known vulnerabilities that attackers can exploit easily, and no WAF rule patches the framework behind it.

The Necessity of Security Testing

Regular security testing, including static code analysis (SAST), dynamic analysis (DAST) and penetration testing, is essential to identify and remediate vulnerabilities, and it should be an integral part of the software development lifecycle (SDLC). Common automated tools tend to find the low-hanging fruit while missing business-logic vulnerabilities and multi-step attacks. As these tools evolve they are increasingly targeting more sophisticated attack vectors, including multi-step exploits, and advances in automation should let them cover a wider range of intricate attack scenarios over time.

Secure Coding Practices

Implementing secure coding practices is fundamental to building secure applications. Developers should be trained in secure coding principles and best practices, such as:

• Input validation and sanitization
• Context-aware output encoding (HTML, attribute, URL and JavaScript contexts), which is where XSS and HTML injection are actually prevented
• Proper error handling
• Least privilege principle
• Regular code reviews and audits
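Validation and output encoding are where the XSS and HTML-injection findings from the story get fixed, so here is an added example (mine, not code from the post or from the corporation described) of a link rendered by plain string concatenation next to a version that validates the URL with the WHATWG URL parser and encodes for the attribute context. The site origin, the scheme allow-list and the host allow-list are assumptions for the demo.

```javascript
// Added example, not from the original post. Same link rendered unsafely
// and safely. The origin and allow-lists below are assumptions for the demo.

// Encoder for HTML text and double-quoted attribute values: the five
// characters that can end an attribute or start a new tag or entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: untrusted input lands in the markup unchanged. A closing quote
// ends the attribute (HTML injection) and a javascript: URL runs on click.
function renderLinkUnsafe(url, label) {
  return '<a href="' + url + '">' + label + '</a>';
}

const BASE = 'https://app.example.invalid/';                 // assumed site origin
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const ALLOWED_HOSTS = new Set(['app.example.invalid', 'example.com']); // assumed redirect targets

// Let the real URL parser decide what the browser will see. It strips tabs,
// newlines and leading whitespace, so "java\tscript:" is still caught; a
// regex on the raw string would not be. Then refuse script-capable schemes
// and off-site hosts (the latter is the open-redirect check).
function safeHref(url) {
  let parsed;
  try { parsed = new URL(String(url), BASE); } catch { return '#'; }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return '#';   // javascript:, data:, vbscript: ...
  if (parsed.protocol !== 'mailto:' && !ALLOWED_HOSTS.has(parsed.hostname)) return '#';
  return String(url).trim();
}

// Safe: validated URL, and every untrusted value encoded for its context.
function renderLinkSafe(url, label) {
  return '<a href="' + escapeHtml(safeHref(url)) + '">' + escapeHtml(label) + '</a>';
}

// Constructed inputs: a script URL, a tab-obfuscated script URL, an off-site
// redirect, an attribute breakout and an ordinary link.
const INPUTS = [
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  '//evil.example/login',
  '"><script>alert(1)</script>',
  'https://example.com/?a=1&b=2',
];
for (const input of INPUTS) {
  console.log('unsafe:', renderLinkUnsafe(input, 'Click here'));
  console.log('safe:  ', renderLinkSafe(input, 'Click here'));
}
```

The order matters: validate the URL first, then encode the result for the attribute. Encoding alone would neutralise the quote breakout but happily emit `href="javascript:alert(1)"`, and validation alone would leave the quote breakout intact.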

Conclusion

Relying solely on a WAF for security is a perilous strategy. While WAFs are an important component of a comprehensive security strategy, they should not be the only line of defence. Organisations must prioritise updating their technologies, conducting regular security testing, and fostering a culture of secure coding. By doing so, they can build resilient applications that withstand the evolving threat landscape and protect their valuable assets and reputation.

For the corporation with over $150 billion in revenue, the vulnerabilities discovered underscore the need for a more holistic approach to security. Investing in modern technologies, continuous security testing, and secure development practices is not just advisable, it is essential for safeguarding the future.

By addressing these fundamental aspects of security, organisations can move beyond the illusion of security provided by WAFs and build robust defences against the ever-growing array of cyber threats.
