- We would like to know more details surrounding the WAF Phase 1 Blocking modules.
- Can you let us know the associated risks and perhaps examples for each module as well?
- Silverline WAF
- Module/Attack Signatures
- Phase 1 Blocking consists of 4 modules that are activated(WAF Setup: Blocking Phases):
- Illegal HTTP Status in Response
Description The server response contains an HTTP status code that is not defined as valid in the security policy. Risk Attackers take advantage of web servers' error responses to gain information on the underlying infrastructure. Attack Types Information Leakage Examples Prevents information leakage and hides web server errors. The WAF policy can block responses by their HTTP status code. This can be used to stop the viewing of potentially sensitive error pages.
- Illegal Method
Description The system checks that the request references an HTTP request method that is found in the security policy. Enforces desired HTTP methods; GET and POST are always allowed. Risk Attacks and problem that can be avoided:
- Deleted files from the web server by using the DELETE method.
- The use of other methods in some cases can lead to information leakage, server compromising, and data manipulation.
Attack Types Information Leakage Examples - Using the OPTIONS method on web servers can expose all methods which the web server supports.
- Using the DELETE method can delete files on the web server. However, in some cases, the use of this method is important for the proper functionality of the web application.
- Illegal URL (if disallowed URLs configured)
Description The system checks that the requested URL is configured as a valid URL, or not configured as an invalid URL, within the security policy. Risk Prevents forceful browsing, predictable resource location, and attackers from requesting URLs which are either sensitive or should not be publicly exposed. Attack Types Forceful Browsing Examples Allowing valid URLs, or blocking invalid URLs. To prevent access to the /admin.asp web page, which is not part of the public web site but an administration interface and to prevent access to default installation pages that may contain sensitive information.
- Attack Signatures
Description The system examines the HTTP message for known attacks by matching it against known attack patterns. Risk The attack categories that can be detected are:
- Cross Site Scripting (XSS)
- Command Execution
- Server Side Code Injection
- LDAP Injection
- XPath Injection
- Path Traversal
- Directory Indexing
- Information Leakage
- Predictable Resource Location
- Buffer Overflow
- Denial of Service
- Authentication/Authorization Attacks
- Abuse of Functionality
- Vulnerability Scan
- Detection Evasion
- Other Application Activity
- Other Application Attacks
- Non-browser client
- Remote File Include
Examples If you see an attack pattern that matches multiple requests from multiple IP addresses, consider disabling it as it may be a false positive.
There are multiple overlapping signatures for the same attacks, so in case you need to disable a signature, you still get protection.
- Illegal HTTP Status in Response
- Q&A: What is "Tuning" a WAF Policy? What is SOC vs. my responsibilities in this process?
- WAF Onboarding Video 4: WAF Policy Tuning Overview
- Q&A: What are the possible actions for attack signatures in Silverline?
- Q&A: Does Silverline WAF automatically update attack signatures?
- Q&A: What are the best practices for WAF policy implementation?