
What are the details and inherent risks associated with the WAF modules for phase 2 blocking?

Question

  • Details surrounding the WAF Phase 2 Blocking modules
  • Associated risks and perhaps examples for WAF Phase 2 Blocking modules

Environment

  • Silverline WAF
  • Policy/Policies
  • Module/Attack Signatures

Answer

Phase 2 Blocking consists of the following 7 modules, which are activated under WAF Setup: Blocking Phases:

  • Cookie not RFC-Compliant
Description: This violation occurs when an HTTP cookie contains at least one of the following:
- Quotation marks in the cookie name.
- A space in the cookie name or cookie value.
Note: A space between the cookie name and the equal sign (=), and between the equal sign (=) and the cookie value, is allowed.
- An equal sign (=) in the cookie name.
- An equal sign (=) before the cookie name.
- A carriage return (hexadecimal 0x0d) in the cookie name.
Risk: Cookies are commonly used to track client data and application logic. Some web applications crash when an improperly formatted cookie is sent to them.
Attack Type: HTTP Parser Attack
Example: Barring false positives, this violation should never occur on legitimate traffic; if it does, the request is an attack.
  • Disallowed File Upload Content Detected
Description: The system checks that uploaded file content is not in a binary executable file format.
Risk: An attempt to upload an executable file may indicate a Trojan, virus, backdoor/web shell attack, or other server compromise.
Attack Type: Parameter Tampering
Example: After successfully uploading malicious code to the web server, the attacker runs the program to gain remote access to the server or to spread malware to other users of the application.
  • Failed to Convert Character
Description: The system detects that a character in the request does not comply with the language encoding configured in the web application's security policy.
Risk: An attacker can craft a request payload in an unexpected encoding to hide buffer overflow attacks and other attacks such as XSS and SQL injection from detection.
Attack Type: Abuse of Functionality
Example: A malicious client may use special characters to execute remote commands that compromise the system.
  • Evasion Technique Detected
Description: This category contains a list of evasion techniques that attackers use to bypass detection.
Risk: RFC violation; encoding tricks that violate the RFCs are used to carry an attack past signature detection.
Attack Type: Detection Evasion
Example: Directory traversal sequences such as ../ are not a legitimate part of a URL, and requests generated by a browser should not contain them.
  • HTTP Protocol Compliance Failed
Description: This category contains a list of validation checks that the system performs on HTTP requests to ensure that they are formatted properly.
Risk: Various attacks can be launched over non-standard HTTP requests, for example response splitting, buffer overflows, and denial of service.
Attack Type: HTTP Parser Attack
Example: An attacker formulates an HTTP request that does not follow the RFC standards.
  • Request Length Exceeds Defined Buffer Size
Description: The system checks that the request length is not larger than the maximum memory buffer size of the ASM. Note that this is a BIG-IP unit parameter that protects the ASM from consuming too much memory across all security policies active on the device.
Risk: Depletion of BIG-IP resources, leaving the application unprotected.
Attack Type: Abuse of Functionality
Example: The default maximum size of the BIG-IP ASM buffer is 10 MB (10,000,000 bytes); a request larger than this is blocked. Malicious data can easily be delivered in larger requests.

  • Mandatory HTTP Header is Missing
Description: The system detects requests that do not include a header configured in the security policy as mandatory.
Risk: Malicious clients (scanners and scripted tools) commonly omit headers that real browsers always send.
Attack Type: Abuse of Functionality
Example: Real browsers always send the following headers:
- User-Agent
- Accept-Encoding
The module is used to block requests not generated by a browser, or to enforce a scenario where, for example, every request must arrive with a specific header (such as a security header inserted by an upstream proxy).
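The Cookie not RFC-Compliant module above lists five concrete conditions. The following is an added example, not code from the article or from F5, that applies those five conditions to a raw Cookie header so the rules (including the allowed spaces around the equal sign) can be seen on real input. It assumes RFC 6265 tokenization: pairs are separated by ";" and the name is everything before the first "="; with that split, an "=" inside the name is only observable as a leading "=", so the two equal-sign rules collapse into one check.

```python
"""Cookie not RFC-Compliant: apply the five conditions from the article to a Cookie header."""


def cookie_violations(cookie_header: str) -> list[tuple[str, str]]:
    """Return (rule, offending cookie pair) for every condition a pair violates.

    Pairs are separated by ';' as in RFC 6265.  Each pair is split at its first
    '=' (assumption: the name is everything before the first '='), after which
    the spaces the article allows on either side of '=' are trimmed before the
    space rule is applied.
    """
    found = []
    for raw in cookie_header.split(";"):
        pair = raw.strip()
        if not pair:
            continue
        if pair.startswith("="):
            # covers '=' before the name; with a first-'=' split this is also the
            # only observable form of '=' inside the name
            found.append(("equal sign before cookie name", pair))
            continue
        name, _, value = pair.partition("=")
        name = name.rstrip(" ")      # 'name =value' is allowed by the article
        value = value.lstrip(" ")    # 'name= value' is allowed by the article
        if '"' in name:
            found.append(("quotation mark in cookie name", pair))
        if " " in name or " " in value:
            found.append(("space in cookie name or value", pair))
        if "\r" in name:
            found.append(("carriage return (0x0d) in cookie name", pair))
    return found


# Constructed sample headers: the first is clean, the rest each trip one rule.
SAMPLES = {
    "clean":       "sessionid=abc123; theme = dark",
    "quote":       'ses"sion=abc123',
    "space_name":  "session id=abc123",
    "space_value": "sessionid=abc 123",
    "leading_eq":  "=abc123",
    "cr_name":     "session\rid=abc123",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:12} {cookie_violations(header)}")
```

The "clean" sample deliberately contains `theme = dark`, which the article says is permitted; a checker that tests for spaces before trimming around the equal sign would raise a false positive on it.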
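The Disallowed File Upload Content Detected module checks the uploaded bytes, not the filename. The following added example (not the article's or F5's code) walks a multipart/form-data body and flags any file part whose content starts with the magic bytes of a binary executable format, so that an executable renamed to photo.jpg is still caught. The magic-byte table and the sample upload body are constructed for the example; the article does not say which formats the WAF recognises.

```python
"""Disallowed File Upload Content Detected: flag multipart file parts whose bytes are a binary executable."""
import re

# Constructed list of magic bytes for common executable formats; the article does
# not enumerate which formats the WAF recognises.
EXECUTABLE_MAGIC = (
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary / Java class"),
)


def executable_format(content: bytes):
    """Name of the executable format the content starts with, or None."""
    for magic, name in EXECUTABLE_MAGIC:
        if content.startswith(magic):
            return name
    return None


def scan_upload(body: bytes, boundary: bytes) -> list[tuple[str, str]]:
    """Return (filename, format) for each file part in a multipart/form-data body
    whose content is an executable, regardless of the filename or extension."""
    findings = []
    for part in body.split(b"--" + boundary):
        if not part.startswith(b"\r\n"):
            continue  # preamble before the first boundary, or the closing '--'
        head, sep, content = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        match = re.search(rb'filename="([^"]*)"', head)
        if match is None:
            continue  # ordinary form field, not a file
        content = content.removesuffix(b"\r\n")  # CRLF that precedes the next boundary
        fmt = executable_format(content)
        if fmt is not None:
            findings.append((match.group(1).decode("utf-8", "replace"), fmt))
    return findings


BOUNDARY = b"----WebKitFormBoundaryAbc123"  # constructed


def build_body(parts):
    """Assemble a multipart/form-data body from (field, filename, content) tuples."""
    out = b""
    for field, filename, content in parts:
        out += b"--" + BOUNDARY + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + field + b'"'
        if filename is not None:
            out += b'; filename="' + filename + b'"'
        out += b"\r\n\r\n" + content + b"\r\n"
    return out + b"--" + BOUNDARY + b"--\r\n"


# Constructed sample upload: a text field, a PNG, a PE image renamed to .jpg, a text file.
SAMPLE_BODY = build_body([
    (b"description", None, b"holiday photos"),
    (b"file1", b"beach.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    (b"file2", b"photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16),
    (b"file3", b"notes.txt", b"just text\r\n"),
])

if __name__ == "__main__":
    print(scan_upload(SAMPLE_BODY, BOUNDARY))
```

Only the part named photo.jpg is reported: its extension says image, its first two bytes say PE executable, and the module described in the article is meant to decide on the latter.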
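The Failed to Convert Character and Evasion Technique Detected modules both act on the decoding stage that precedes signature matching. The following is an added example, not the article's or F5's code, of that stage: it percent-decodes a request path until the result stops changing, converts the bytes to the policy's configured encoding, and then looks for a ".." path segment. It assumes UTF-8 as the configured language encoding and a constructed set of sample paths; it shows why a signature matched against the raw bytes misses `%2e%2e/`, why a second decode round is itself an evasion signal, and how the overlong sequence `%c0%ae` fails strict conversion instead of silently becoming a dot.

```python
"""Failed to Convert Character and Evasion Technique Detected: decode a request
path the way a WAF must before matching signatures against it."""
from urllib.parse import unquote_to_bytes

FAILED_CONVERT = "Failed to Convert Character"
EVASION_MULTI = "Evasion technique detected: multiple decoding"
EVASION_TRAVERSAL = "Evasion technique detected: directory traversal"


def normalize_path(raw: bytes, encoding: str = "utf-8", max_rounds: int = 5) -> dict:
    """Percent-decode until stable, convert to the policy's encoding, then look
    for '..' path segments.  Returns the normalized path, the number of decode
    rounds that changed the input, and the violations raised."""
    violations = []
    current, rounds = raw, 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    if rounds > 1:
        # one round is ordinary URL encoding; a second means the '%' itself was encoded
        violations.append(EVASION_MULTI)
    try:
        text = current.decode(encoding)
    except UnicodeDecodeError:
        # e.g. the overlong UTF-8 sequence C0 AE for '.', which a lenient decoder maps to '.'
        violations.append(FAILED_CONVERT)
        text = current.decode(encoding, errors="replace")
    path = text.split("?", 1)[0].replace("\\", "/")  # path only; treat '\' as a separator too
    if any(segment == ".." for segment in path.split("/")):
        violations.append(EVASION_TRAVERSAL)
    return {"path": path, "rounds": rounds, "violations": violations}


# Constructed request paths: clean, plain traversal, single-encoded, double-encoded, overlong UTF-8.
SAMPLES = {
    "clean":    b"/images/logo.png",
    "plain":    b"/images/../../etc/passwd",
    "encoded":  b"/images/%2e%2e/%2e%2e/etc/passwd",
    "double":   b"/images/%252e%252e/etc/passwd",
    "overlong": b"/search?q=%c0%ae%c0%ae/",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        naive = b"../" in raw  # what a signature matched on the raw bytes would see
        print(f"{label:9} raw-match={str(naive):5} {normalize_path(raw)}")
```

The `max_rounds` cap matters in production: an input that keeps changing under decoding should be treated as hostile rather than decoded indefinitely.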
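The remaining three modules (HTTP Protocol Compliance Failed, Request Length Exceeds Defined Buffer Size, and Mandatory HTTP Header is Missing) all operate on the request envelope rather than its content. The following added example, which is not the article's or F5's code, is one request-level validator over raw HTTP/1.x bytes that applies the 10,000,000-byte buffer limit and the User-Agent/Accept-Encoding mandatory-header example from the article, plus a constructed subset of protocol-compliance sub-checks (request-line syntax, bare CR/LF inside a header, a missing Host header, and duplicate or non-numeric Content-Length). The three sample requests are constructed.

```python
"""HTTP Protocol Compliance Failed, Request Length Exceeds Defined Buffer Size and
Mandatory HTTP Header is Missing: a request-level validator over raw request bytes."""
import re

MAX_REQUEST_BYTES = 10_000_000                         # default ASM buffer size named in the article
MANDATORY_HEADERS = ("user-agent", "accept-encoding")  # the article's browser-header example
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 tchar, for header names


def check_request(raw: bytes) -> list[str]:
    """Return the violations a WAF would raise for one raw HTTP/1.x request."""
    violations = []
    if len(raw) > MAX_REQUEST_BYTES:
        return ["Request length exceeds defined buffer size"]  # nothing further is parsed
    text = raw.decode("iso-8859-1")  # byte-transparent, never fails
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return ["HTTP protocol compliance failed: unterminated header block"]
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        violations.append(f"HTTP protocol compliance failed: bad request line {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if "\r" in line or "\n" in line:
            # a bare CR or LF inside a header is the raw material of response splitting
            violations.append(f"HTTP protocol compliance failed: bare CR/LF in header {line!r}")
            continue
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            violations.append(f"HTTP protocol compliance failed: malformed header {line!r}")
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    if "host" not in headers:
        violations.append("HTTP protocol compliance failed: no Host header")
    lengths = headers.get("content-length", [])
    if len(lengths) > 1:
        violations.append("HTTP protocol compliance failed: several Content-Length headers")
    elif lengths and not lengths[0].isdigit():
        violations.append("HTTP protocol compliance failed: Content-Length is not a positive number")
    for name in MANDATORY_HEADERS:
        if name not in headers:
            violations.append(f"Mandatory HTTP header is missing: {name}")
    return violations


# Constructed requests: a browser request, a bare scanner probe, and a smuggling attempt.
BROWSER = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n")
SCANNER = b"GET /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SMUGGLE = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n"
           b"Accept-Encoding: gzip\r\nContent-Length: 5\r\nContent-Length: 44\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("browser", BROWSER), ("scanner", SCANNER), ("smuggle", SMUGGLE)):
        print(label, check_request(req))
```

The size check runs before any parsing for the same reason the article gives: the buffer limit protects the inspection engine itself, so an oversized request must be rejected before it is read into memory for the other checks.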

 
