On Web Application Firewalls (WAFs) and Scanning

On Web Application Firewalls (WAFs) and Scanning

A web application firewall (WAF) can prevent some common types of attacks and is an important part of a well rounded security toolkit. But WAFs are not a be-all, end-all solution to application security. There are many ways to bypass the protection that a WAF provides.

We like to think of it as if a WAF is like a gate surrounding a house, with the house being a web application. At the entrance to the gate, there is a security guard that decides who is allowed to enter the gate and get through to the house, and who is turned away.

But if you think about a gate in the real world, in theory there are many ways an intruder can get around it. They could distract the security guard and hop over the gate, disguise themselves as someone the security guard trusts, or even find a way to tear down the gate.

In any scenario, once they’ve gotten past that first layer of security, they are then free to find a way to get into the house. And if there’s something like a broken window or unlocked door, it’s not all that difficult for the intruder to make their way inside.

The same is true for WAFs and web applications. Once an attacker has found a way to bypass a WAF, They would then be free to exploit any vulnerabilities they find, as the WAF wouldn't be able to protect against it.

Why it’s important to scan WAF protected applications

If your web application contains things like…

  • Vulnerable software versions
  • Vulnerable JavaScript libraries
  • Business logic vulnerabilities
  • Information disclosure vulnerabilities
  • Account enumeration vulnerabilities

…a WAF cannot prevent exploitation because they don't involve payloads that a WAF would detect as malicious.

For example, let’s say your developer accidentally uploads a zip file containing sensitive information to a readable directory. In theory, an attacker could find the directory, download it, and view the contents because a WAF would not detect this activity as malicious.

You should also consider that WAFs are commonly bypassed because of a malfunction or a vulnerability that it contains itself. If your site experiences a heavy traffic period, it may fail to block attacks. If your WAF goes down or has a configuration change, your site is fully opened up to malicious actors.

The bottom line is that WAFs are a great tool, but that doesn’t mean your website doesn’t need to be regularly scanned and tested. If your website contains an exploitable weakness, a WAF might buy you time until your development team is able to fix it, but does not completely eliminate the risk of attack.

To reduce the risk of a breach, it’s important to continuously scan your assets so that you can see them as an attacker would. To ensure your scanners aren’t blocked by your WAF, it’s important to ensure you add the scanner IP(s) to your WAF allowlist (you should also add any penetration testers to your allowlist).

With Halo Security, you can get a complete view of your attack surface and find weaknesses that your WAF is not protecting against. To see how it works, start a free trial.

Editor's note (Sep 2022): This article was originally posted on the TrustedSite blog in May 2022. It has been updated for the Halo Security blog.