Basefarm Blog

How a Web Application Firewall can protect against bad coding

By: Hans-Petter Fjeld and Abel De Kat Angelino, Information Security Engineers at Basefarm

You might think, and you could even be right, that your own web application is perfectly written with zero bugs, so that no attacker can obtain information they should not be able to see. But what about the software surrounding your web application? Unfortunately, this is often software you don't control: frameworks, web servers, operating systems, and sometimes even hardware.

The aim of a Web Application Firewall (WAF) is to keep your web application safe even if there are coding mistakes in it, or in any of the underlying systems or frameworks it runs on top of.

A WAF, given the correct set of rules, can for example protect your web application against unknown threats, so-called zero-days. One example is the command injection exploit released for Apache Struts, which allowed an attacker to simply modify the Content-Type header in order to gain direct access to the server, from which they could steal data and move further into the network. By using a WAF, customers were able to protect themselves against the attack even before a patch was available. This was possible because the intelligence built into the WAF could recognise that a command injection was being attempted, and block it.
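To make the "recognise and block" step concrete, here is an added example of the kind of header inspection a WAF performs; it is not Basefarm's code or any vendor's rule set. It checks the Content-Type header of each request against two complementary rule types: a negative-security rule that fires on expression-language markers that never belong in a media type, and a positive-security rule that rejects anything which is not a syntactically valid media type at all. The request samples, the rule identifiers and the marker string are all constructed for the example, not captured traffic or a real payload.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# HTTP token characters (RFC 7230 "tchar") and the strict shape of a media type:
# type "/" subtype, optionally followed by ";" name=value parameters.
_TCHAR = r"[A-Za-z0-9!#$%&'*+.^_`|~-]"
_MEDIA_TYPE = re.compile(
    rf"^{_TCHAR}+/{_TCHAR}+(\s*;\s*{_TCHAR}+=(?:{_TCHAR}+|\"[^\"]*\"))*\s*$"
)


@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed identifier, not a real WAF rule number
    header: str           # header name, compared case-insensitively
    pattern: re.Pattern
    message: str
    invert: bool = False  # True: block when the pattern does NOT match (allowlist)


RULES = [
    # Negative security (signature): an expression marker inside a media type is
    # the "this is an injection attempt" intelligence the text refers to.
    Rule("ct-001", "content-type", re.compile(r"[%$#]\{"),
         "expression-language marker in Content-Type"),
    # Positive security (allowlist): reject anything that is not a well-formed
    # media type, whatever the unknown future payload looks like.
    Rule("ct-002", "content-type", _MEDIA_TYPE,
         "Content-Type is not a well-formed media type", invert=True),
    # Length cap: a legitimate media type never needs hundreds of bytes.
    Rule("ct-003", "content-type", re.compile(r"^.{512,}", re.S),
         "oversized Content-Type"),
]


def inspect_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ("block" | "allow", [ids of rules that fired]) for one request."""
    lowered = {name.lower(): value for name, value in headers.items()}
    fired: List[str] = []
    for rule in RULES:
        value = lowered.get(rule.header)
        if value is None:          # header absent: nothing for this rule to judge
            continue
        matched = rule.pattern.search(value) is not None
        # A signature rule fires when it matches; an allowlist rule fires when it
        # does not match.
        if matched != rule.invert:
            fired.append(rule.rule_id)
    return ("block" if fired else "allow"), fired


# Constructed sample requests (headers only); none is real traffic.
SAMPLE_REQUESTS = {
    "form-upload": {"Content-Type": "multipart/form-data; boundary=----constructedBoundary42",
                    "Host": "app.example"},
    "json-api":    {"Content-Type": "application/json; charset=utf-8"},
    "no-body":     {"Host": "app.example"},
    # Constructed marker string, not an exploit payload.
    "expr-marker": {"Content-Type": "%{constructed_expression_marker}"},
    # No marker, but still not a media type: only the allowlist rule catches it.
    "garbage-ct":  {"Content-Type": "text/plain; charset=utf-8; {{not a media type}}"},
    "oversized":   {"Content-Type": "text/plain; x=" + "A" * 600},
}


def evaluate_all(requests: Dict[str, Dict[str, str]] = SAMPLE_REQUESTS):
    """Run every sample through the rule set; returns name -> (verdict, rule ids)."""
    return {name: inspect_headers(hdrs) for name, hdrs in requests.items()}


if __name__ == "__main__":
    for name, (verdict, rules) in evaluate_all().items():
        print(f"{name:12s} {verdict:5s} {rules}")
```

The point of running both rule types is visible in the "garbage-ct" sample: it carries no known injection marker, so the signature rule stays quiet, but the allowlist rule still blocks it because the value is not a media type. That is what lets a WAF hold the line before a patch exists, at the cost of blocking any client that sends a malformed but harmless header, which is why such rules are usually run in detection-only mode first.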

At another layer you have the web server your web application runs on top of. Vulnerabilities are found in it from time to time, and sometimes they will not get patched. One example is CVE-2017-7269, which had a known exploit available but which Microsoft said they would not patch. In such a case, a WAF can assist you.

As you can see, it is not only your own web application that is a target; it is your entire environment. So, even though there is never a silver bullet in IT security, you should always work to keep your code as well written as possible to avoid potential breaches. Moreover, a WAF is one of the most important aspects of your ability to defend your web application against data breaches.

-Let’s Be Careful Out There (Hill Street Blues)

If you are interested, read more here:

http://bfblogg.wpengine.com/blog/are-you-prepared-for-ddos-attacks/

Or contact us and we will get back to you!
