How a Web Application Firewall can protect against bad coding
By: Hans-Petter Fjeld and Abel De Kat Angelino, Information Security Engineers at Basefarm
You might think, and you could even be right, that your own web application is perfectly written with zero bugs, so that no attacker can obtain information they should not be able to. But what about the software surrounding your web application? Unfortunately, this software is often something you have no control over: frameworks, web servers, operating systems, and sometimes even hardware.
The aim of a Web Application Firewall (WAF) is to keep your web application safe even if there are coding mistakes in it, or in any of the underlying systems or frameworks it runs on top of.
A WAF, given the correct setup of rules, can for example protect your web application against unknown threats, so-called zero-days. One example is the command injection exploit released for Apache Struts, which allowed an attacker to simply modify the Content-Type header in order to gain direct access to the server, from which they could steal data and move further into the network. By utilizing a WAF, customers were able to protect themselves against the attack even before a patch was available. This was possible because the intelligence built into the WAF could recognize that a command injection was being attempted and block it.
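The kind of Content-Type inspection described above, as an added illustration written for this article (not Basefarm's or any WAF vendor's rule set): a positive-model filter in Python that accepts only syntactically valid media types and rejects values carrying expression-language markers or header-splitting characters. The sample requests are constructed, and the `%{...}` value is a placeholder marker, not a working payload.

```python
import re
from typing import Dict, List, Tuple

# Positive model: an RFC 7231 media type is type/subtype plus optional
# ;name=value parameters. A value of any other shape is rejected outright.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf";\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:\s*{_PARAM})*\s*$")

# Negative model on top of it: template/expression-language markers
# (%{ ${ #{) and CR/LF/NUL have no legitimate place in a Content-Type
# value, even inside a quoted parameter where the grammar would allow them.
_SUSPICIOUS = re.compile(r"%\{|\$\{|#\{|[\x00\r\n]")


def inspect_content_type(value: str, max_len: int = 256) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single Content-Type header value."""
    if len(value) > max_len:
        return False, "header too long"
    if _SUSPICIOUS.search(value):
        return False, "expression-language marker or control character"
    if not _MEDIA_TYPE.match(value):
        return False, "not a valid media type"
    return True, "ok"


def filter_requests(requests: List[Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Apply the check to each request's Content-Type; missing header passes."""
    decisions = {}
    for req in requests:
        ctype = req.get("Content-Type")
        decisions[req["id"]] = (True, "no content-type") if ctype is None \
            else inspect_content_type(ctype)
    return decisions


# Constructed sample traffic: three benign requests and three that a WAF
# rule like the one above would block before the application sees them.
SAMPLE_REQUESTS = [
    {"id": "r1", "Content-Type": "application/json; charset=utf-8"},
    {"id": "r2", "Content-Type": 'multipart/form-data; boundary="----abc123"'},
    {"id": "r3"},
    {"id": "r4", "Content-Type": "%{#constructed_placeholder_expression}"},
    {"id": "r5", "Content-Type": 'text/plain; charset="${x}"'},
    {"id": "r6", "Content-Type": "text/html\r\nX-Injected: 1"},
]

if __name__ == "__main__":
    for rid, (ok, why) in filter_requests(SAMPLE_REQUESTS).items():
        print(rid, "ALLOW" if ok else "BLOCK", why)
```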
At another layer you have the web server your web application runs on top of. Vulnerabilities occur in it from time to time, and sometimes they will not get patched. One example is CVE-2017-7269, which had a known exploit available, but Microsoft said they wouldn’t patch it. In this case, a WAF would be able to assist you.
As you can see, it’s not only your own web application that is a target here, it’s your entire environment. So, even though there is never a silver bullet when it comes to IT security, you should always work to keep your code as well-written as possible to avoid potential breaches. Moreover, a WAF is one of the most important aspects of your ability to defend your web application against data breaches.