Over 100 ways to get SQL injection past a WAF (1): learning about WAFs

This is for learning only. If you have better ideas, please share them; I want to learn together.

 

First, what a WAF is: a WAF (Web Application Firewall) filters abnormal or malicious request packets sent to the server, and in practice it also acts as a temporary patch.

 

1. Cloud WAF:

A cloud WAF usually comes bundled with a CDN. To configure it, DNS has to resolve to the CDN's IP. When a URI is requested, the packet first passes through the cloud WAF for inspection, and only if it passes is the traffic forwarded to the host. Common products: Alibaba Cloud protection, Tencent Cloud protection, Year-cloud and so on.

2. Host software:

Protection software is pre-installed on the host and monitors the web port for malicious traffic, so functionally it is more comprehensive. As an aside: open-source WAFs of this type, such as mod_security and ngx-lua-waf, look good, but they have one weakness, which is that upgrading them costs more. Typical products: Cloud Lock, Safe Dog.

3. Hardware WAF:

A hardware WAF can be understood as a traffic proxy. Deployment generally requires traffic to flow through it, and each packet goes through: unpack -> clean -> rule match -> release / discard. Current products go further and add deep learning, semantic analysis and similar techniques on top of the WAF, to reduce the bypasses that overly monotonous rules can cause. Typical products: the "iron box" hardware WAF appliances from the various vendors.

Why WAF can be bypassed

  • Business needs and security conflict to some degree.

  • A WAF cannot cover 100% of the characteristics of languages, middleware and databases.

  • The WAF itself has vulnerabilities.

 

1. Characteristics of the Web container

Special percent sign

In an IIS + ASP environment, when a parameter value in the URL request contains a % and the string it forms with the characters after it is not in the URL encoding table, the ASP script ignores that % when it processes the value.

The WAF, however, sees the URL as it was sent, for example: id=1 union all se%lect 1,2,3,4 fro%m adm%in. Because the keywords are split by %, the WAF cannot detect keywords such as select and from.

Because of this IIS behaviour, when the request is finally parsed on the server, the id parameter actually received becomes 1 union all select 1,2,3,4 from admin, and the WAF is bypassed.

Keep in mind that this IIS + ASP behaviour applies only to ASP.

2. Web application layer problems

Encoding bypass

A WAF generally decodes the encoded data in a packet once. If the WAF cannot decode the data well enough to restore the attack vector, a bypass may result. The common encodings are URL encoding, Unicode encoding (IIS) and wide-byte encoding. For example, with double URL encoding, the WAF decodes the URL once and may not recognize the result as malicious data, so it lets it through; when the data reaches the Web server, the Web server decodes it once more, and the result is that the WAF is bypassed.
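The "Special percent sign" and "Encoding bypass" cases above are both parsing mismatches between the WAF and the backend, so the defensive fix is to canonicalize a parameter the way the backend would before matching rules. The sketch below is an added example, not code from the original post or from any WAF product; the rule, the function names and the double-encoded sample are assumptions constructed for illustration, and %uXXXX Unicode escapes are not modelled.

```python
import re
from urllib.parse import unquote

# Hypothetical stand-in for a WAF signature (assumption, not a real rule set).
RULE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE | re.DOTALL)

# A '%' that is not followed by two hex digits is not a valid %XX escape.
STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

def drop_stray_percent(value):
    """Model the IIS + ASP behaviour described above: invalid '%' is discarded."""
    return STRAY_PERCENT.sub("", value)

def canonicalize(value, max_rounds=5):
    """Decode repeatedly until the value stops changing.

    Returns (canonical_value, rounds_that_changed_something).
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = drop_stray_percent(unquote(value))
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_param(value):
    """Compare a single-decode view with the canonical view of one parameter."""
    naive = unquote(value)  # one decode pass, as a simple WAF would do
    canonical, rounds = canonicalize(value)
    return {
        "naive_hit": bool(RULE.search(naive)),
        "canonical_hit": bool(RULE.search(canonical)),
        "multi_encoded": rounds > 1,  # needing >1 round is itself suspicious
        "canonical": canonical,
    }

# Sample from the page, plus a constructed double-encoded variant of it.
PAGE_SAMPLE = "1 union all se%lect 1,2,3,4 fro%m adm%in"
DOUBLE_ENCODED = "1 union all %2573elect 1,2,3,4 %2566rom admin"

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, DOUBLE_ENCODED, "blue%20shoes"):
        print(sample, "->", inspect_param(sample))
```

The canonical form is meant for inspection only: the request is forwarded unmodified, and a value that needed more than one decoding round can be logged or blocked on that signal alone.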

3. Problems in the WAF itself

Whitelist mechanism

A WAF has mechanisms under which it does not intercept or process request data that is on a whitelist:

1. Data from specified IPs or IP ranges.

2. Data from search engine crawlers.

3. Data with other characteristics.


Origin www.cnblogs.com/yuanzijian-ruiec/p/10983442.html