2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article introduces the basic concepts of a WAF (web application firewall). A WAF exists to keep a web application running safely. We study WAFs for three reasons. First, to help security staff master WAF detection and bypass techniques in penetration testing. Second, to give security device vendors concrete findings so they can promptly fix weaknesses in their WAFs and improve their rule coverage and resistance to attack. Third, to make clear to website developers that deploying a WAF is not a reason to relax: the right response to a vulnerability is to find its root cause in the application and fix it in the code.
I. Definition of WAF
A WAF (Web Application Firewall) is a security product that protects web applications by applying a set of security policies to HTTP/HTTPS traffic. In plain terms, a WAF embeds a set of detection rules; it checks the content of every request against those rules and applies the configured defensive action to any request that violates them, so that the web application receives only traffic the rules consider legitimate. Unlike a network firewall, which filters on addresses and ports, a WAF inspects application-layer content: URLs, query strings, headers and bodies.
II. How a WAF works
The processing done by a WAF can be divided into four stages: pre-processing, rule matching, handling, and logging.
1. Pre-processing
In the pre-processing stage the WAF receives the incoming traffic, first determines whether it is an HTTP/HTTPS request, and then checks whether the requested URL is on its whitelist. A whitelisted URL is forwarded straight to the back-end web server for a response. Every other request is parsed (URL, parameters, headers and body are decoded and normalized) and passed on to the rule-matching stage. Decoding matters here: a rule matched against raw, still-encoded input can be bypassed with URL encoding or double encoding.
2. Rule matching
Each WAF product usually has its own rule engine. The parsed request is matched against the rule set to decide whether it conforms to policy and to identify deliberately malicious behaviour, such as SQL injection or cross-site scripting payloads in parameters.
3. Handling
Depending on the result of rule matching, the handling module takes a different action. A request that passes the rules is forwarded to the back-end web server; a request that violates them is blocked, recorded and alerted on, as configured.
Different WAF products serve different block pages. During a penetration test, the block page (together with the status code and response headers) can be used to identify which WAF product a site is using, so that bypass attempts can be tailored to that product.
4. Logging
Throughout processing, the WAF writes log entries for the requests it blocks, so that operators can review them afterwards for in-depth analysis. It is worth logging which rule fired and in which field it matched, not only the fact that a request was blocked; otherwise false positives are hard to diagnose.
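The four stages above, as an added example written for this article rather than code from any WAF product: a toy pipeline that whitelists paths, decodes the request into fields, matches a small constructed rule set, applies a block decision, and records a log entry. The whitelist prefixes, rule ids, block-page wording and sample requests are all constructed for illustration.

```python
"""A minimal WAF request pipeline showing the four stages: pre-processing,
rule matching, handling, logging. Added illustration, not code from the
article or from any WAF product; whitelist, rules and samples are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}
# Hypothetical whitelist: paths handed straight to the back end without inspection.
WHITELIST_PREFIXES = ("/static/", "/healthz")
# Hypothetical rule set: (rule id, description, pattern), matched against every decoded field.
RULES = [
    ("R001", "SQLi tautology", re.compile(r"(?i)\b(?:or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("R002", "SQLi UNION SELECT", re.compile(r"(?i)\bunion\b(?:\s+all)?\s+select\b")),
    ("R003", "XSS script tag", re.compile(r"(?i)<\s*script\b")),
    ("R004", "Path traversal", re.compile(r"(?:\.\./|\.\.\\){2,}")),
]
LOG = []  # stage 4 output; a real WAF would write to a file or a SIEM


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str = ""


def preprocess(req):
    """Stage 1: validate the HTTP method, apply the URL whitelist, then decode
    path, query, body and selected headers into named fields for inspection.
    Returns (fields, status) with status 'inspect', 'whitelisted' or 'invalid'."""
    if req.method.upper() not in ALLOWED_METHODS:
        return None, "invalid"
    parts = urlsplit(req.url)
    path = unquote_plus(parts.path)
    if path.startswith(WHITELIST_PREFIXES):
        return None, "whitelisted"
    fields = {"path": path}
    # parse_qsl decodes once; the extra unquote_plus normalizes double-encoded payloads
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        fields[f"query:{k}"] = unquote_plus(v)
    for k, v in parse_qsl(req.body, keep_blank_values=True):
        fields[f"body:{k}"] = unquote_plus(v)
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in req.headers:
            fields[f"header:{name}"] = req.headers[name]
    return fields, "inspect"


def match_rules(fields):
    """Stage 2: return (rule id, description, field name) for every rule hit."""
    return [(rid, desc, name) for rid, desc, rx in RULES
            for name, value in fields.items() if rx.search(value)]


def handle(req):
    """Stages 3 and 4: decide pass/block, append a log entry, return (decision, hits).
    A 'pass' is what would be forwarded to the back-end web server."""
    fields, status = preprocess(req)
    if status == "invalid":
        hits = [("R000", "malformed request", "method")]
    elif status == "whitelisted":
        hits = []
    else:
        hits = match_rules(fields)
    decision = "block" if hits else "pass"
    LOG.append({"method": req.method, "url": req.url, "decision": decision,
                "rules": [h[0] for h in hits], "fields": [h[2] for h in hits]})
    return decision, hits


def block_page(hits):
    """Response a blocked client sees. Its fixed wording (hypothetical product name)
    is exactly what lets a tester fingerprint the product."""
    return 403, f"Request blocked by ExampleWAF (rule {hits[0][0]}: {hits[0][1]})"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Request("GET", "/index.php?id=1", {}),
        Request("GET", "/index.php?id=1%20or%201%3D1", {}),
        Request("GET", "/search?q=%2527%2520union%2520select%25201", {}),  # double-encoded
        Request("POST", "/comment", {}, "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        Request("GET", "/download?file=../../../etc/passwd", {}),
        Request("GET", "/static/app.js?x=%3Cscript%3E", {}),  # whitelisted, never inspected
        Request("FOO", "/", {}),
    ]
    for r in samples:
        decision, hits = handle(r)
        print(r.method, r.url, "->", decision, block_page(hits)[1] if hits else "")
```

Note that the whitelisted `/static/` request carries a script tag and still passes: a whitelist is a deliberate blind spot, and overly broad whitelist prefixes are a common real-world bypass.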
III. Classification of WAFs
1. Software WAF
A software WAF is simple to install, often in one click, but it must be installed on each web server that needs protection and it runs as software on that host, sharing the server's resources. Representative products: SINESAFE, D Shield.
2. Hardware WAF
A hardware WAF is generally more expensive. It is deployed in front of the web servers in one of several topologies (inline, or as a reverse proxy), identifies abnormal traffic coming from outside and blocks it, providing protection for the web application. Representative products: Imperva, Tianqing WAG (Venustech).
3. Cloud WAF
A cloud WAF has low maintenance cost and needs no hardware to be deployed; its blocking rules are updated automatically by the provider. For a site behind a cloud WAF, the requests we send first pass through the cloud WAF node, where they are checked against its rules. Requests that match a blocking rule are blocked and answered by the WAF; normal, safe requests are forwarded to the real web server for a response. Representative products: Alibaba Cloud Shield (Yundun), Tencent Cloud WAF. A practical consequence for testers: a cloud WAF is a reverse proxy that the site's DNS points at, so if the origin server's real IP address is discovered and reachable directly, the WAF is bypassed entirely.
4. Custom WAF (protection written into the application)
In penetration testing we very often encounter protective logic written by the site's developers themselves. Developers add defensive code at the points they expect to be attacked: filtering or blacklisting of sensitive parameters, encoding, and escaping of dangerous characters. Such home-grown filters are only as strong as the developer's understanding of the attack, and a keyword blacklist in particular tends to miss payloads that do not contain the expected keywords. If you need a penetration test, you can turn to a professional website security company; domestic firms such as SINESAFE, Eagle Shield Security, Qiming Star (Venustech), Mountain and Stone Technology (Hillstone), and Green Alliance (NSFOCUS) are all well regarded.
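The custom-WAF pattern above, and the article's point that vulnerabilities should be fixed in code, as an added example that is not from the article: a developer-written keyword blacklist in front of a concatenated SQL query, beside the same lookup done with a type check and a bound parameter. The table, the blacklist and the payloads are constructed; the `lookup_filtered` function is deliberately vulnerable to show what the blacklist misses.

```python
"""Home-grown in-code protection versus fixing the root cause.
Added example, not from the article; table, blacklist and payloads are constructed."""
import re
import sqlite3


def setup_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


# Hypothetical developer-written "custom WAF": a keyword blacklist on the parameter.
BLACKLIST = re.compile(r"(?i)\b(?:union|select|or|and)\b|--|;")


def lookup_filtered(conn, user_id):
    """The 'before' (deliberately vulnerable): reject the obvious keywords, then
    still build the query by string formatting. The payload 'id' contains no
    blacklisted word, yet turns the condition into 'WHERE id = id', which is
    true for every row."""
    if BLACKLIST.search(user_id):
        return "blocked"
    rows = conn.execute(
        f"SELECT name FROM users WHERE id = {user_id} ORDER BY id").fetchall()
    return [r[0] for r in rows]


def lookup_parameterized(conn, user_id):
    """The 'after': validate the type and bind the value as a parameter, so no
    attacker-controlled text is ever parsed as SQL. No blacklist is needed."""
    try:
        uid = int(user_id)
    except ValueError:
        return "rejected"
    rows = conn.execute(
        "SELECT name FROM users WHERE id = ? ORDER BY id", (uid,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = setup_db()
    for payload in ("1", "1 OR 1=1", "id"):  # constructed payloads
        print(repr(payload),
              "filtered:", lookup_filtered(db, payload),
              "parameterized:", lookup_parameterized(db, payload))
```

The blacklist catches the textbook `1 OR 1=1`, which is why such filters feel effective in a quick test, but the query-level fix is the only one of the two that holds against input it was not written to anticipate.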
© 2024 shulou.com SLNews company. All rights reserved.