AWS/Cloud Services: White Paper on WAF Mitigation of OWASP's Top 10 Web Application Vulnerabilities

Start Here

Get in touch with a
TriCore Solutions specialist

Blog | Sep 8, 2017

AWS/Cloud Services: WAF Mitigation of Web Application Vulnerabilities

You may think you know about AWS/ Cloud Services but this post will test that theory. Read on for 7 things everyone should know about the tips from the AWS/Cloud Services White Paper (issued July 2017) on using the web application firewall (WAF) to mitigate security flaws.

What is AWS' WAF? WAF is a AWS web application firewall that users will find of practical value in protecting websites and applications from attacks at the HTTP protocol level. AWS developed the White Paper to explain how organizations can adapt the WAF in response to the Open Web Application Security Project's (OWASP) top ten web application vulnerabilities.

Firewall 2.png

How does WAF help protect against application vulnerabilities? WAF provides IT staff the ability to write server rules that match patterns they observe in the HTTP/S requests by unauthorized hackers. The rules block the matching HTTP/S requests from ever reaching the organization's server. Of course, IT can also block specific attacks against its server.

How does WAF work its magic? When hackers try to breach a network, they often take advantage of system vulnerabilities. Analysis often shows a pattern to such HTTP requests. WAF works with Amazon's global content delivery network (CDN) service called Amazon CloudFront and with Amazon's Elastic Load Balancing service. These two tools help IT analyze incoming HTTP requests, apply the rules IT develops in response to the pattern of requests, and then proactively intervene against the hacker requests that IT matches against its rules.

What are the Top 10 Vulnerabilities? In April 2017, OWASP issued a revised list for the Top 10 security issues. You will find the list similar to the 2013 list, except that 4, 7, and 10 are new:

  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Broken Access Control (Combines 2013 items "Insecure Direct Object References" and "Missing Function Level Access Controls")
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Insufficient Attack Protection
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Underprotected APIs (replaces 2013's "Unvalidated Redirects and Forwards")

A review of how each of the Top 10 vulnerabilities works with WAF is outside the scope of this post. We can, however, take a closer look at just a couple of these vulnerabilities to see how AWS WAF can help stymie an intrusion.

SQL Injection.pngInjection flaws. The most common injection flaws occur with SQL injections. When an organization does not sanitize its SQL data input properly and a hacker enters SQL statement values directly, the SQL database query tool will execute the malicious query as long as the SQL statement contains SQL syntax. The good news is that, in general, WAF incorporated the ability to match and mitigate SQL attacks. Complex variants, however, may require IT to fix at the application level rather than the HTTP level.

Broken Authentication and Session management. 
It's very hard to tell a legitimate HTTP request from a hacker's request when the cyber criminal steals authentication, sessions, or tokens. Once your system's security system notices a stolen token, however, IT can blacklist the stolen token as part of WAF's rules. The rule will block all further uses of the token until it expires or block it permanently. One way to accomplish security through WAF is to note where the token's owner usually accesses the system. Then, if someone uses the token at a different location, or from a different device, IT can blacklist the token.

Broken Access Control. This type of security flaw occurs when there are no restrictions (or the system does not enforce restrictions) on the things the network allows authorized users to do. The flaw allows hackers access to internal applications without properly vetting the user's access permissions. This can lead to data exposure, or file intrusion among other things.

Using WAF in this category of flaws is difficult but possible if the malicious HTTP request includes a signature that legitimate requests do not have. IT can then write a rule to expose that signature and match them when they occur. 

To learn more about the ways WAF can help mitigate malicious access to a network, read the full AWS White Paper.

The AWS/Cloud White Paper includes a template designed to help organizations get started writing their own "production-ready" and thorough rules.

Navigating the cloud world is tricky. Discover the key considerations to lead your company through digital transformation in our IT trends survey report.

Get the Report Today