Site protection against hacker attacks - Nemesida Web Application Firewall
Almost every website on the Internet has been attacked by hackers at some point, and a large share of those attacks succeed: the attackers compromise the web application and gain access to the server or the database. In this article I will talk about a mechanism for protecting sites from such attacks - Nemesida WAF. The free availability of a large number of tools for attacking web applications, of manuals and video demonstrations of attacks, together with the apparent impunity of the attackers, paints the modern picture of the "wild Internet": many try their hand at "hacking" sites, using other people's resources as a training ground, a way to boost their self-esteem, or a source of income.
There are also quite a few people who have turned hacking sites into a fairly profitable, but illegal, business. These can be targeted attacks on a specific site, to extract information for sale or to order, or untargeted mass attacks, where sites are broken into on a large scale because they contain one or two known vulnerabilities (for example, shortly after the appearance of so-called 0-day exploits).
Information that a particular component is vulnerable usually reaches the site owner only after the site has been hacked. The attackers are one step ahead for a number of reasons:
they track bugtraq feeds for new vulnerabilities;
they visit resources devoted to web security;
they share or exchange private information about vulnerabilities;
they conduct their own research on application code to identify vulnerabilities.
Attackers also have a "window of opportunity" - the time from the publication of a vulnerability to its correction by the developers and the deployment of the patch on the web application. For example, a vulnerability in the Apache Struts2 component allowed attackers to compromise many sites. Even when a patch exists, it is not always possible to deploy it on production ("combat") servers immediately.
In all these cases, an additional layer of protection is needed to block attackers from exploiting vulnerabilities, including zero-day ones.
Vulnerabilities
If we take the world statistics of the most commonly used CMS, the ranking is as follows:
WordPress;
Joomla!;
Magento;
Drupal;
vBulletin;
ModX.
If we look at vulnerability statistics, we see that vulnerabilities in these CMS or their components are found every week; moreover, critical vulnerabilities in the CMS cores themselves are discovered roughly once every 2-3 months.
Examples of recent vulnerabilities:
01/30/17 Three vulnerabilities were patched in WordPress, including cross-site scripting and SQL injection. Release 4.7.2.
10/31/16 In Joomla, from version 3.4.4 through version 3.6.3, a critical vulnerability was discovered that allows bypassing the ban on user registration on the site and elevating the access group of registered users.
01/26/17 Magento fixed 20 vulnerabilities, including critical ones.
Even modern "secure" frameworks and the many recommendations for writing secure code cannot protect against programming errors.
Web Application Firewall
A Web Application Firewall is an application-level firewall designed to detect and block modern attacks on web applications, including attacks that exploit zero-day vulnerabilities. Such a protection mechanism makes it possible to block attacks from the OWASP Top 10 categories, as well as their combinations.
If for desktop and server systems the use of protective software (antivirus, firewall, etc.) is considered good practice, for web applications this picture is largely absent. Only recently has there been a tendency to introduce such protection, for example, as specified in version 3.2 of PCI DSS:
PCI DSS compliance: Web application firewalls (WAFs) are one option for those seeking compliance with requirement 6.6 of the PCI DSS.
How do Web Application Firewall tools detect and block attacks? First of all, it is the approach to designing the protection: from building a mathematical model of the threat to testing methods of bypassing the protection when a particular vulnerability is present.
Threat analysis is also important: combined attack detection methods based on signatures and machine learning (identifying the illegitimate actions of a user that distinguish an attacker from the legitimate visitors of the site).
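To make the two detection stages concrete, here is an added illustration written for this article; it is not Nemesida WAF's own code. A toy inspector first URL-decodes each request until the decoding is stable (so a double-encoded quote such as %2527 cannot slip past the patterns) and matches it against a small signature set, then applies a crude behavioural rule: a client whose requests have accumulated a threshold number of signature hits is blocked outright, even when a later request looks clean. The signature patterns, the ban threshold and the sample requests are all constructed assumptions for the example.

```python
"""Toy WAF request inspector: signatures plus a per-client behavioural score.
Added illustration, not Nemesida WAF code; patterns and traffic are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed signature set for the example (name, compiled pattern).
SIGNATURES = [
    ("sqli_union",   re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    ("sqli_comment", re.compile(r"(?i)'\s*(?:or|and)\b[^;]*?(?:--|#|/\*)")),
    ("xss_script",   re.compile(r"(?i)<\s*script\b")),
    ("xss_handler",  re.compile(r"(?i)\bon(?:error|load|mouseover)\s*=")),
    ("traversal",    re.compile(r"(?:\.\./){2,}")),
    ("cmd_inject",   re.compile(r"(?i)[;|`]\s*(?:cat|ls|id|wget|curl|nc)\b")),
]

# Assumed behavioural threshold: once a client has triggered this many
# signature hits, all of its further requests are blocked without inspection.
CLIENT_BAN_THRESHOLD = 3


def normalize(value):
    """URL-decode until stable (at most 3 rounds) and collapse whitespace, so
    double encoding like %2527 cannot hide a quote from the signatures."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def match_signatures(request):
    """Return the names of every signature that matches the path, query or body."""
    parts = [request.get("path", ""), request.get("query", ""), request.get("body", "")]
    text = " ".join(normalize(p) for p in parts)
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


class Inspector:
    """Stateful inspector: signature stage plus a cumulative per-client score."""

    def __init__(self, ban_threshold=CLIENT_BAN_THRESHOLD):
        self.ban_threshold = ban_threshold
        self.hits = defaultdict(int)  # client address -> cumulative signature hits

    def inspect(self, request):
        client = request["client"]
        # Behavioural stage: a client over the threshold is blocked regardless of payload.
        if self.hits[client] >= self.ban_threshold:
            return {"client": client, "decision": "block",
                    "reason": "banned_client", "signatures": []}
        matched = match_signatures(request)
        if matched:
            self.hits[client] += len(matched)
            return {"client": client, "decision": "block",
                    "reason": "signature", "signatures": matched}
        return {"client": client, "decision": "allow", "reason": "clean", "signatures": []}


# Constructed sample traffic for the example (not captured from any real site).
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "path": "/index.php", "query": "page=2", "body": ""},
    {"client": "10.0.0.9", "path": "/index.php",
     "query": "id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users--", "body": ""},
    {"client": "10.0.0.9", "path": "/search",
     "query": "q=%253Cscript%253Ealert(1)%253C/script%253E", "body": ""},  # double-encoded
    {"client": "10.0.0.9", "path": "/download", "query": "file=../../../../etc/passwd", "body": ""},
    {"client": "10.0.0.9", "path": "/index.php", "query": "page=1", "body": ""},  # clean, but client is banned
    {"client": "10.0.0.5", "path": "/contact", "query": "", "body": "name=Ann&msg=hello"},
]


def run(requests=SAMPLE_REQUESTS):
    """Inspect the requests in order with one shared Inspector and return the decisions."""
    inspector = Inspector()
    return [inspector.inspect(r) for r in requests]


if __name__ == "__main__":
    for r in run():
        print(r["client"], r["decision"], r["reason"], r["signatures"])
```

The fifth request is the point of the behavioural stage: on its own it is indistinguishable from legitimate traffic, yet it is blocked because the client has already behaved like an attacker. A production WAF normalises far more than URL encoding (character sets, chunked and compressed bodies, JSON and multipart parameters) and replaces the fixed hit threshold with a learned model of what legitimate visitors do, but the division of labour between the two stages is the same.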
Systematic update of the signature database
The signature base of such protective tools is aggregated from several sources. For example, the following sources are used for Nemesida WAF:
attacks on the protected web applications of clients, with total traffic of 300-800 Mbps;
attacks on the Pentestit infrastructure;
attacks on the specialized penetration testing laboratories "Test lab", with "clean" attack traffic of up to 30 Mbps;
our own research;
specialized resources and security mailing lists; research studies;
the base of attacks on web applications collected by the Pentestit security analysis department (in 8 out of 10 site security audits, vulnerabilities with "critical" status were detected);
as well as machine learning, which makes it possible to detect anomalies in the behaviour of site users.