
I read this page: Category:OWASP Best Practices: Use of Web Application Firewalls, and I found that WAF cannot generally detect logical attacks.

We know each web application has a number of input parameters. I think these input parameters and their associated valid values can possibly be extracted by a code analysis tool.

Now, my question is: can we use code analysis tools and pass their results to the WAF to detect some logical attacks, such as the example described on this page: Logical and Technical Vulnerabilities?

Besides, I would like to know what are the advantages of using code analysis with WAF?

I googled and I couldn't find any WAF which uses code analysis for generating its rules or increasing its performance and decreasing false positives.

Eric G
Patris
  • In theory, yes, but it would depend on the WAF tool you are using. You could do an analysis of traffic sent or of A/B testing with fuzzing and find logical flow. If the application is unit tested they likely have cases to cover unexpected inputs. It may be possible to write an algorithm that could take these inputs and react based upon logical activity that should never occur. – Eric G Jan 18 '18 at 02:56
  • So you think using code analysis is useless for increasing WAF performance as well as decreasing false positives? @EricG – Patris Jan 20 '18 at 21:06

3 Answers


If you can actually determine the valid input values from static analysis, you can use that to guide proper input validation in your application. However, with that lack of input validation, most static analysis tools would not be able to determine the appropriate answers. Web Application Firewalls are used to defend against the unknown vulnerabilities and common patterns (e.g., XSS and SQLi mostly).

David
  • So you say that using code analysis is useless for detecting logical attacks like manipulating URLs, such as `CSRF`? What is your idea for decreasing false positives? Actually, I want to know: if using code analysis can decrease false positives, why don't popular WAFs use this method? – Patris Jan 20 '18 at 20:46


Modern web application firewalls have the capability to enforce the application logic by studying and training on the valid execution paths of the application and blocking any request which doesn't follow them. For example, suppose an application's logic has the following operations in the order below:

  1. Choose item
  2. Perform payment
  3. Receive item

WAFs can enforce that the above three steps are performed in the order given above. This means that if an attacker attempts to perform the following:

  1. Choose item
  2. Receive item

the WAF is going to detect that the valid path hasn't been followed and block the request. This requires that the WAF is trained on all the valid paths of the application before enforcing the blockage.

void_in
  • Can we detect this type of logical attack just using code analysis, without training and learning? If not, I think using code analysis is useless for increasing WAF performance. What about you? – Patris Jan 20 '18 at 21:02

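The path enforcement described in this answer, as an added example that is not from the answerer or any WAF product: allowed transitions are learned from valid sessions, then each session in a constructed access log is checked step by step and blocked at the first transition never seen in training. The URL paths and log format are assumptions.

```python
from collections import defaultdict

START = "<start>"  # synthetic state before a session's first request


class FlowEnforcer:
    """Learns previous-step -> next-step transitions from valid paths."""

    def __init__(self):
        self.allowed = defaultdict(set)

    def train(self, valid_paths):
        for path in valid_paths:
            prev = START
            for step in path:
                self.allowed[prev].add(step)
                prev = step

    def check(self, steps):
        """Return ("allow", None) or ("block", index of offending step)."""
        prev = START
        for i, step in enumerate(steps):
            if step not in self.allowed[prev]:
                return ("block", i)
            prev = step
        return ("allow", None)


# Constructed training data: the three-step flow from the answer.
VALID_PATHS = [["/choose", "/pay", "/receive"]]

# Constructed access log lines: "<session id> <method> <path>".
LOG_LINES = [
    "s1 GET /choose",
    "s1 POST /pay",
    "s1 GET /receive",
    "s2 GET /choose",
    "s2 GET /receive",  # skips payment: must be blocked
]


def check_sessions(log_lines=LOG_LINES, valid_paths=VALID_PATHS):
    """Group requests by session and return each session's verdict."""
    enforcer = FlowEnforcer()
    enforcer.train(valid_paths)
    sessions = defaultdict(list)
    for line in log_lines:
        session_id, _method, path = line.split()
        sessions[session_id].append(path)
    return {sid: enforcer.check(steps) for sid, steps in sessions.items()}


if __name__ == "__main__":
    print(check_sessions())
```

Because the check is per session, the enforcer only works if the WAF can reliably tie requests to one session; requests that arrive without that context fall back to the `<start>` state.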

No - behavior-based tools are not going to identify logic paths, as the only information they have is the input coming over the network. You can train them on the best known and what is considered bad input, but to identify a logic flaw it will need to understand the entire flow of your application and the subsequent systems / domains involved.

The other thing to consider is responsibilities: a WAF is not there to protect an application from logic attacks - it's there to handle Web Application attacks. Protecting your application from logical attacks is the application's responsibility.

McMatty
  • What about if the WAF uses the results of source code analysis? In this situation, is it able to detect some logical attacks like manipulating URLs, such as `CSRF`, or changing a user's password? – Patris Jan 20 '18 at 20:56
  • CSRF isn't a logical attack - finding a way around a process to avoid payment because of poor logic and validations is an example. Firewalls and static analysis are two very different things - even dynamic analysis is not suited for detecting logical attacks, as you would need to understand the rules of a business to determine them. WAF rules can be generated based off vulnerabilities found, but these do not include logic attacks, as these are application-specific and a generic scan does not understand the business purpose of the application. – McMatty Jan 22 '18 at 20:38