11

I understand a Web Application Layer Firewall (WAF) uses an SSL cert to decrypt and inspect the traffic before passing it to the backend server. If an attacker could gain admin access to both the WAF application and the host server, is there any way they could view sensitive information such as login credentials, which would be present in the body of an HTTP request?

Anders
  • 64,406
  • 24
  • 178
  • 215
sxmad
  • 115
  • 5
  • 4
    If an attacker compromises the host, the WAF doesn't matter and needn't even exist; the host always has the plaintext. In practice web-host compromises seem to occur many thousands of times more than WAF compromises. – dave_thompson_085 Nov 02 '21 at 03:11

1 Answer

14

Yes, the configuration is as follows:

[client web browser] <--TLS--> [WAF] <--TLS--> [origin web server]

So, the WAF essentially has a 'man in the middle' (MITM) position between the client web browser and the origin web server. Therefore, the scenario that you describe is entirely possible.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • Thank you. Are there any requirements for this to be possible? Someone suggested that a private key is required to decrypt. I'm worried that WAF might temporarily store the decrypted traffic in clear text for inspection during which an attacker could access them. – sxmad Nov 01 '21 at 19:56
  • 9
    The WAF must have the private key that corresponds with the public key in the certificate that it presents to the user's browser. Otherwise, the WAF would not be able to inspect the plaintext requests from the browser in order to do its job. Hopefully, this private key is well protected (e.g. stored in an HSM). But, notwithstanding, the WAF sees the plaintext, so if the WAF is compromised by an attacker, this attacker could see the plaintext as well. – mti2935 Nov 01 '21 at 19:59
  • 4
    @sxmad WAF systems generally have extensive logging facilities. Logs (in some cases including all of the information exchanged, sensitive parts logged indiscriminately) are generally guarded less than the private key. You just need to compromise the log storage. – fraxinus Nov 02 '21 at 09:26
  • Thanks @mti2935 and fraxinus. This is helpful. – sxmad Nov 05 '21 at 19:54
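One mitigation for the log exposure fraxinus raises above is to redact credential-bearing fields before the WAF writes a request record. This is an added example, not code from the answer or from any WAF product; the deny-list of field names and the sample login request are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Constructed deny-list for this example: field and header names whose values
# must never be written to the WAF's log store. Extend it for the protected app.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "secret", "token",
                    "authorization", "cookie", "set-cookie"}
REDACTED = "__REDACTED__"  # underscores pass through form encoding unchanged


def _mask(name: str, value, fn=lambda v: v):
    """Replace the value if its field name is sensitive, else transform it via fn."""
    return REDACTED if name.lower() in SENSITIVE_FIELDS else fn(value)


def redact_headers(headers: dict) -> dict:
    """Mask credential-bearing headers (Authorization, Cookie, ...)."""
    return {k: _mask(k, v) for k, v in headers.items()}


def _redact_json(obj):
    """Walk a parsed JSON document, masking sensitive keys at any depth."""
    if isinstance(obj, dict):
        return {k: _mask(k, v, _redact_json) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return obj


def redact_body(content_type: str, body: str) -> str:
    """Mask sensitive fields in form-encoded or JSON bodies; any other body type
    is not logged at all, only its size, because its fields cannot be inspected."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, _mask(k, v)) for k, v in pairs])
    if ct == "application/json":
        try:
            return json.dumps(_redact_json(json.loads(body)), separators=(",", ":"))
        except ValueError:
            return f"<unparseable JSON body, {len(body)} bytes omitted>"
    return f"<{ct or 'unknown'} body, {len(body)} bytes omitted>"


def waf_log_entry(method: str, path: str, headers: dict, body: str) -> dict:
    """Build the record the WAF writes for an inspected request, after redaction."""
    ct = headers.get("Content-Type", "")  # header names assumed canonical-cased
    return {"method": method, "path": path,
            "headers": redact_headers(headers), "body": redact_body(ct, body)}

# Constructed sample login request, as the WAF sees it after TLS termination.
SAMPLE_ENTRY = waf_log_entry("POST", "/login",
                             {"Content-Type": "application/x-www-form-urlencoded",
                              "Cookie": "session=abc123"},
                             "username=alice&password=hunter2")
```

Redaction limits what a compromised log store yields, but it does not change the answer's core point: the WAF process itself still handles the plaintext.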