How AppTrana WAF prevents Command Injection Bypass

Rated #1 on Gartner Peer Insights with a 100% customer recommendation, Indusface WAF (Web Application Firewall) provides comprehensive, always-on, tailored security to applications and APIs. Being a next-gen WAF with advanced features, it keeps the application always available to legitimate users, enabling organizations and their teams to focus on what matters the most – the core business.

While organizations rely on a WAF to protect their applications, the number of bypasses orchestrated by attackers is growing globally. With the disclosure of vulnerabilities in security products that allow web application firewalls to be bypassed through command injection, you may be wondering whether Indusface WAF is fully secure. Is it possible for attackers to reach mission-critical resources by bypassing this web application firewall using such injections? Read on to find out.

Command Injections: An Overview

Typically, an application executes a fixed set of predefined commands and returns their output to the user. In a command injection, the application instead runs arbitrary commands chosen by the attacker on the host operating system and returns their output to the attacker. The injected commands run with the same privileges as the vulnerable application, so a successful attack compromises the server and gives the attacker control over the target system to the extent of those privileges.

Command injection is also referred to as OS command injection, shell command injection, shell injection, and OS injection. Unlike code injection, the attacker does not need to inject code in the application's own language: the vulnerable application already passes user-controlled data to the system shell as part of its normal functionality, and the attacker only extends what that shell is asked to run.

The Causes

Command injection becomes possible when the application passes unsanitized and unvalidated user input (form fields, cookies, HTTP headers, and so on) into a command. Unpatched vulnerabilities in the application and/or in the firewall itself additionally allow attackers to bypass the WAF and reach the protected website.

How are Command Injections Used to Bypass Web App Firewalls?

WAF bypass is used by pen-testers and attackers alike to gain access to and control of target systems. Pen-testing helps organizations test the strength of their application firewall; an attacker who finds the same bypass has no such benign intent.

Through reconnaissance, attackers and pen-testers detect and fingerprint the WAF in front of the target website or web application. Using readily available tools and manual probes, they identify key information about the WAF: does it reveal itself? Does it use a blacklist, a whitelist, or a hybrid model? They also probe for vulnerabilities and flaws in the application or in the web application firewall itself.

Using this information, attackers manipulate the injected commands to get past the firewall. In one recently published bypass, references to unset shell variables such as ${something} and ${thisdoesnotexist}, which the shell expands to an empty string, were inserted into command names to split them so that the firewall's signatures no longer matched, while the shell still executed the original command. Another variation uses the rev command to reverse a string at run time, so the command name never appears in the request in readable form.
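The following is an added example, not Indusface or AppTrana code, showing why the obfuscations described above defeat a naive keyword signature and how a normalization pass that undoes what the shell would undo (unset-variable expansion, backslash escapes, $IFS, quote splitting, echo ... | rev) restores the original command before matching. The payloads, the vulnerable-parameter name "host", and the small regex-based signature are all constructed for this example and are not a production rule set.

```javascript
// Added example: not Indusface or AppTrana code. It contrasts a naive keyword
// signature with the same signature applied after undoing the shell-level
// obfuscations a WAF bypass relies on. Payloads are constructed for this example.

// Command names the "signature" looks for as whole words.
const SENSITIVE = /\b(cat|ls|id|whoami|uname|wget|curl)\b/;

// Naive rule: match the raw parameter value exactly as the client sent it.
function naiveMatch(payload) {
  return SENSITIVE.test(payload);
}

// Undo the obfuscations a POSIX shell silently removes before executing:
//   c${u}at          -> cat      (an unset variable expands to "")
//   c\at             -> cat      (a backslash before an ordinary character is dropped)
//   cat$IFS/etc      -> cat /etc (IFS is the field separator, whitespace by default)
//   wh"o"ami         -> whoami   (quotes only delimit; they are not part of the word)
//   echo 'tac' | rev -> cat      (rev prints its input reversed)
function normalize(payload) {
  let s = payload;
  // $IFS / ${IFS} stands in for a space.
  s = s.replace(/\$\{IFS\}|\$IFS/g, ' ');
  // Any other variable is assumed unset and expands to the empty string.
  s = s.replace(/\$\{[A-Za-z_][A-Za-z0-9_]*\}/g, '');
  s = s.replace(/\$[A-Za-z_][A-Za-z0-9_]*/g, '');
  // Backslash-escaped ordinary characters lose the backslash.
  s = s.replace(/\\([A-Za-z0-9\/ ])/g, '$1');
  // echo <string> | rev: precompute the reversed string the shell would produce.
  s = s.replace(/echo\s+(['"]?)([^'"|]*?)\1\s*\|\s*rev\b/g,
    (_m, _q, str) => [...str].reverse().join(''));
  // Remaining quotes split words for the signature but not for the shell.
  s = s.replace(/["']/g, '');
  return s;
}

// What each rule decides for a given value of the (assumed) vulnerable "host" parameter.
function classify(payload) {
  return { naive: naiveMatch(payload), normalized: naiveMatch(normalize(payload)) };
}

// Constructed samples: two benign host values and four obfuscated injections.
const SAMPLES = [
  '127.0.0.1',
  'catalog.example.com',
  '127.0.0.1; c${u}at /etc/passwd',
  '127.0.0.1; c\\at$IFS/etc/passwd',
  '127.0.0.1; wh"o"ami',
  "127.0.0.1; $(echo 'dwssap/cte/ tac' | rev)",
];

for (const p of SAMPLES) {
  const r = classify(p);
  console.log(`${p.padEnd(44)} naive=${r.naive} normalized=${r.normalized}`);
}
```

The naive rule misses all four injections while the normalized rule catches them, and neither rule flags the two benign values; the point is that a WAF signature has to model what the shell will actually execute, not what the request looks like on the wire.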

Indusface WAF

An Overview

Augmented with global threat intelligence, security analytics, and thorough documentation, this next-gen WAF takes a risk-based approach, continuously detecting risks through intelligent security scans and manual pen-testing. Vulnerabilities found through the vulnerability management (VM) process are virtually patched at the WAF immediately and stay patched until developers fix them in the application.

Through close traffic monitoring and analysis (behavior, patterns, and signatures), it decides whether to allow, block, challenge, or flag each request. It is effective against known and emerging threats in the fast-evolving threat landscape, including SQLi, XSS, and DDoS. Indusface WAF also offers an automated WAF bypass mode as a disaster recovery mechanism: customers can temporarily route traffic around the WAF to quickly isolate whether an issue lies with the WAF or with the application. This is widely used by customers during major deployments and debugging.

Being a managed web application firewall, it is custom-built with surgical accuracy by certified experts to accommodate the needs and the context of the application. WAF rules are regularly tuned to minimize the risks facing the application. The Indusface WAF offers 360-degree visibility, assures zero false positives, improves website performance, and ensures zero downtime.

Indusface WAF Mitigates Command Injection-led Bypasses

Pen-testers and white-hat hackers who found bypasses in the recent past believe that command injection-led WAF bypasses apply to other web application firewalls too, beyond the products that were actually tested or attacked.

Cognizant of this, Indusface WAF has taken measures to ensure such bypasses are prevented, not only by custom-building the WAF but also by allowing clients to customize rulesets to block bypasses that are not blocked by default. Other ways in which command injection-led bypasses are prevented include:

  • Input validation in the application, so that user-supplied data never reaches a command unchecked.
  • Creating a whitelist of possible and acceptable inputs and formats, rather than trying to blacklist dangerous characters.
  • Setting up a bypass fleet so that traffic cannot reach the origin server directly even when the WAF is bypassed.
  • Avoiding system calls that take user input, wherever possible.
  • Secure usage of execFile(): in Node.js, execFile() passes its arguments directly to the program rather than through a shell (unlike exec()), so shell metacharacters in user input are not interpreted.
  • Avoiding default configurations.
  • Constant security updates.

Conclusion

A WAF is no longer a silver bullet capable of eliminating the possibility of attacks altogether, especially given the fast-paced digital transformation, technological advances, rapidly evolving threat landscape, and ever-expanding attack surface. However, next-gen security products such as the Indusface WAF keep evolving and augmenting their capabilities to keep providing tailored and comprehensive solutions that harden the organization's security posture.

Originally published on Indusface.