WebApplicationFirewall

Purpose

The purpose of the WebApplicationFirewall (WAF) is to mitigate vulnerabilities without the need to alter the source code of the WebApplication. A WAF consists of both the hardware and the software that provide this functionality. In summary, the WAF exists to prevent attacks on the WebApplication.

| Object | Connection | Description |
|---|---|---|
| WebApplication | Firewall Execution | The WebApplication protected by the WebApplicationFirewall. |

The WebApplicationFirewall has one relation and that is a connection to the WebApplication.

Attack Steps and Defenses

| Attack Step | Description |
|---|---|
| None | There are no attack steps associated with the WebApplicationFirewall object. |

| Defense | Description | Impact | Default |
|---|---|---|---|
| BlackBoxTuned | Black box testing denotes the process of automated testing through scanners or fuzzers without access to the source code. This should decrease the number of false positives as well as false negatives and detect manipulatable parameters. This defense denotes whether or not the firewall is tuned using black box testing. | Reduces the risk of BypassWAF. | On |
| Enabled | Denotes whether the WebApplicationFirewall is active or not. | Reduces the risk of all BypassWAF attack steps. | On |
| ExpertTuned | This defense denotes whether or not the firewall has been tuned by an individual with significant experience in the field. An experienced tuner has a better understanding of the threats and how to mitigate them, thus making the firewall more effective. | Reduces the risk of BypassWAF. | Off |
| Monitored | Denotes whether or not there is an experienced operator monitoring the Web Application Firewall. This should make it more difficult to perform successful brute-force attacks, as these are detected by the operator. | Reduces the risk of BypassWAF. | Off |
| TuningEffort | Considerable effort has to be spent to properly tune the firewall to get the expected detection and prevention capabilities. Furthermore, effort needs to be spent to ensure that the firewall remains effective during its lifetime. | Reduces the risk of BypassWAF. | Off |
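The Monitored defense relies on an operator noticing brute-force activity in the firewall's logs. The following is an added example, not part of this reference page or of any WAF product, of the kind of detection logic such monitoring typically automates: a sliding-window count of failed login attempts per source address. The log format, field order, threshold and window size are assumptions chosen for the example, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not taken from the page). Assumed format:
#   "<ISO timestamp> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 POST /login 401
2024-01-01T10:00:01 203.0.113.5 POST /login 401
2024-01-01T10:00:02 203.0.113.5 POST /login 401
2024-01-01T10:00:03 203.0.113.5 POST /login 401
2024-01-01T10:00:04 203.0.113.5 POST /login 401
2024-01-01T10:00:05 203.0.113.5 POST /login 401
2024-01-01T10:00:30 198.51.100.7 POST /login 401
2024-01-01T10:05:00 198.51.100.7 POST /login 200
2024-01-01T10:06:00 192.0.2.9 GET /index.html 200
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time_of_first_alert} for every source address that produced
    at least `threshold` failed logins (HTTP 401 on POST /login) inside any
    `window`-long interval.  A per-IP deque holds the timestamps of recent
    failures; old entries are dropped as the window slides forward."""
    recent_failures = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = parse_line(line)
        # Only failed authentication attempts are counted (assumed login path).
        if not (method == "POST" and path == "/login" and status == 401):
            continue
        failures = recent_failures[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and ip not in alerts:
            alerts[ip] = ts  # record when the burst first crossed the threshold
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force suspected from {ip} at {when.isoformat()}")
```

Running the block flags 203.0.113.5, which produced its fifth failed login within a minute at 10:00:04, while 198.51.100.7 (a single failure followed by a success) and 192.0.2.9 (no failures) are left alone. In a real deployment the threshold and window would be tuned against the application's normal traffic, which is exactly the tuning effort the TuningEffort and BlackBoxTuned defenses describe.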
