
Coraza Web Application Firewall

José Carlos Chávez

October 30, 2023

Transcript

  1. OWASP CORAZA WEB APPLICATION FIREWALL
     José Carlos Chávez, Software Engineer @ Tetrate
     • Peruvian
     • Open source enthusiast
     • OWASP Coraza WAF Co-leader
     • Zipkin core member
     • Loving father
     @jcchavezs
  2. Traditionally a WAF:
     • Helps to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
     • Protects web applications from malicious traffic such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
     • It is a layer 7 (application layer, in the OSI model) defense acting as a reverse proxy: clients pass through the WAF before reaching the server.
  3. WAF Features:
     1. IP Fencing: Denies specific IPs through a denylist.
     2. Geo Fencing and Geo Blocking: Creates a virtual perimeter around a specific geographical area using GeoIP databases.
     3. Request/Response inspection: Examines request/response elements, matching them against known malicious values to distinguish between legitimate and malicious requests. Avoids zero-day attacks, client-side attacks, bot attacks, virus files, etc.
  4. 4. Security Rules:
     ◦ SQL Injection
     ◦ XSS Attacks
     ◦ Local and Remote File Inclusion
     ◦ Size Restrictions
     ◦ Command Injection
     ◦ Unknown Bad Inputs
     5. Anomaly scoring: If a rule matches, the WAF applies a score for each deviation:
     ◦ A simple deviation like a misspelled URL might only receive a low score.
     ◦ A more serious one, e.g. an attempt to inject SQL code, receives a higher score.
  5. 6. DDoS Rate Limiting: Restricts the number of requests that a particular IP address can send to a server within a given timeframe. The rate limit is typically set based on a predetermined threshold that is considered safe for normal traffic, and any requests that exceed this limit are blocked.
     7. Bot Mitigation: Analyzes cookies sent by the browser and checks them against databases of known bot cookies. Some examples:
     ◦ CAPTCHA challenges
     ◦ Bot Pretender
     ◦ Web Scraping Protection
     ◦ Bot Intelligence
  6. There was a time when security was easy. “I need more security – I will just buy another firewall”
  7. • There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc.
     • In the times of microservices the majority of the traffic is East-West, whereas perimeter security focuses on North-South.
     • Gateways have to carry knowledge about the upstream components, which ends up adding more security policies on the perimeter firewall, leading to operational complexity, misconfigurations, change management, timely policy updates, etc.
     • The guiding principle of perimeter security is "Trust but Verify".
  8. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.
  9. Of the 7 Zero Trust Tenets, those that benefit from a Web Application Firewall:
     5. Integrity and Security Posture
     • Every resource request should trigger a security posture evaluation.
     • When an attack is identified, apply network patches and vulnerability remediations.
     7. Collect info on the current state of communications
     • Continuously monitor the audit logs from traffic and improve the security posture.
  10. What is Coraza WAF?
     • An open source Web Application Firewall
     • Written in Go
     • Inspired by ModSecurity (EOL July 2024), supports seclang
     • Focused on OWASP Core Rule Set v4: the newest and shiniest CRS
     • Version 3.0 earned Coraza the Production Flagship status from OWASP.
  11. Different on the inside:
     • Actions are programmatically assigned, and they run on demand.
     • Coraza caches transformation outputs to avoid repeating the same transformation multiple times in a single transaction.
     • Rules are immutable: multiple transactions can consume the same rules with no risk of side effects.
     • Focused on performance and high throughput.
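As an added illustration of the anomaly scoring model from slide 4 and the immutable-rules design from slide 11 (example code written here, not Coraza's own implementation): a minimal Go scorer where a shared, read-only rule slice is evaluated by per-request transactions using the CRS v4 default severity scores and inbound threshold. The rules, the regexes and the query strings are constructed for this example, and matching is simplified to ARGS only.

```go
package main

import (
	"net/url"
	"regexp"
)
// Rule keeps what anomaly scoring needs from a seclang SecRule: id, msg, severity and
// an @rx operator over ARGS. Built once, never mutated, safe to share across transactions.
type Rule struct {
	ID       int
	Msg      string
	Severity string // CRS severities: CRITICAL, ERROR, WARNING, NOTICE
	Pattern  *regexp.Regexp
}
// severityScore is the CRS v4 default anomaly score added per severity.
var severityScore = map[string]int{"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
// Transaction is the only mutable state: one per request, discarded afterwards.
type Transaction struct {
	Score   int   // inbound anomaly score accumulated so far
	Matched []int // IDs of the rules that fired
}
// Evaluate runs every rule over the decoded query arguments (ARGS). Simplification:
// a rule adds its score at most once per transaction, however many ARGS match it.
func (tx *Transaction) Evaluate(rules []Rule, rawQuery string) {
	args, _ := url.ParseQuery(rawQuery) // malformed pairs are skipped, not fatal
nextRule:
	for _, r := range rules {
		for _, vals := range args {
			for _, v := range vals {
				if r.Pattern.MatchString(v) {
					tx.Score += severityScore[r.Severity]
					tx.Matched = append(tx.Matched, r.ID)
					continue nextRule
				}
			}
		}
	}
}
// Blocked mirrors the CRS blocking rule: deny once the score reaches the inbound threshold.
func (tx *Transaction) Blocked(threshold int) bool { return tx.Score >= threshold }
// ConstructedRules is a sample rule set written for this example, not CRS content.
var ConstructedRules = []Rule{
	{1001, "SQLi-like keyword sequence in argument", "CRITICAL", regexp.MustCompile(`(?i)\bunion\b[\s/*]+\bselect\b`)},
	{1002, "Unusually long argument: a low-score deviation", "NOTICE", regexp.MustCompile(`^.{200,}$`)},
}
// Inspect scores one query string against the shared rules with the CRS default threshold of 5.
func Inspect(rawQuery string) (score int, blocked bool) {
	tx := &Transaction{}
	tx.Evaluate(ConstructedRules, rawQuery)
	return tx.Score, tx.Blocked(5)
}
```

Because ConstructedRules is never written after construction, Inspect can be called from many goroutines at once, which is the property slide 11 describes.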
  12. Different on the outside:
     • Plugins: Actions, Transformations, Operators, Audit Loggers, and Body Processors can be extended with an experimental API.
     • Response Body Processing is available.
     • The URL path is a variable, allowing route-like protection.
     • Multiplatform connectors:
       ◦ Native Go, Caddy, HAProxy, Traefik (WIP)
       ◦ Envoy, Istio, Kong and APISIX using the proxy-wasm spec
       ◦ Fully compatible with WebAssembly
  13. On WebAssembly:
     • Allows running Coraza in very varied stacks through a Wasm runtime, e.g. native Go, Envoy (C++) and Coraza Playground (browser).
     • Leverages Coraza as part of the Policy Enforcement Point (PEP) in Zero Trust deployments, specifically in sidecars in service-mesh-based systems.
     • Allows choosing libraries in different languages based on their performance (polyglot Wasm).
     • Promotes portability and distribution of Coraza as an organization-wide policy without requiring application changes.
  14. What is next?
     • Version 3.1
     • Directives API
     • coraza-http-wasm
     • Lazy load for regexes
     • More regex support for variables (e.g. SecResponseBodyMimeType and ctl)
     • Yet more connectors