Have the WAF vendors got you thinking that a firewall is enough? In the modern landscape, development and security move faster, and so do web application vulnerabilities. Unfortunately, a WAF doesn't prevent many of these attacks, and hackers of all hats have well-known ways of bypassing a WAF to exploit both common and creative web vulnerabilities.
Recently Tom Hudson, Security Research Team Lead at Detectify, spoke about how you can go beyond WAF security by Continuously Hacking Yourself to better secure your organization with the help of automation. You can watch the full presentation here, and we have highlighted some key points in this blog post with additional commentary:
WAF’s Got My Back… right?
Web Application Firewalls (WAFs) are a very common sight in a security toolbox, and they try to block malicious traffic; however, they are not a silver bullet for web security. A firewall alone isn't enough to stop attacks like Server-Side Request Forgery or the exploitation of misconfigurations. In the current age of the Internet, companies are essentially perimeterless, and curious minds may be sending payloads just to see if anything interesting happens.
Are these payloads malicious? Should they be blocked?
- <img src=x onerror=alert(1)>
- ' OR '1'='1
Without context, a WAF cannot determine whether these should be allowed or not, which is why it shouldn't be the only tool in your security toolbox. Hackers know this and often find ways to show how a WAF can be bypassed to exploit standard OWASP Top 10 vulnerabilities like XSS.
So what can exercise payloads continuously, in a controlled and harmless way?
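To make the "without context" point concrete, here is an added example (not code from the post or from Detectify) in which a naive, context-free blocklist judges the two payloads above the way a signature-only WAF would, while the application's own handling decides whether they actually do anything. The blocklist rules, the in-memory user table, the benign FAQ text and the `<svg onload=…>` variant are all constructed for this example.

```python
"""Added example: the same payload is harmful or inert depending on the sink.

A context-free filter (WAF_RULES) sees only the string, so it blocks a benign
FAQ sentence that happens to contain a payload and misses a trivially different
XSS vector, while a parameterized query and proper output encoding neutralise
both vectors without blocking anything. Names and data here are assumptions."""
import html
import re
import sqlite3

# Naive WAF-style blocklist: pattern matching on the raw request parameter.
WAF_RULES = [
    re.compile(r"<\s*img[^>]*onerror", re.IGNORECASE),
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
]

XSS_PAYLOAD = "<img src=x onerror=alert(1)>"
XSS_VARIANT = "<svg onload=alert(1)>"   # well-known variant the rule above ignores
SQLI_PAYLOAD = "' OR '1'='1"
# Constructed benign input: documentation text that quotes the payload.
BENIGN_FAQ_TEXT = "To test your login form, enter ' OR '1'='1 and confirm it is rejected."


def waf_blocks(value: str) -> bool:
    """Context-free filter: it sees the string, not where the string ends up."""
    return any(rule.search(value) for rule in WAF_RULES)


# --- Sink 1: SQL -----------------------------------------------------------
def _users_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(name: str) -> list:
    """String concatenation: the payload rewrites the WHERE clause."""
    conn = _users_db()
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(name: str) -> list:
    """Bound parameter: the payload is just a name that matches nobody."""
    conn = _users_db()
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Sink 2: HTML ----------------------------------------------------------
def render_vulnerable(comment: str) -> str:
    """Raw interpolation into an HTML text context: markup becomes live."""
    return f"<p>{comment}</p>"


def render_encoded(comment: str) -> str:
    """Output encoding for the HTML text context: markup becomes inert text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def contains_live_handler(markup: str) -> bool:
    """Crude check for an un-escaped element carrying an on* event handler."""
    return re.search(r"<\w+[^>]*\bon\w+\s*=", markup, re.IGNORECASE) is not None
```

Run the functions against `SQLI_PAYLOAD` and the two XSS strings: the blocklist blocks the FAQ sentence (a false positive) and lets `XSS_VARIANT` through (a bypass), whereas `lookup_parameterized` returns no rows and `render_encoded` yields no live handler for any input. The decision that matters is made at the sink, which is exactly the context the WAF does not have.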
Scanners Gonna Scan
Now that everything "is an app," the attack surface of a digital organization has grown, and protecting it takes more than a WAF. There are many DAST options on the market, or you can build your own automated testing; either way, the challenge is cutting through the noise and knowing what to scan for. According to NIST, 1572 Common Vulnerabilities and Exposures (CVEs) were published in October 2020. Some of these are reported without a known proof of concept (PoC), which means there is no public knowledge of whether they can actually be exploited in a damaging attack, and no clues on how to fix them.
Signatures vs. Payloads
Many scanners are based on signature testing: they look for software versions, file paths, and other identifying factors. A signature test does not actively exploit the vulnerability to verify whether it is a real risk, so it tends to produce false positives, for example when a patched build still reports a version that is known to have been vulnerable.
If you build your own testing, we recommend writing tests with payloads, where you actually run code against the target and check whether something can be exploited or not. That's right: we recommend developing tests that simulate attacks, so you essentially hack yourself.
Payloads aren’t just for hackers, and there are ways you can develop these in a safe way that will not take down your system, just like how the Detectify Security Research team develops a curated testbed of 2000+ widespread vulnerabilities.
Trusting ethical hackers to help verify relevant vulnerabilities
Even the security defenders in the largest tech organizations have difficulty keeping up with the growing volume of security research published across the internet. Many of them turn to ethical hackers for help. You may even have hidden hacker talent in your own organization, and you can crowdsource that knowledge internally by running CTFs and internal bug bounty programs.
Detectify gets help from ethical hackers in our Detectify Crowdsource community of over 250 members, who collaborate on security knowledge to secure web applications. They play a pivotal part in helping our Security Research team curate the latest expert security knowledge and develop leading vulnerability tests.
How to Continuously Hack Yourself
But maybe you like to do things the hard way and build your own security tests; then you had better go hack yourself with your own payload-based testing! Here are the best practices from Detectify's security research team for developing automated security tests that are reliable, safe, and impactful:
- Show how you would activate the payload
- Automated in a safe and controlled way
- Relevant for widespread impact
Show how you would activate the payload
To verify whether something is a real, exploitable threat, the Detectify Security Research team requires Crowdsource hackers to produce a proof of concept, or the actual payload they executed to exploit the vulnerability. CVEs and other known vulnerabilities can exist and still not be exploitable. With this approach, the security test only looks for verified security risks capable of doing damage, which should reduce false positives.
Each vulnerability can be exploited with many different payloads, which automation would never devise on its own. This means that even if you patched a vulnerability last week, a newly discovered attack method for it can make the exposure valid again. Having multiple eyes on the same software brings new payloads to light periodically.
Automated in a safe and controlled way
Being modular in how you develop security tests makes it easier to modify and remove things and to track performance. The exploit information is crowdsourced from our community of ethical hackers, but we build all the modules in-house. They need to be easy to automate for consistent and reliable results, and we need to make sure the payloads are replicable and will not harm anything or take things offline. If you're building your own modules, check that they do not:
- DoS users
- …or delete data!
- require TOO many requests
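The "Signatures vs. Payloads" section above and the first two best practices (a concrete payload that proves the bug, run automatically within safe limits) can be shown side by side in code. The following is an added example, not code from the post or from Detectify: a signature check that flags a build by its version banner, and a payload-based module with a request budget and a refusal to run anything destructive, both run against a constructed in-process stand-in for a static-file endpoint. The target, its version banner, the marker file and the module names are assumptions made for this example; the "fixed" build deliberately keeps the same banner, as a backported patch would, to show where the signature test goes wrong.

```python
"""Added example: signature test vs payload-based module with guard rails.

Everything below is constructed for illustration: the Target class stands in
for a web application, MARKER is a harmless file the payload only reads, and
the module/runner names are this example's own."""
import posixpath
from dataclasses import dataclass, field
from typing import Callable

MARKER = "CANARY-7f3a"  # constructed marker: exploitation is proven by reading it


@dataclass
class Target:
    """Constructed stand-in for a file-serving endpoint. Both builds advertise
    the same version banner; only `fixed` differs, like a vendor backport."""
    fixed: bool
    version: str = "1.0"
    files: dict = field(default_factory=lambda: {
        "public/index.html": "<h1>hello</h1>",
        "private/canary.txt": MARKER,
    })
    requests_seen: int = 0

    def get(self, path: str) -> tuple[int, str, dict]:
        self.requests_seen += 1
        headers = {"Server": f"demo-fileserver/{self.version}"}
        if self.fixed and ".." in path.split("/"):
            return 403, "forbidden", headers              # patched build rejects traversal
        resolved = posixpath.normpath("public/" + path)   # vulnerable: '..' leaves public/
        body = self.files.get(resolved)
        if body is None:
            return 404, "not found", headers
        return 200, body, headers


def signature_check(target: Target) -> bool:
    """Signature test: judge by the version banner alone."""
    _, _, headers = target.get("index.html")
    return headers["Server"].startswith("demo-fileserver/1.0")


@dataclass
class Module:
    """One payload-based test. `payloads` are the concrete strings that activate
    the bug (the proof of concept); `verify` decides from the response whether
    exploitation actually happened."""
    name: str
    payloads: list
    verify: Callable[[int, str], bool]
    max_requests: int = 5      # request budget: a module may not hammer the target
    destructive: bool = False  # modules declare side effects; the runner refuses them


def run_module(module: Module, target: Target) -> dict:
    """Run one module within its guard rails and report which payload proved the bug."""
    if module.destructive:
        raise ValueError(f"{module.name}: destructive modules are not run")
    used = 0
    for payload in module.payloads:
        if used >= module.max_requests:
            break                                         # stay within the budget
        status, body, _ = target.get(payload)
        used += 1
        if module.verify(status, body):
            return {"module": module.name, "vulnerable": True,
                    "proof": payload, "requests": used}
    return {"module": module.name, "vulnerable": False,
            "proof": None, "requests": used}


TRAVERSAL = Module(
    name="path-traversal-read-marker",
    payloads=["../private/canary.txt",       # plain traversal
              "..//private/canary.txt",      # doubled-slash variant
              "../../private/canary.txt"],   # one level too far; expected to miss
    verify=lambda status, body: status == 200 and MARKER in body,
    max_requests=2,
)

# A module that would "delete data"; the runner refuses to execute it.
DESTRUCTIVE = Module(
    name="delete-everything", payloads=["../private/canary.txt"],
    verify=lambda status, body: status == 200, destructive=True,
)

if __name__ == "__main__":
    for build in (Target(fixed=False), Target(fixed=True)):
        print("fixed" if build.fixed else "vulnerable",
              "signature:", signature_check(build),
              "payload:", run_module(TRAVERSAL, build))
```

Against the vulnerable build both tests say "vulnerable", but the payload module also returns the exact payload that worked, which is the proof of concept the post asks hackers to supply. Against the fixed build the signature check still fires (same banner, bug gone), while the module reports nothing after spending only its two budgeted requests, and the destructive module never runs at all.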
Relevant for widespread impact
If you open up your platform to vulnerability reporting, you will see a mixed bag of bugs. We get more than 100 submissions per month from our Crowdsource researchers. Naturally, we have to filter them, setting aside what is cool but not relevant (like a bug in Notepad) in favor of what is a bit rudimentary but impactful (a bug in Apache).
More minds are (most of the time) better than one, and security research is no different. Sometimes a vulnerability is announced, but there's no PoC. With the power of the crowd, Detectify can reach out to the Crowdsource community and get that information within hours of an announcement, as happened with CVE-2019-11510 (Pulse Secure SSL VPN file disclosure) and CVE-2018-13379 (Fortinet VPN path traversal).
So how do you keep it relevant? Share technology information by setting scope. Crowdsource hackers get an aggregated view of which technologies are in use across our user base. This helps them focus and stay in scope with what Detectify is interested in receiving.
By the way, you may get a zero-day or two
In 2020, the number of zero-days reported through Crowdsource continued to increase, allowing Detectify to protect customers before anyone else. We have a set process for handling zero-days, and we recommend having one in place so you are prepared for those kinds of reports. It requires sensitivity and collaboration between app owners and hackers to build a patch and a reliable test before disclosure, which prevents putting more organizations at risk.
Now you’re ready to go hack yourself
In the modern tech landscape, relying solely on a WAF to defend your online applications is not enough. Hackers know the tricks for bypassing them, and if you're lucky, some of them will disclose those tricks to you with good intentions.
Innovation in the automated security space needs to keep up with the high rate of vulnerability disclosure while keeping down the noise, so that defenders can prioritize the most relevant information. It's possible to build this kind of security automation on your own, and for reliable results your best bet is payload-based exploit testing, so you can hack yourself before someone else does.
However, if you’re strapped on resources and knowledge or just looking for experts to lean on, you can turn to Detectify for reliable and continuous hacker-approved security testing. It’s easy to sign up and give Detectify a try with a 2-week trial today. Go hack yourself.