February 26, 2019 by Luka Šikić
We have put a lot of time and research into expanding our web application firewall engine and its functionality. We mapped what was missing from the current solutions on the market and deep-dived into the HTTP protocol.
The release of our new web application firewall engine is an important milestone on our way to becoming an industry leader in mitigating security risks in web application components.
There are a few settings to consider before writing your own match rules. The main distinction is whether a rule is a
whitelist rule or a firewall rule. When a whitelist rule matches, the request skips all remaining web application firewall rules and is allowed through to the website; because a whitelist match bypasses every other rule, keep whitelist rules as narrowly scoped as possible. When a firewall (blacklist) rule matches, you can choose between the LOG, BLOCK and REDIRECT actions.
Rules can also be restricted to a specific request method. Currently available options are
The simplest form of matching. It looks for a match on the request URI, such
HTTP headers allow the client and the server to pass additional information with the request or the response. You can read more about HTTP Headers here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
Matches against all HTTP headers of the request as one block, with one header per line.
Collection of all header keys (names), for example
Content-Type, User-Agent, Accept, Cookie, Host etc. It can be used to check whether a certain header is present in the request. The rule is checked against each key name separately, and the rule matches if any one of the keys matches the expression.
Collection of all header values in the request, for example:
application/json, the user's User-Agent, the cookie string etc. It can be used to block requests coming from web bots based on their
User-Agent. The rule is checked against each value separately, and the rule matches if any one of the values matches the expression.
Key and value
Collection of header key/value pairs, for example:
Content-Type: application/json. It can be used for more precise matching, to make sure that both the key and the value match. The rule is checked against each pair separately, and the rule matches if any one of the pairs matches the expression.
Matches on all HTTP parameters or the request body (depending on the request method the rule is defined for). For example, if you request
/?author=somebody&posts=latest, the rule will attempt to match on the whole body (
Collection of all body/parameter keys. For example, if you request
posts are the keys. The rule is checked against each key separately, and the rule matches if any one of the keys matches the expression.
Collection of all body/parameter values. For example, if you request
latest are the values. The rule is checked against each value separately, and the rule matches if any one of the values matches the expression.
Key and Value
Collection of all body/parameter key/value pairs. For example, if you request
Matching on IP address accepts a single IP (127.0.0.1), CIDR notation (127.0.0.1/24), an IP range (127.0.0.1-127.0.0.200) and an IP with a wildcard (127.0.0.*).
With the latest update, you can create your own web application firewall rules to whitelist, block, log and redirect HTTP/S requests. A single firewall rule can match a regular expression against HTTP request headers, body, URI, or against client IP addresses. To test the regular expression of a firewall rule before deploying it, use regex101.com with the PCRE (PHP) flavor.
Let's say we have a login page on the
/wp-admin URI and we want to block any request that tries to access that page. It can be blocked with a single regex rule:
Assuming you have already created the
Block /wp-admin rule from the previous example, we now want to allow certain IP addresses to access
Very often, web scraping bots are collecting information or searching for vulnerable web application components. Some of them can be identified by a specific User-Agent (for example Python-urllib/2.7), which we can use to block them.
/(User-Agent:( +?| ?)Python-urllib\/2.7)/i with the /i flag, which makes the rule case-insensitive. The group ( +?| ?) lets the header match whether or not there are spaces between the colon and the product name.
By default, WordPress leaves the ?author= GET parameter accessible, and if you enter the ID of a user you are redirected to that user's /author/ archive, which exposes the username. An attacker could automatically probe IDs and collect all usernames on the WordPress installation.
We can prevent that by blocking any GET /?author=<> request.
In the Body Key and Value input, enter the following regex:
/(author=[0-9]+)/i which matches the author GET parameter whenever one or more digits are passed as its value.
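To show how the match targets described above and the rule examples (the /wp-admin block, the IP whitelist, the Python-urllib User-Agent block and the author-enumeration block) fit together, here is a small rule engine written for this article. It is an added, constructed example and not the vendor's engine: the target names, the Rule fields, the `^\/wp-admin` regex (the page's own regex for that example is not reproduced here), the 203.0.113.0/28 office range, the LOG rule and the sample requests are all assumptions. Python's re module is close to, but not identical with, PCRE; it handles the patterns used here.

```python
"""Toy rule engine for the match targets and actions described above (constructed
example, not the vendor's engine). The target names, Rule fields, the /wp-admin
regex, the 203.0.113.0/28 whitelist and the LOG rule are assumptions; Python's
re is close to, though not identical with, PCRE for the patterns used here."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

@dataclass
class Request:
    method: str
    uri: str
    headers: dict
    client_ip: str
    body: str = ""

@dataclass
class Rule:
    name: str
    target: str          # a key of targets() or "ip"
    pattern: str         # "/regex/flags" for text targets, an IP spec for "ip"
    action: str          # WHITELIST, LOG, BLOCK or REDIRECT
    methods: tuple = ()  # empty = any request method

def compile_pcre(spec):
    """Accept the /pattern/flags notation used in the rule examples above."""
    body, _, flags = spec.rpartition("/")
    if not body.startswith("/"):
        raise ValueError("pattern must be written as /.../flags")
    return re.compile(body[1:], re.IGNORECASE if "i" in flags else 0)

def ip_matches(spec, ip):
    """Single IP, CIDR, dash range or dotted wildcard, as listed in the IP section."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:  # CIDR; strict=False accepts 127.0.0.1/24 as 127.0.0.0/24
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:  # inclusive range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "*" in spec:  # every * stands for one octet
        return re.fullmatch(re.escape(spec).replace(r"\*", r"[0-9]{1,3}"), ip) is not None
    return addr == ipaddress.ip_address(spec)

def targets(req):
    """Build every text target a rule can be matched against."""
    raw = urlsplit(req.uri).query if req.method == "GET" else req.body
    params = parse_qsl(raw, keep_blank_values=True)
    hdr = list(req.headers.items())
    return {
        "uri": [req.uri],
        "headers": ["\n".join(f"{k}: {v}" for k, v in hdr)],
        "header_keys": [k for k, _ in hdr],
        "header_values": [v for _, v in hdr],
        "header_kv": [f"{k}: {v}" for k, v in hdr],
        "body": [raw],
        "body_keys": [k for k, _ in params],
        "body_values": [v for _, v in params],
        "body_kv": [f"{k}={v}" for k, v in params],
    }

def rule_matches(rule, req):
    if rule.methods and req.method not in rule.methods:
        return False
    if rule.target == "ip":
        return ip_matches(rule.pattern, req.client_ip)
    rx = compile_pcre(rule.pattern)
    return any(rx.search(t) for t in targets(req)[rule.target])  # any element hits

def evaluate(rules, req):
    """Return (action, deciding_rule, logged_rules). A whitelist hit skips every
    firewall rule; LOG hits are recorded and evaluation continues; the first
    BLOCK or REDIRECT hit decides the request."""
    for r in rules:
        if r.action == "WHITELIST" and rule_matches(r, req):
            return "ALLOW", r.name, []
    logged = []
    for r in rules:
        if r.action != "WHITELIST" and rule_matches(r, req):
            if r.action != "LOG":
                return r.action, r.name, logged
            logged.append(r.name)
    return "ALLOW", None, logged

# The rules from the examples above; 203.0.113.0/28 stands in for "our" addresses.
RULES = [
    Rule("Office IPs", "ip", "203.0.113.0/28", "WHITELIST"),
    Rule("Block /wp-admin", "uri", r"/^\/wp-admin/", "BLOCK"),
    Rule("Block Python-urllib", "headers", r"/(User-Agent:( +?| ?)Python-urllib\/2.7)/i", "BLOCK"),
    Rule("Block author enumeration", "body_kv", r"/(author=[0-9]+)/i", "BLOCK", methods=("GET",)),
    Rule("Log cookies", "header_keys", r"/^cookie$/i", "LOG"),
]
BASE = {"Host": "example.com", "User-Agent": "Mozilla/5.0"}  # constructed headers

def demo():
    """Decide a handful of constructed requests; returns name -> decision."""
    cases = {
        "admin_from_internet": Request("GET", "/wp-admin/", BASE, "198.51.100.7"),
        "admin_from_office": Request("GET", "/wp-admin/", BASE, "203.0.113.10"),
        "urllib_bot": Request("GET", "/", {**BASE, "User-Agent": "Python-urllib/2.7"}, "198.51.100.7"),
        "author_probe": Request("GET", "/?author=1", BASE, "198.51.100.7"),
        "author_in_post": Request("POST", "/wp-login.php", BASE, "198.51.100.7", "author=1"),
        "cookie_only": Request("GET", "/", {**BASE, "Cookie": "a=b"}, "198.51.100.7"),
    }
    return {name: evaluate(RULES, req) for name, req in cases.items()}
```

Calling demo() shows the whitelist winning for the office address, the two BLOCK rules firing on the URI and on the raw header block, the author rule ignoring the same parameter in a POST body because it is restricted to GET, and the LOG rule recording a hit without stopping evaluation. Note that the unanchored pattern (author=[0-9]+) is searched against each key=value element, so a parameter such as coauthor=5 would also be blocked; if the engine matches each pair separately, anchoring it as /^author=[0-9]+$/i avoids that.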
A firewall module is a group of firewall and whitelist rules. To create a web application firewall module, you need at least one rule. A module can be assigned to one or more websites, and all rules from that module are then automatically attached to those websites.
Modules can be created under Firewall Rules Management.
If you wish to assign a module to a single website, open that website from the dashboard; under
Firewall Rules you can attach single rules and/or modules.
If you wish to assign a module to several websites at once, consider creating a website group, for example for all your WordPress websites.
For more technical webmasters, the new web application firewall engine opens up a huge number of possibilities, and for CMS users (such as WordPress) it removes the need to install security plugins for specific hardening options.
Over the coming months, you will see more and more modules added by us to the firewall library.