
WebARX New Web Application Firewall Engine

February 26, 2019 by Luka Šikić

We have put a lot of time and research into expanding our web application firewall engine and its functionality. We mapped what was missing with the current solutions on the market and deep-dived into the HTTP protocol.

The released version of our new web application firewall engine is an important milestone in becoming an industry leader in web application component security risk mitigation.

Freedom to make your own rules

There are a few settings to consider before writing your own match rules. The main distinction is whether a rule is a whitelist rule or not. When a whitelist rule matches, the request skips all web application firewall rules and is allowed through to the website. For a firewall (blacklist) rule, you choose one of the LOG, BLOCK or REDIRECT actions.

  • LOG – Logs the request and proceeds with access to the website.
  • BLOCK – Blocks the user from accessing the website.
  • REDIRECT – Redirects the user to the provided URL.

We also provide the ability to match on a defined request method. Currently available options are GET, POST and ALL.

Matching Elements

URI

The simplest form of matching. It looks for a match on the request URI, such as /wp-admin. If a match is found, the previously set action is triggered (LOG, BLOCK or REDIRECT). You can also set it as a whitelist to bypass the web application firewall on specific locations.

HTTP Headers

HTTP headers allow the client and the server to pass additional information with the request or the response. You can read more about HTTP Headers here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

All

Matches against all HTTP headers, joined into a single string with one header per line.

Key

Collection of all header keys, for example Content-Type, User-Agent, Accept, Cookie, Host etc. It can be used to check whether a certain header is present in the request. The rule is checked against each key name separately and a match is considered if one of the keys matches the provided rule.

Value

Collection of all header values in the request, for example application/json, the user's user agent, the cookie etc. It can be used to block requests coming from web bots based on their User-Agent. The rule is checked against each value separately and a match is considered if one of the values matches the provided rule.

Key and value

Collection of headers together with their values, for example Content-Type: application/json. It can be used for more precise matching, to make sure that both the key and the value match. The rule is checked against each element separately and a match is considered if one of the elements matches the provided rule.

Body/Parameters

All

Matches on all HTTP parameters or the whole body (which one depends on the request method defined for the rule). For example, if you request /?author=somebody&posts=latest, the rule will attempt to match on the whole parameter string (author=somebody&posts=latest).

Keys

Collection of all body/parameter keys. For example, if you request /?author=somebody&posts=latest, then author and posts are the keys. The rule is checked against each key separately and a match is considered if one of the keys matches the provided rule.

Values

Collection of all body/parameter values. For example, if you request /?author=somebody&posts=latest, then somebody and latest are the values. The rule is checked against each value separately and a match is considered if one of the values matches the provided rule.

Key and Value

Collection of all body/parameter keys and values. For example, if you request /?author=somebody&posts=latest, then author=somebody and posts=latest are the two elements. The rule is checked against each element separately and a match is considered if one of the elements matches the provided rule.

IP Address

Match on IP address accepts single IP (127.0.0.1), CIDR notation (127.0.0.1/24), IP range (127.0.0.1-127.0.0.200) and IP with wildcard (127.0.0.*)
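As an added illustration (not code from the post or from WebARX), here is a small Python model of the matching elements described above. `candidates()` returns the strings a rule's regex would be tested against for each element, following the definitions in this section, and `ip_matches()` accepts the four IP forms just listed. The sample request, its header and parameter values and the addresses are constructed placeholders; the per-element semantics are my reading of the descriptions, and Python's `re` stands in for the PCRE engine.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample request (placeholder values, not real traffic).
SAMPLE_REQUEST = {
    "method": "GET",
    "uri": "/wp-admin/",
    "headers": {
        "Host": "example.test",
        "User-Agent": "Python-urllib/2.7",
        "Content-Type": "application/json",
    },
    "params": {"author": "somebody", "posts": "latest"},
    "ip": "203.0.113.10",
}


def candidates(request: Dict, element: str) -> List[str]:
    """Return the strings a rule's regex is tested against for one matching
    element. A rule matches if ANY of the returned strings matches."""
    headers = request["headers"]
    params = request["params"]
    if element == "uri":
        return [request["uri"]]
    if element == "header_all":        # all headers, one per line, as one string
        return ["\n".join(f"{k}: {v}" for k, v in headers.items())]
    if element == "header_key":        # each header name on its own
        return list(headers.keys())
    if element == "header_value":      # each header value on its own
        return list(headers.values())
    if element == "header_kv":         # "Key: value" per header
        return [f"{k}: {v}" for k, v in headers.items()]
    if element == "body_all":          # the whole parameter string
        return ["&".join(f"{k}={v}" for k, v in params.items())]
    if element == "body_key":
        return list(params.keys())
    if element == "body_value":
        return list(params.values())
    if element == "body_kv":           # "key=value" per parameter
        return [f"{k}={v}" for k, v in params.items()]
    raise ValueError(f"unknown matching element: {element}")


def regex_matches(request: Dict, element: str, pattern: str,
                  ignore_case: bool = True) -> bool:
    """True if the pattern matches any candidate string for the element."""
    flags = re.I if ignore_case else 0
    return any(re.search(pattern, s, flags) for s in candidates(request, element))


def ip_matches(spec: str, ip: str) -> bool:
    """Accept the four IP spec forms the post lists: single address, CIDR,
    dash-separated range and trailing wildcard."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        # strict=False so that 127.0.0.1/24 is read as the network 127.0.0.0/24
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    if "*" in spec:
        # each * stands for one whole octet; anchor so 127.0.0.* cannot match 127.0.0.1.5
        rx = "^" + re.escape(spec).replace(r"\*", r"[0-9]{1,3}") + "$"
        return re.match(rx, ip) is not None
    return addr == ipaddress.ip_address(spec)


if __name__ == "__main__":
    for element in ("uri", "header_key", "header_kv", "body_all", "body_kv"):
        print(f"{element:12s} -> {candidates(SAMPLE_REQUEST, element)}")
    print(ip_matches("127.0.0.1/24", "127.0.0.200"), ip_matches("127.0.0.*", "127.0.0.7"))
```

Running the script prints what each element exposes to the regex, which is the quickest way to see why a pattern written for "Key and value" will not fire on "Key" alone.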


What can you do?

With the latest update, you can create your own web application firewall rules to whitelist, block, log and redirect HTTP/S requests. A single firewall rule can match a regular expression against HTTP request headers, body, URI and IP addresses. To test firewall regex rules, you can try them at regex101.com using the PCRE (PHP) flavor.

Example 1: Block Access to Admin Page

Let's say we have a login page on the /wp-admin URI and we want to block any request that tries to access that page. It can be blocked by a single regex rule: /(wp-admin)/msi.

  1. Enable Match by request headers
  2. Under the URI field, put the regex rule: (\/wp-admin(\/?))

Example 2: Restrict Admin Page to Known Users

Assuming you have already created the Block /wp-admin rule from the previous example, we now want to allow certain IP addresses to access /wp-admin.

  1. Enable Match by request headers and IP address
  2. Tick the Whitelist checkbox
  3. Under the URI field, put the regex rule: (\/wp-admin(\/?))
  4. Enter the IP address of the user who should be allowed to access /wp-admin
  5. Create the rule and assign it to a module or a single site

Example 3: Block Web Scraping Bot Based on User-Agent

Very often, web scraping bots are collecting information or searching for vulnerable web application components. Some of them can be identified by a specific User-Agent (Python-urllib/2.7), which we can use to block them.

  1. Enable match by Request Headers
  2. Under the key and value header field, put the regex: /(User-Agent:( +?| ?)Python-urllib\/2.7)/i; the /i flag makes the rule case-insensitive.

Example 4: Prevent User Enumeration

By default, WordPress leaves the ?author= GET parameter accessible, and if you enter the ID of some user you will be redirected to /author/. An attacker could automatically probe IDs and collect all users on the WordPress installation.

We can prevent that simply by blocking the GET /?author=<> request.

  1. Enable match by body/parameter
  2. Select match on the GET request method
  3. In the Body Key and Value input, enter the following regex: /(author=[0-9]+)/i, which matches the author GET parameter when one or more numeric characters are passed.
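To show how the four example rules above interact once they are all active, here is an added Python model of the rule evaluation (my own illustration, not WebARX code): whitelist rules are consulted first and a hit skips the firewall rules, otherwise the first matching firewall rule supplies its LOG, BLOCK or REDIRECT action, and the request-method filter is applied before any element is tested. Two things are assumptions on my part: when a rule configures several elements (URI plus IP address in Example 2) all of them must match, and the whitelist here accepts exact IP addresses only. The addresses and User-Agent strings in the requests are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    whitelist: bool = False             # matched requests skip every firewall rule
    action: str = "BLOCK"               # LOG, BLOCK or REDIRECT (unused on whitelist)
    method: str = "ALL"                 # GET, POST or ALL
    uri: Optional[str] = None           # regex tested against the request URI
    header_kv: Optional[str] = None     # regex tested against each "Key: value" line
    body_kv: Optional[str] = None       # regex tested against each "key=value" pair
    ips: List[str] = field(default_factory=list)  # exact addresses only (assumption)
    redirect: Optional[str] = None      # target URL for REDIRECT


def rule_matches(rule: Rule, req: Dict) -> bool:
    """A rule fires when its method filter passes and every element it
    configures matches (assumed AND semantics across elements)."""
    if rule.method != "ALL" and rule.method != req["method"]:
        return False
    checks = []
    if rule.uri is not None:
        checks.append(re.search(rule.uri, req["uri"], re.I) is not None)
    if rule.header_kv is not None:
        checks.append(any(re.search(rule.header_kv, f"{k}: {v}", re.I)
                          for k, v in req["headers"].items()))
    if rule.body_kv is not None:
        checks.append(any(re.search(rule.body_kv, f"{k}={v}", re.I)
                          for k, v in req["params"].items()))
    if rule.ips:
        checks.append(req["ip"] in rule.ips)
    return bool(checks) and all(checks)   # a rule with no element never fires


def evaluate(rules: List[Rule], req: Dict) -> Dict:
    """Whitelist rules first; a hit skips the firewall rules entirely.
    Otherwise the first matching firewall rule decides the action."""
    for rule in rules:
        if rule.whitelist and rule_matches(rule, req):
            return {"decision": "ALLOW", "rule": rule.name}
    for rule in rules:
        if not rule.whitelist and rule_matches(rule, req):
            result = {"decision": rule.action, "rule": rule.name}
            if rule.action == "REDIRECT":
                result["location"] = rule.redirect
            return result
    return {"decision": "ALLOW", "rule": None}


# The four rules from the post's examples, expressed in this toy model.
# 203.0.113.5 is a constructed placeholder for the allowed administrator IP.
EXAMPLE_RULES = [
    Rule("Block /wp-admin", uri=r"(\/wp-admin(\/?))"),
    Rule("Allow admin IP", whitelist=True, uri=r"(\/wp-admin(\/?))", ips=["203.0.113.5"]),
    Rule("Block Python-urllib bot", header_kv=r"(User-Agent:( +?| ?)Python-urllib\/2.7)"),
    Rule("Block user enumeration", method="GET", body_kv=r"(author=[0-9]+)"),
]


def make_request(method: str = "GET", uri: str = "/", headers: Optional[Dict] = None,
                 params: Optional[Dict] = None, ip: str = "198.51.100.9") -> Dict:
    """Build a constructed request dict; the defaults are placeholders."""
    return {"method": method, "uri": uri,
            "headers": headers or {"User-Agent": "Mozilla/5.0"},
            "params": params or {}, "ip": ip}


if __name__ == "__main__":
    for req in (
        make_request(uri="/wp-admin/"),                       # blocked
        make_request(uri="/wp-admin/", ip="203.0.113.5"),     # whitelisted
        make_request(headers={"User-Agent": "Python-urllib/2.7"}),
        make_request(params={"author": "1"}),                  # GET: blocked
        make_request(method="POST", params={"author": "1"}),   # POST: rule skipped
    ):
        print(req["method"], req["uri"], req["ip"], "->", evaluate(EXAMPLE_RULES, req))
```

The last two requests are the ones worth noticing: the enumeration rule is bound to GET, so the same author=1 pair in a POST body passes untouched, which is why the method selection in step 2 of Example 4 matters.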

Creating custom web application firewall modules with a set of rules

A firewall module is a group of firewall and whitelist rules. To create a web application firewall module, you need at least one rule. A module can be assigned to one or more websites, and all rules from that module are automatically attached to each website.

Modules can be created at Firewall Rules Management.


Assigning web application firewall module to a single website

If you wish to assign a module to a single website, open that website from the dashboard; under Firewall Rules you can attach single rules and/or modules.

Assigning web application firewall module to multiple websites at once

If you wish to assign a module to several websites at once, consider creating a website group, for example one for all your WordPress websites.

Infinite potential

For more technical webmasters, the new web application firewall engine opens up many opportunities; for CMS users (such as WordPress) it removes the need to install security plugins for specific hardening options.

Over the upcoming months, you will start seeing more and more modules added by us to the firewall library.
