WAF Virtual Patching

Question: What is the WAF virtual patching support of Acunetix? A WAF is an internet security technology that helps detect and block various attacks against websites, e-mail servers, corporate intranets, etc. This is the typical basic feature that clients with a website vulnerability analysis tool/system and an internet access control feature ask customer support for, i.e. a virtually patched version of your system or web application firewall (WAF). If you find that your system is always getting blocked or has weak security settings, a virtual patching service is a must to avoid endless attacks on your system.

A Virtual Patch is a software-based technology which can be executed both by the user and by the browser. When the WAF is executed on the browser side, it works as an authentic web security program that compares the content of the website against the stored XSite library and, if a match is found, bypasses the policy block and allows access to the resource. When web applications are accessed through a web browser, they perform a search of the ActiveX controls and, based on the results, execute the downloaded application-aware virtual patch. Such Virtual Patches are much safer than regular application-aware virtual patches, because regular application-aware virtual patches are susceptible to bypass vulnerabilities, whereas these application-aware Virtual Patches are not. When the client requests a Service Level Agreement (SLA) for the websites, it checks the application version and requests a virtual machine patch for that same version. Virtual application-aware virtual patches ensure that the security policy is always implemented, so there is no bypassing of policies.
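To make the virtual patching idea in the two paragraphs above concrete, here is an added example (not code from the page, from Acunetix, or from any WAF product) of the core mechanism a WAF uses: a scanner finding is turned into a request-filtering rule that shields the vulnerable parameter until the application itself is fixed. The findings format, the `build_patches` and `inspect` functions, and all sample requests are constructed for this illustration; the allow-list approach (accept only the values the endpoint is known to expect) is one common way to write such a patch.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed scanner findings (hypothetical export format, not Acunetix's).
# Each names the endpoint and parameter to protect and the value shape the
# application actually expects there.
FINDINGS = [
    {"id": "F-001", "method": "GET", "path": "/product", "param": "id",
     "expected": r"[0-9]{1,9}"},             # numeric product id only
    {"id": "F-002", "method": "POST", "path": "/login", "param": "user",
     "expected": r"[A-Za-z0-9_.@-]{1,64}"},  # plain account names only
]


@dataclass(frozen=True)
class VirtualPatch:
    """One WAF rule derived from one scanner finding."""
    finding_id: str
    method: str
    path: str
    param: str
    allowed: re.Pattern


def build_patches(findings):
    """Turn each finding into an allow-list rule for a single parameter."""
    return [
        VirtualPatch(f["id"], f["method"].upper(), f["path"], f["param"],
                     re.compile(f["expected"]))
        for f in findings
    ]


PATCHES = build_patches(FINDINGS)


def inspect(patches, method, url, body=""):
    """Decide whether a request may pass. Returns (allowed, reason).

    Only the parameters named by a patch are judged; every other request
    passes untouched, which keeps the false-positive rate of the patch low.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    for patch in patches:
        if patch.method != method.upper() or patch.path != parts.path:
            continue
        for value in params.get(patch.param, []):
            # fullmatch: the whole value must fit the expected shape, so a
            # valid prefix followed by injected characters is still rejected.
            if not patch.allowed.fullmatch(value):
                return False, (f"blocked by virtual patch {patch.finding_id}: "
                               f"{patch.param}={value!r}")
    return True, "no virtual patch matched"


if __name__ == "__main__":
    # Constructed sample traffic: two legitimate requests, two that carry
    # unexpected characters in a patched parameter, one unrelated endpoint.
    samples = [
        ("GET", "/product?id=42", ""),
        ("GET", "/product?id=42abc", ""),
        ("POST", "/login", "user=alice&pw=secret"),
        ("POST", "/login", "user=alice%27+OR+1%3D1&pw=x"),
        ("GET", "/search?q=anything", ""),
    ]
    for method, url, body in samples:
        ok, why = inspect(PATCHES, method, url, body)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {method} {url} {why}")
```

Note that the patch is scoped to the method named in the finding: if the application also accepts `id` on a POST to `/product`, the finding (and therefore the patch) must cover that method too, otherwise the rule protects only half of the attack surface. That is the practical reason a virtual patch is a stop-gap until the application code is corrected.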

The technology disclosed here takes the form of a WAF Virtual Machine Loader (VRML). As a WAF, it performs WAF generation while a web page is being browsed. The generated code runs within the Virtual Machine, and the WAF records information about the code-execution environment. The Virtual Machine implementation relies on a Service Level Agreement (SLA), which is a security policy implemented on the client device. In a nutshell, the generated virtual machine code runs within the WAF and the policies are then enforced on the WAF.

This technology is a must-have for any web application firewall, since it ensures absolute integrity and performance of the network. In other words, with the new type of virtual patches there are now no vulnerabilities in the applications and only a minimal risk of bypassing security policies. Such virtual patches have the potential to protect against all known web vulnerabilities, including:

o Denial of Service Attack: A denial of service attack occurs when a malicious attacker makes use of a system vulnerability in order to cause erratic or erroneous behavior on a particular web application request. The attacker may use a software package such as a vulnerability scanner or a program that extracts sensitive information. Once the information has been extracted, the attacker may then cause the application or the server to crash. The denial of service attack can be executed through a vulnerability in a software release, a server issue or a browser vulnerability. In all three cases, the attacker will be able to gain access to the application and will thus control it.

o Overflows / Overflows with security disclosure: Security flaws that occur through overflows can disclose information that may help attackers exploit the system. For example, if an application accidentally sends a large buffer containing an array of zero-length lines (also called null pointers) to a server, this data may be collected by attackers and used for either data gathering or buffer manipulation. If a vulnerability that was patched is detected and the corresponding patches are applied, the security flaw will be exposed. With virtual patching, however, when such flaws are discovered they are promptly repaired so as to prevent new vulnerabilities from being exploited.

o Denial of Service Attack: A denial of service attack is carried out through the exploitation of weak or corrupted networking connections. An attacker can send requests to the WinDriver Kernel using the WinDriver API to generate requests to a driver that is controlled by the client device driver or application. When the WinDriver Kernel processes such a request, it checks the logical connection and, if it is found to be imperfect, returns an error. Virtual Patching technology is based on the logic of such a technique, to prevent the kernel from ever returning a logical error in the future.

Security concerns about WAFs are high because a WAF can cause many different problems for the user and can deny access to resources even when the security rules have been applied correctly. Because of this, it may cause system crashes and other undesirable results. In addition, a rule affected by a vulnerability may block certain features that the user requires and could therefore cause performance issues.
