Data breaches in the modern world are terrifyingly familiar, and businesses face a relentless 24/7 task to protect their website, applications, and infrastructure. Merely having an online presence is enough to make your organization the target of cyber threats.
As the number of individuals affected by data breaches has more than quadrupled over the last decade, WAF solutions have swooped in to help. The web application firewall market is expected to grow at a CAGR of 16.92% and leap to a valuation of $8.06B in 2026 in response to the unsettled cybersecurity landscape.
WAF testing alone is extremely valuable in evaluating the effectiveness of your web application firewall. It is equally crucial when implemented as part of a layered approach to cybersecurity, so much so that WAF testing and pentesting are often combined in one unified strategy.
What is WAF testing?
A Web Application Firewall (WAF) is a critical component of web security that monitors, filters, and blocks HTTP traffic between a web application and the Internet. It acts as a barrier between your web application and potential cyber threats, protecting against cross-site scripting (XSS), SQL injection, and more.
WAF testing is a systematic approach to evaluating the effectiveness of a Web Application Firewall in detecting and mitigating potential security risks. The primary goal is to ensure that the WAF and its rules are configured correctly and capable of defending against evolving cyber threats. This process involves simulating attacks to assess how well the WAF identifies and blocks malicious traffic.
Blocklist vs. Allowlist WAFs
Blocklist and allowlist are two distinct approaches WAFs use to filter and control incoming traffic.
Blocklist WAFs: Blocklist WAFs operate on a blacklist principle, maintaining a list of known malicious entities, patterns, or signatures. The WAF is configured to identify and block traffic that matches these predefined criteria.
Allowlist WAFs: Allowlist WAFs, also known as whitelists, take a more restrictive approach. They only allow traffic that matches predefined criteria, effectively permitting only pre-approved entities and patterns while blocking everything else.
WAF Testing vs Penetration Testing
A penetration test, or pentest, is a simulated cyber attack designed to uncover vulnerabilities within a system. The collaboration between these two methodologies enhances overall security posture, comprehensively evaluating a web application's resilience against diverse threats.
There are many reasons why pairing WAF testing with pentesting offers a holistic view of both your application's vulnerabilities and the efficacy of your protective measures:
Identify more vulnerabilities: Combining WAF testing and pentesting ensures that both known and unknown vulnerabilities are identified and mitigated. This strategy is particularly successful when you choose a preemptive WAF like open-appsec that protects against zero-day attacks as well as common OWASP Top 10 threats.
Real-world simulation: Pentesting provides a real-world scenario of how an attacker might exploit vulnerabilities, which helps you understand the effectiveness of the WAF under actual attack conditions.
Compliance: Many regulatory standards like PCI DSS and GDPR require both proactive and reactive security measures, which WAF and pentesting provide together.
Continuous improvement: Pentesting can provide insights into how to fine-tune WAF rules and configurations, leading to improved overall security over time.
The collaboration between these two methodologies enhances the overall security posture, comprehensively evaluating a web application's resilience against diverse threats.
Dangers of a Breached Application Firewall
If a firewall for a web application gets breached, it can open the door to various threats and put sensitive data in the firing line. Here are some of the most common (and treacherous) risks of firewall breaches.
Data Breaches and Unauthorized Access A compromised firewall may allow unauthorized access to sensitive data, leading to data breaches. The best WAF solutions act as a barrier against unauthorized access by monitoring and filtering incoming traffic, helping prevent common attacks, and reducing the risk of data exposure.
Application Layer Attacks Firewalls might be vulnerable to application layer attacks like buffer overflows, code injections, and file inclusions. WAFs are specifically designed to protect you against such attacks by analyzing and validating HTTP traffic.
Zero-day Exploits Zero-day exploits focus on vulnerabilities that the software creator doesn't know about, which can make standard security tools, like firewalls, less valuable. Most common WAF solutions cannot prevent zero days as they are based on signatures, while open-appsec can effectively prevent those as it’s based on ML without using signatures.
DDoS Attacks DDoS attacks can overwhelm a firewall, causing service disruptions and making applications inaccessible to legitimate users. WAFs can help mitigate the impact of DDoS attacks by implementing security measures like rate limiting and IP blocking to identify and filter out malicious traffic.
Bot Attacks Bot attacks use automated scripts to perform fraudulent and malicious actions on your website, APIs, servers, and other endpoints, leading to disruption like downtime and financial losses. Choose a WAF that identifies and stops automated bot attacks before intrusion, theft, or harm to customer experiences.
How to Perform WAF Testing on Your Application Firewalls
Let's see how to protect web applications & APIs in Kubernetes by adding open-appsec to a Kubernetes Ingress Controller.
For this example, let's consider an application vulnerable to an SQL Injection attack.
Step 1 - Download & Install open-appsec
Download open-appsec using the below command:
wget https://downloads.openappsec.io/open-appsec-k8s-install && chmod +x open-appsec-k8s-install
Then, run the below command to install open-appsec. You can continue with the default configurations for installation, and it will take a couple of minutes to complete.
./open-appsec-k8s-install
Step 2 - Verify the Installation
Now, you can verify the installation of open-appsec by running the SQL injection query again. open-appsec will prevent such attempts by checking incoming requests before forwarding them to the application. Hence, you should get a 403 Forbidden error.
Step 3 - Centrally Manage Deployments
Connect the open-appsec Agent that you have installed to the SaaS Management to centrally manage deployments of open-appsec. Follow the below steps for that:
Sign up and log in using email/password, Google, or GitHub. You will see the Getting Started Page:
Check "I deployed an Agent".
Click Manage and select Kubernetes Profile. You will now see the profile page.
In the "Management" section, select "This management" to switch to centrally managed mode. Then, follow the instructions in the "Connect Existing Deployment" section.
Step 4 - Monitoring Events
All the events are now also sent to the cloud, and you can monitor them in the Web User interface. Click "Monitoring" at the top menu and then click on "Important Events". You should now see the event in the table. You can double-click the event to drill down and see the details.
That's it. You can use these monitoring data to decide whether your WAF is reforming as expected or make adjustments to improve the firewall.
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.
