Web Application Firewall

Network Security Spring 2021
Due


The goals of this assignment are to:

  1. Discover vulnerabilities in a web application
  2. Build a web application firewall to detect exploits of these vulnerabilities
  3. Use CSP and CORS to prevent exploitation

Web Application Firewall

A web application firewall (WAF) is a layer 7 proxy that mediates HTTP requests and responses in order to detect and prevent attacks. WAFs have become increasingly popular over the years—e.g., they are mandated by industry security standards such as PCI DSS. There are many commercial and open source WAFs (e.g., ModSecurity) available today. In this assignment, you will implement your own version to defend against latent vulnerabilities in a specific web application. A mitmproxy plugin, as described in the HTTP interception lab, is recommended for this purpose.

Vulnerable Web Application

This application is packaged as a single container image in Canvas labeled netsec-waf.img.zst, and can be unpacked as usual. This image contains two servers, a main application server and an API server. Both of these must run concurrently in order for the application to work correctly:

$ docker run -it -d --name waf-main -p 5000:5000/tcp netsec-waf main
$ docker run -it -d --name waf-api -p 5001:5001/tcp netsec-waf api

In addition, these applications assume that they are run on two origins: http://www.waf.netsec:5000 and http://api.waf.netsec:5001. Thus, you must modify your /etc/hosts file to contain mappings for these domains to your loopback interface by adding a line like the following:

127.0.1.1   www.waf.netsec  api.waf.netsec

Once the application is running, you will need to perform black-box testing of the web application in order to identify the vulnerabilities. There may be one or more vulnerabilities present.

Attack Detection

The first defense your WAF must implement is detection of XSS payloads in HTTP traffic to and from the application. You are free to use either anomaly detection or signature detection. However, your WAF must detect both exploitation of the injection vulnerability in the application and transmission of attack payloads to victim browsers. If an attack is detected, the offending request or response must be dropped.
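The following is an added example, not part of the assignment or the vulnerable application, of a signature-based mitmproxy addon that implements this defense. The request hook checks the path (including the query string) and the body against a small constructed rule set after undoing stacked URL and HTML-entity encoding; the response hook only flags inline script, inline event handlers and javascript: URLs, because the application's own pages legitimately contain `<script src=...>` tags. It assumes the application needs no inline script, and it uses only `flow.request.path`, `get_text()`, `flow.response` and `flow.kill()` from mitmproxy's flow API, so the addon can be exercised offline with the stand-in flow class at the bottom; load it in the proxy with `mitmdump -p 8080 -s waf.py`.

```python
import html
import re
from urllib.parse import unquote_plus

# Rules for attacker-controlled input (requests). Constructed for this example;
# a real rule set would be much larger and tuned to the application.
REQUEST_SIGNATURES = [
    re.compile(r"<\s*/?\s*script\b", re.I),                          # <script> / </script>
    re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),   # tags that carry handlers
    re.compile(r"\bon(error|load|click|mouseover|focus|blur|input|toggle)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

# Rules for outbound HTML. Only inline code is flagged: <script> without a src
# attribute, inline event handlers and javascript: URLs. Assumes the app does not
# rely on inline script (a default-deny CSP would forbid it anyway).
RESPONSE_SIGNATURES = [
    re.compile(r"<\s*script\b(?![^>]*\bsrc\s*=)[^>]*>", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus|blur|input|toggle)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def normalize(text: str, rounds: int = 3) -> str:
    """Undo layered URL and HTML-entity encoding so that %3Cscript%3E,
    &lt;script&gt; or %253Cscript%253E all match the same rule as <script>."""
    current = text
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def matches(text: str, signatures) -> bool:
    normalized = normalize(text)
    return any(sig.search(normalized) for sig in signatures)


class XssFilter:
    """mitmproxy addon: drop requests carrying XSS input and responses carrying
    inline script. Counters let a test (or mitmproxy's event log) see what was dropped."""

    def __init__(self):
        self.dropped_requests = 0
        self.dropped_responses = 0

    def request(self, flow):
        # path includes the query string; the body covers form posts and JSON
        candidates = [flow.request.path, flow.request.get_text(strict=False) or ""]
        if any(matches(c, REQUEST_SIGNATURES) for c in candidates):
            self.dropped_requests += 1
            flow.kill()  # request never reaches the application

    def response(self, flow):
        body = flow.response.get_text(strict=False) or ""
        if matches(body, RESPONSE_SIGNATURES):
            self.dropped_responses += 1
            flow.kill()  # response never reaches the browser


addons = [XssFilter()]  # what mitmdump -s looks for


# Stand-in for mitmproxy's HTTPFlow, used only to exercise the addon offline.
class _Message:
    def __init__(self, path="/", text=""):
        self.path = path
        self._text = text

    def get_text(self, strict=True):
        return self._text


class _Flow:
    def __init__(self, path="/", request_body="", response_body=""):
        self.request = _Message(path, request_body)
        self.response = _Message("/", response_body)
        self.killed = False

    def kill(self):
        self.killed = True


def check_request(path: str, body: str = "") -> bool:
    """True if the addon would drop a request with this path and body."""
    flow = _Flow(path=path, request_body=body)
    XssFilter().request(flow)
    return flow.killed


def check_response(body: str) -> bool:
    """True if the addon would drop a response with this body."""
    flow = _Flow(response_body=body)
    XssFilter().response(flow)
    return flow.killed


if __name__ == "__main__":
    # constructed traffic samples
    print(check_request("/search?q=hello+world"))                               # False
    print(check_request("/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))      # True
    print(check_response('<html><script src="/static/app.js"></script></html>'))  # False
```

The decoding loop matters more than the rule list: a filter that matches only the literal `<script` is bypassed by a single layer of percent-encoding that the application then decodes for the attacker. The response-side check is the weaker half of the design; if the application does use inline script, the check needs an allowlist of the known-good blocks, or anomaly detection against a baseline of the application's normal pages.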

CSP and CORS

The second defense your WAF must implement is to dynamically rewrite requests and responses to make use of CSP and CORS. In particular, your WAF must add to responses a CSP that implements the tightest possible default-deny policy. Likewise, your WAF must add CORS policies to the relevant messages. The composition of your CSP and CORS policies must prevent exploitation of the vulnerabilities you have identified in the application.
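As an added example (not part of the assignment), the addon below rewrites response headers for the two origins named above. Pages from www.waf.netsec get a default-deny CSP that permits only same-origin scripts, styles and images and lets XHR/fetch reach only the API origin; API responses get a CSP that forbids everything and a CORS policy that names the main application as the only origin allowed to read them. Whatever CORS or CSP headers the backend itself emitted, including a permissive `*`, are removed first. The specific directives, the `Access-Control-Allow-Methods`/`-Headers` values and the `apply_policy` helper are this example's choices, not anything the application documents; it assumes the application needs no inline script.

```python
from urllib.parse import urlsplit

# Origins the application runs on (from the assignment text).
APP_ORIGIN = "http://www.waf.netsec:5000"
API_ORIGIN = "http://api.waf.netsec:5001"
API_HOST = urlsplit(API_ORIGIN).hostname  # "api.waf.netsec"

# Default-deny CSP for the main application's HTML. Only same-origin scripts,
# styles and images load; fetch/XHR may reach the API only; nothing may frame
# the app; <base> and form targets cannot be redirected. Inline script and
# inline event handlers are blocked by the browser even if a filter misses
# them. Assumption: the app has no inline script (otherwise use nonces or
# hashes, never 'unsafe-inline'). Loosen only what the app demonstrably needs.
PAGE_CSP = "; ".join([
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self'",
    f"connect-src {API_ORIGIN}",
    "form-action 'self'",
    "frame-ancestors 'none'",
    "base-uri 'none'",
])

# API responses are data, not documents: if one is ever rendered as HTML
# (e.g. a reflected value in a JSON error page) nothing in it may execute.
API_CSP = "default-src 'none'; frame-ancestors 'none'"

# Backend-supplied policy headers are replaced wholesale, not merged.
POLICY_PREFIXES = ("access-control-", "content-security-policy")


def policy_headers(host: str, request_origin) -> dict:
    """Headers the WAF sets on a response from `host`, given the request's
    Origin header (None when the browser sent none)."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if host == API_HOST:
        headers["Content-Security-Policy"] = API_CSP
        headers["Vary"] = "Origin"  # caches must key on the Origin we echo
        if request_origin == APP_ORIGIN:
            # exact-match allowlist: never reflect an arbitrary Origin back
            headers["Access-Control-Allow-Origin"] = APP_ORIGIN
            headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
            headers["Access-Control-Allow-Headers"] = "Content-Type"
        # any other origin gets no Access-Control-* headers at all
    else:
        headers["Content-Security-Policy"] = PAGE_CSP
    return headers


def apply_policy(host: str, request_origin, headers):
    """Rewrite a mutable header mapping in place (mitmproxy's Headers is
    case-insensitive; a plain dict works for testing) and return it."""
    for name in [n for n in list(headers.keys()) if n.lower().startswith(POLICY_PREFIXES)]:
        del headers[name]
    for name, value in policy_headers(host, request_origin).items():
        headers[name] = value
    return headers


class PolicyAddon:
    """mitmproxy addon hook: flow.request.host is the backend the browser asked
    for, flow.response.headers is the mutable mapping rewritten above."""

    def response(self, flow):
        apply_policy(flow.request.host, flow.request.headers.get("Origin"), flow.response.headers)


addons = [PolicyAddon()]
```

Two points to check when running this against the real application: `'self'` in CSP means scheme, host and port, so it only works because the browser still addresses www.waf.netsec:5000 through the proxy rather than the WAF's own 8080 port; and a browser sends an OPTIONS preflight before any non-simple cross-origin request, so either the API must already answer OPTIONS or the addon has to synthesize that response (mitmproxy's `http.Response.make`), which this example leaves to the backend.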

Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should have the following structure:

$ tree -F waf
waf
├── Dockerfile
└── src/

The root directory must be named waf, and the source code to your solution should be contained in src/. Your Dockerfile should produce an image that launches your WAF on port 8080/tcp when run as follows:

$ docker run -it --rm --name waf \
    -v ${hosts_file}:/etc/hosts:ro \
    -p 8080:8080/tcp \
    ${image_name}

As shown above, your WAF will be given a hosts file that allows it to resolve the application origins.

Submit the solution archive to Canvas.