One of the questions that I keep getting asked is “If I use a Web Application Firewall (WAF), should I still fix the issues that we found in a penetration test?” To answer this question, we need to understand what a WAF does. The WAF is a firewall, but this one intercepts all the HTTP(S) traffic and tries to keep the harmful requests from reaching the web/app server. So, your application should never, at least in theory, see any of the attacks. But this not always the way it works.
Most WAFs work by intercepting the traffic and inspecting all HTTP requests for harmful content. But how do they know what is harmful and what is not? Well, some of the harmful things are obvious. For example, if a HTTP request comes with a script tag in one of the form fields or it contains a SQL command, it is almost always harmful. These signatures are built into the WAF. But then, a lot of attacks are not very straight forward. They use masking techniques to hide the attack.
Another problem is that sometimes, application functionality will require HTML tags or scripts. For instance, it could be an online website management application which allows “through the web” (TTW) editing. The application becomes useless if the WAF stops HTML and scripts from reaching the server. So, the solution is to have a learning mode. In this mode, they will try to understand the application and create a profile for it. If it regularly sees certain HTML tags pass during the learning period, they will allow those same tags when they are in active mode too (when they are actually supposed to be protecting the application).
Now, when the WAF is in learning mode, it is very important to make sure that only the valid values are supplied and also all the valid values are supplied. If an invalid value is supplied by mistake, it is very probable that the same value will also be allowed in active mode, possibly allowing an attack to pass through. The other thing to consider is that most web applications are not static. Functionality gets added, modified or removed. While the WAF will try to keep up, over time, it can get very complicated.
One more thing I have seen is that developers get complacent in the knowledge that the WAF is going to protect them even if they cut corners in their code. That is a sure recipe for disaster in the long run.
So, WAF is not the silver bullet that we thought it was. I normally recommend WAFs as a short term solution while the developers work on fixing the code and making them more secure by design.