AWS WAF (Web Application Firewall)
is a security service that helps protect web applications from common web exploits and vulnerabilities. It provides several key features and resources, including developer guides, API references, managed rules, and fraud control strategies. Below is a detailed overview of the available resources and features of AWS WAF
1. SQL Injection (SQLi)
Description: SQL Injection is a code injection technique that exploits vulnerabilities in an application’s software by injecting malicious SQL code into a query. This can manipulate the application’s database, allowing attackers to view, modify, or delete data without authorization.
How it Works: An attacker typically inserts or “injects” SQL code into an input field (like a search box) that is then executed by the application’s database server. If the application does not properly sanitize the input, this injected code can alter the intended SQL query.
Prevention:
- Use parameterized queries or prepared statements.
- Employ stored procedures.
- Validate and sanitize user inputs.
- Use web application firewalls (WAFs).
Example:
Input: ' OR '1'='1
Query: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
This query returns all records from the users
table because 1=1
is always true.
2. Cross-Site Scripting (XSS)
Description: XSS vulnerabilities occur when an attacker is able to inject malicious scripts into web pages viewed by other users. These scripts can be used to steal cookies, session tokens, or other sensitive information, and even perform actions on behalf of the user.
Types:
- Stored XSS: Malicious script is permanently stored on the target server (e.g., in a database).
- Reflected XSS: Malicious script is reflected off a web server, such as in a search result or error message.
- DOM-based XSS: Vulnerability exists in the client-side code rather than server-side code.
Prevention:
- Escape or encode output.
- Use Content Security Policy (CSP).
- Validate and sanitize user inputs.
- Use frameworks that automatically escape XSS (e.g., React.js).
Example:
<script>alert('XSS');</script>
This script runs when the page is loaded, displaying an alert box.
3. Cross-Site Request Forgery (CSRF)
Description: CSRF attacks trick a user into executing unwanted actions on a web application in which they are authenticated. This can be done by embedding malicious requests in web pages, emails, or other channels that the user unknowingly triggers.
How it Works: The attacker induces the victim to send requests that include their session cookie or other credentials, making the server believe these requests are legitimate actions from the authenticated user.
Prevention:
- Use anti-CSRF tokens.
- Check the Referer header.
- Implement same-site cookie attributes.
- Require re-authentication for sensitive actions.
Example:
<img src="http://victim.com/transfer?amount=1000&to=attacker" />
When this image is loaded, a request is sent to transfer money.
4. Remote Code Execution (RCE)
Description: RCE occurs when an attacker is able to execute arbitrary code on a server or another user’s device. This can lead to a complete system compromise, allowing the attacker to take full control.
How it Works: This exploit can be introduced through a variety of vectors, including input fields, file uploads, and vulnerable libraries or dependencies.
Prevention:
- Keep software and dependencies up to date.
- Use input validation and sanitization.
- Apply the principle of least privilege.
- Employ secure coding practices.
Example:
Input: ; rm -rf /
Query: eval($input);
This input could potentially delete critical system files if not properly sanitized.
5. Directory Traversal
Description: Directory traversal, or path traversal, attacks allow an attacker to access files and directories that are stored outside the web root folder. By manipulating variables that reference files, attackers can access sensitive files and data.
How it Works: Attackers use sequences like ../
to traverse up the directory tree and access restricted files.
Prevention:
- Validate and sanitize file paths.
- Use a whitelist of allowed files and directories.
- Implement proper access controls.
- Use secure APIs that abstract file access.
Example:
GET /../../etc/passwd HTTP/1.1
This request attempts to access the /etc/passwd
file on a Unix system.
6. Insecure Deserialization
Description: Insecure deserialization vulnerabilities occur when untrusted data is used to abuse the logic of an application, inflict denial of service (DoS) attacks, or execute arbitrary code.
How it Works: An attacker provides serialized data that, when deserialized by the application, executes malicious code.
Prevention:
- Avoid deserialization of untrusted data.
- Implement integrity checks with digital signatures.
- Isolate and sandbox deserialization code.
- Use libraries and frameworks that are known to be secure.
Example:
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedData));
Object obj = ois.readObject();
If serializedData
is controlled by an attacker, it could lead to RCE.
References
- OWASP Top Ten Web Application Security Risks
- PortSwigger Web Security Academy
- SANS Institute Web Application Security
- Acunetix Web Vulnerability Scanning
These resources provide in-depth information on web security vulnerabilities and mitigation strategies.