The first post in the series began with the earliest web application firewalls that were essentially stateless pattern matching engines, and when the limitations of treating requests in isolation became clear, the industry built the stateful WAFs described in the second post. Standard stateful WAFs work by trying to model the application behavior. When the model isn’t perfect, a stateful WAF will generate an alert, and possibly a false positive.
Some of the most devastating attacks against applications are injection attacks, when code is made to run when it’s “not supposed to.” Command injection is when attackers are able to execute unauthorized shell commands, and its cousin, SQL injection is when an attacker is able to run commands to compromise a database. (One of the funniest explanations of SQL injection is XKCD #327.)
SQL is a huge, sprawling language, which makes it difficult to find all the “bad” things that can go wrong. Every SQL implementation is slightly different, and the syntax of standard SQL is sprawling (see the most well-known effort to formally document the grammar of standard SQL). In 2012, to bring some order to the morass of regular expressions, libinjection was first released, and it was an important step forward because it was able to distill SQL attacks into a set of patterns. Essentially, libinjection elevates the level at which signatures operate at, making it possible to apply the same technology in a more efficient manner.
Another way in that second-generation WAF technology applied automation is in blocking. Rather than require skilled security analysts to examine reports, IP reputation services are used to classify the source of traffic. Network addresses that are a source of attacks or undesirable behavior can be labeled as malicious, allowing security operations teams to focus on many fewer events.
Even with improvements in automation, this wasn’t quite enough to address all the shortcomings of second-generation WAFs. To fully integrate application protection, we need even richer technologies. For the final step in the story, stay tuned as we put the final pieces into place to reach the state of the art.