Research, Testing, and Mitigation Solutions for Web Application Firewalls Evasion Techniques

In today's digital age, web application security is a priority for organizations of all sizes and industries. Web Application Firewalls (WAFs) are a critical component in defending web applications against threats and attacks. However, like all security tools, they are subject to different evasion techniques that put the security of web applications and sensitive data at risk. This thesis addresses the challenge of WAFs evasion techniques through a combination of research, experimentation and development of mitigation solutions. The first part of this thesis will introduce web applications security describing some of the most common vulnerabilities that can affect them such as SQL injection and Cross-Site Scripting (XSS). Then, we will see how Web Application Firewalls can be used to stop attackers from exploiting some of those vulnerabilities while waiting for the developers to patch them. In this part, particular attention will be put on ModSecurity, an open-source Web Application Firewall, and the Core Rule Set, a set of rules developed by the OWASP foundation to configure ModSecurity. The third part of the thesis will contain a research on some of the most common and effective techniques to bypass Web Application Firewalls protection. Techniques such as character encoding, HTTP request smuggling and impedance mismatch will be explained in detail using some real world examples. The last part of the thesis contains the active experimentation and testing of Web Application Firewalls evasion techniques on a controlled environment. The testing process involves using a known vulnerable application, the OWASP Juice Shop, protected by ModSecurity configured with the Core Rule Set. In this phase we will not only concentrate on bypass techniques, but we will also see how Web Application Firewalls fail to protect web applications from some kinds of vulnerabilities, such as business logic ones. For every bypass technique that is proven successful in this phase, we will also try to understand why it was possible and how to prevent it. The ultimate goal of this thesis is showing how attackers are able to bypass Web Application Firewalls protection to exploit vulnerabilities in order to understand how to stop them and improve the overall attack detection capabilities of these tools by implementing countermeasures for the evasion techniques seen.