
Stateful Web Application Firewalls with .NET


Shreeraj Shah 


A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a stateful WAF (SWAF). Security expert Shreeraj Shah covers the concept, implementation, and deployment of SWAF.

A Web Application Firewall (WAF) is emerging as the first line of defense for Web applications. A WAF filters content on both incoming and outgoing HTTP(S) traffic. Its operation is simple: it looks for malicious attack vectors arriving at the Web application, such as payloads for SQL injection, Cross-Site Scripting, LDAP injection, or OS command injection, and compares each incoming request against its own rule or signature database. Another important aspect of a WAF is its logging and auditing capability, which is valuable in Web application forensics and activity measurement.

Problem Domain

A WAF is usually stateless and cannot provide session-based stateful defense for Web applications. It treats each incoming request independently, without considering the state in which that request arrives. Yet each HTTP request arriving at the Web application may carry a state that is defined by internal session variables, and these states are maintained across requests by the session cookies that the Web application issues to each client.

Here’s an example. Consider the various banking transactions carried out by a customer with a valid account. John makes a first request to his bank’s login page and receives a session cookie along with the login page. At the same time, the application creates a session variable, login, in memory and sets it to untrusted.

Now John makes a second request that includes his credentials (a username and password combination). From the Web application’s point of view, the state of this request is untrusted. The application verifies the credentials against those stored in the backend SQL Server database and authenticates the user. It then changes the login variable in memory to successful and sets other session variables as well. In the same way, each incoming request may alter the state of the application depending on its logic, so subsequent HTTP requests arrive in different states.

To reiterate, each HTTP request can have a specific state, and these states can be mapped to internal session variables. But what if a rule set based on the state of the HTTP request needs to be built? One approach is to build a firewall module with access to the session variables. Each incoming request can then be checked against this session-based rule set before the response is served.

Our objective here is to build a stateful WAF using an HttpModule on the .NET Framework.
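The following is an added example, not the article's own code, of the module approach described above: an ASP.NET IHttpModule that reads the session variables set by the application (the login variable with its untrusted and successful values from the banking example) and applies a session-based rule set to each request before the handler runs. It assumes the classic ASP.NET (System.Web) pipeline with session state enabled; the URL prefixes in the rule table, the module class name and the log format are assumptions chosen for illustration.

```csharp
// Added example (not the article's code): a stateful WAF as an ASP.NET IHttpModule.
// Assumptions: classic System.Web pipeline, session state enabled, and an
// application that stores its login state in Session["login"] as "untrusted"
// (login page served) or "successful" (credentials verified), as in the banking example.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;
using System.Web.SessionState;

public class StatefulWafModule : IHttpModule
{
    // Session-based rule set, keyed on URL prefix (prefixes are assumed for the example):
    // the value is the login state a request to that area must carry.
    // Paths not listed are left to the application's own checks.
    private static readonly Dictionary<string, string> RequiredLoginState =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "/account/",  "successful" },
            { "/transfer/", "successful" },
        };

    public void Init(HttpApplication app)
    {
        // Session is populated by SessionStateModule during AcquireRequestState,
        // so the check must run after that event. BeginRequest is too early:
        // HttpContext.Session is still null there.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string path = ctx.Request.Path;

        // Session is null for handlers that do not implement IRequiresSessionState;
        // treat "no session" the same as "no login state".
        HttpSessionState session = ctx.Session;
        string loginState = session == null ? null : session["login"] as string;

        foreach (KeyValuePair<string, string> rule in RequiredLoginState)
        {
            if (!path.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase))
                continue;

            // The request is evaluated against the state it arrives in, not its payload.
            if (!string.Equals(loginState, rule.Value, StringComparison.Ordinal))
            {
                Block(ctx, path, loginState, rule.Value);
                return;
            }
        }
    }

    private static void Block(HttpContext ctx, string path, string actual, string required)
    {
        // Log before blocking: the audit trail is half the value of a WAF.
        Trace.TraceWarning(
            "SWAF blocked {0} from {1}: session login={2}, required={3}",
            path, ctx.Request.UserHostAddress, actual ?? "<none>", required);

        ctx.Response.Clear();
        ctx.Response.StatusCode = 403;
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write("Request blocked by stateful WAF.");

        // Skip the page handler and jump straight to EndRequest.
        ctx.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

The module is registered in Web.config like any other HttpModule (under system.web/httpModules for classic mode, or system.webServer/modules for IIS integrated mode) with the assembly-qualified type name of StatefulWafModule. Two points to keep in mind: the rule set is only as trustworthy as the session variable it reads, so the application must set login to successful strictly after credential verification and never from user-supplied input; and because the check is keyed on the session cookie, the usual session hygiene (HttpOnly and Secure cookie flags, a fresh session after login) still belongs to the application, not the module.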
