Slide 1

OWASP CORAZA WEB APPLICATION FIREWALL

Slide 2

José Carlos Chávez, Software Engineer @ Tetrate
● Peruvian
● Open source enthusiast
● OWASP Coraza WAF Co-leader
● Zipkin core member
● Loving father
@jcchavezs

Slide 3

What is a Web Application Firewall?

Slide 4

Traditionally a WAF:
● Helps to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
● Protects web applications from malicious traffic such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
● It is a layer 7 (application layer, in the OSI model) defense acting as a reverse proxy: clients pass through the WAF before reaching the server.

Slide 5

[Diagram: the WAF sits in front of the SERVER; labelled clients: ATTACKER, APP, DEVICE]

Slide 6

WAF Features:
1. IP Fencing: Denies specific IPs through a denylist.
2. Geo Fencing and Geo Blocking: Creates a virtual perimeter around a specific geographical area using GeoIP databases.
3. Request/Response inspection: Examines request/response elements, matching them against known malicious values to distinguish between legitimate and malicious requests. Avoids zero-day attacks, client-side attacks, bot attacks, virus files, etc.

Slide 7

4. Security Rules:
○ SQL Injection
○ XSS Attacks
○ Local and Remote File Inclusion
○ Size Restrictions
○ Command Injection
○ Unknown Bad Inputs
5. Anomaly scoring: If a rule matches, the WAF applies a score for each deviation:
○ A simple deviation like a misspelled URL might only receive a low score.
○ A more serious one, e.g. an attempt to inject SQL code, receives a higher score.
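The anomaly-scoring mechanism described on this slide, as an added Go example that is neither Coraza's nor the Core Rule Set's own code: four constructed rules carrying CRS-style per-severity scores, an evaluator that keeps running after a hit and sums every matching rule's score, and the inbound threshold check that turns the total into a verdict. Rule IDs, patterns and score values are assumed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule is a minimal stand-in for a WAF rule: a pattern over one request
// field plus the anomaly score it contributes when it matches.
type Rule struct {
	ID      int
	Field   string // "path" or "args"
	Pattern *regexp.Regexp
	Score   int
}

// Rules constructed for the example (not the CRS rule set), with CRS-style
// per-severity scores: critical 5, warning 3, notice 2 (values assumed).
var rules = []Rule{
	{1001, "args", regexp.MustCompile(`(?i)union\s+select`), 5}, // critical
	{1002, "args", regexp.MustCompile(`(?i)<script`), 5},        // critical
	{1003, "path", regexp.MustCompile(`\.\./`), 3},              // warning
	{1004, "path", regexp.MustCompile(`\s`), 2},                 // notice
}

// Evaluate runs every rule and sums the scores of those that match. As in
// CRS it does not stop at the first hit: several low-severity deviations
// can add up to a block, while one minor oddity stays below the threshold.
func Evaluate(path, args string) (score int, matched []int) {
	for _, r := range rules {
		field := args
		if r.Field == "path" {
			field = path
		}
		if r.Pattern.MatchString(field) {
			score += r.Score
			matched = append(matched, r.ID)
		}
	}
	return score, matched
}

// ShouldBlock applies the inbound anomaly threshold (CRS default is 5).
func ShouldBlock(score, threshold int) bool { return score >= threshold }

func main() {
	s, ids := Evaluate("/../a b", "q=1")
	fmt.Println(s, ids, ShouldBlock(s, 5)) // prints: 5 [1003 1004] true
}
```

A request with only a stray space in its path scores 2 and passes, whereas the same space combined with a traversal sequence reaches the threshold, which is the accumulation behaviour the slide contrasts with a single-rule deny.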

Slide 8

6. DDoS Rate Limiting: Restricts the number of requests that a particular IP address can send to a server within a given timeframe. The rate limit is typically set based on a predetermined threshold that is considered safe for normal traffic, and any requests that exceed this limit are blocked.
7. Bot Mitigation: Analyzes cookies sent by the browser and checks them against databases of known bot cookies. Some examples:
○ CAPTCHA challenges
○ Bot Pretender
○ Web Scraping Protection
○ Bot Intelligence

Slide 9

There was a time when security was easy.
“I need more security – I will just buy another firewall”

Slide 10

● There is no single, easily identifiable perimeter for the enterprise: cloud, on-prem, multi-cloud, third-party services, FaaS, artifact registries, etc.
● In the times of microservices the majority of the traffic is East-West, whereas perimeter security focuses on North-South.
● Gateways have to carry knowledge about the upstream components, which ends up adding more security policies on the perimeter firewall, leading to operational complexity, misconfigurations, change management, timely policy updates, etc.
● The guiding principle of perimeter security is "Trust but Verify".

Slide 11

Zero Trust

Slide 12

Zero (implicit) Trust

Slide 13

Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.

Slide 14

Of the seven Zero Trust tenets, those that benefit from a Web Application Firewall:
5. Integrity and Security Posture
● Every resource request should trigger a security posture evaluation.
● When an attack is identified, apply network patches and vulnerability remediations.
7. Collect info on the current state of communications
● Continuously monitor the audit logs from traffic and improve the security posture.

Slide 15

@corazaio

Slide 16

What is Coraza WAF?
● An open source Web Application Firewall
● Written in Go
● Inspired by ModSecurity (EOL July 2024); supports seclang
● Focused on OWASP Core Rule Set v4: the newest and shiniest CRS
● Version 3.0 earned Coraza the Production Flagship status from OWASP.

Slide 17


Slide 18


Slide 19

Is Coraza an extension of ModSecurity’s agony?

Slide 20

Different on the inside:
● Actions are programmatically assigned, and they run on demand.
● Coraza caches transformation outputs to avoid repeating the same transformation multiple times in a single transaction.
● Rules are immutable: multiple transactions can consume the same rules with no risk of side effects.
● Focused on performance and high throughput.

Slide 21

Different on the outside:
● Plugins: Actions, Transformations, Operators, Audit Loggers, and Body Processors can be extended through an experimental API.
● Response body processing is available.
● The URL path is a variable, allowing route-like protection.
● Multiplatform connectors:
○ Native Go, Caddy, HAProxy, Traefik (WIP)
○ Envoy, Istio, Kong and APISIX using the proxy-wasm spec
○ Fully compatible with WebAssembly

Slide 22

On WebAssembly:
● Allows Coraza to run in very varied stacks through a Wasm runtime, e.g. native Go, Envoy (C++) and the Coraza Playground (browser).
● Lets Coraza act as part of the Policy Enforcement Point (PEP) in Zero Trust deployments, specifically in sidecars in service-mesh-based systems.
● Allows choosing libraries in different languages based on their performance (polyglot Wasm).
● Promotes portability and distribution of Coraza as an organization-wide policy without requiring application changes.

Slide 23

What is next?
● Version 3.1
● Directives API
● coraza-http-wasm
● Lazy loading for regexes
● More regex support for variables (e.g. SecResponseBodyMimeType and ctl)
● Yet more connectors

Slide 24

coraza.io | github.com/corazawaf | @corazaio

Slide 25
