Allow/Deny/Redirect Rules
• Define strict access control rules for the services
• Rules are service-specific and cannot be shared among services
• Two types of rules:
– Allow/Deny rules for URLs
– Allow/Deny rules for headers
[Diagram: a Web Application exposing Public, Private, Access Control and Payments services, each with its own rules]
Allow/Deny/Redirect Rules
[Diagram: the request from the client (Tommy) passes the Allow/Deny/Redirect Rules before it reaches the Application Server; the response returns the same way]
Website Profiles
[Diagram: the request from the client (Tommy) is checked against the Website Profiles before it reaches the Application Server; the response returns the same way]
Adaptive Profiling
• Automatically learns the structure of a web application
– Based on requests and/or responses
• Creates the website profile based on the learned structure
Profile Optimizers
• Reduce the number of URL or Parameter profiles to manage
• URL Optimizers: merge multiple URL profiles into one
• Parameter Optimizers: merge multiple Parameter profiles into one
[Diagram: while learning and optimizing, the WAF merges the URL profiles /abc/page1.html, /abc/page2.html, /abc/page3.html and /abc/page4.html into /abc/page*.html, and the parameter profiles param1, param2, param3 and param4 into param*]
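The merge the slide illustrates (page1 … page4 becoming page*, param1 … param4 becoming param*) can be reproduced with a small optimizer. The following is an added example written for this page, not Barracuda code, and it assumes a simple heuristic: profile names that differ only in a run of digits are candidates for one wildcard profile, and a wildcard is only created when it would cover at least two learned names. The sample profile lists are constructed. The coverage check at the end is the part a defender wants: it confirms that every learned name still matches exactly one profile after optimizing, so nothing was lost and nothing became ambiguous.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample input: profiles as adaptive profiling might have learned them
# (hypothetical names, not taken from any real WAF export).
LEARNED_URLS = [
    "/abc/page1.html", "/abc/page2.html", "/abc/page3.html", "/abc/page4.html",
    "/abc/index.html",
    "/api/users/17", "/api/users/42",
]
LEARNED_PARAMS = ["param1", "param2", "param3", "param4", "session"]

_DIGIT_RUN = re.compile(r"\d+")


def _wildcard_template(name: str) -> str:
    """Collapse every run of digits into '*' so that names differing only in a
    number (page1, page2, ...) map to the same candidate wildcard profile."""
    return _DIGIT_RUN.sub("*", name)


def optimize_profiles(names, min_group: int = 2):
    """Merge profiles that differ only in digit runs into one wildcard profile.

    A wildcard is only created when at least `min_group` learned names would be
    covered by it; smaller groups stay as explicit profiles so that a single
    odd URL does not silently widen the accepted input set.
    Returns the sorted list of resulting profile names.
    """
    groups = defaultdict(list)
    for name in names:
        groups[_wildcard_template(name)].append(name)

    optimized = []
    for template, members in groups.items():
        if "*" in template and len(members) >= min_group:
            optimized.append(template)      # one merged wildcard profile
        else:
            optimized.extend(members)       # keep the explicit profile(s)
    return sorted(optimized)


def coverage(learned, optimized):
    """Map every learned name to the optimized profiles that match it.

    Used to verify that the optimizer lost nothing (each learned name matches
    at least one profile) and created no ambiguity (at most one profile).
    """
    return {name: [p for p in optimized if fnmatchcase(name, p)] for name in learned}


if __name__ == "__main__":
    for label, learned in (("URL", LEARNED_URLS), ("Parameter", LEARNED_PARAMS)):
        optimized = optimize_profiles(learned)
        print(f"{label} profiles: {len(learned)} learned -> {len(optimized)} after optimizing")
        for name, matches in coverage(learned, optimized).items():
            print(f"  {name:20} -> {matches}")
```

Note that a merged profile accepts the union of what its members accepted, so after optimizing it is worth reviewing the parameter constraints of the wildcard profile rather than assuming the tightest member's settings survived. Because `fnmatchcase` treats `*` as matching any characters including `/`, a wildcard such as `/api/users/*` also covers deeper paths; a real optimizer would decide deliberately whether that is intended.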
IP Reputation Filter
• Filters traffic from specific geographic regions / categories to a service
– Geo pool
– Barracuda Reputation
– TOR nodes
– Anonymous proxy
– Satellite provider
[Diagram: requests from the filtered categories are blocked before they reach the service]
DDoS Policies
• Passively evaluate the clients to determine whether they are suspicious
• The client tagged as suspicious will be forced to answer a CAPTCHA
[Diagram: the WAF sits between the clients and the Web Server; a suspected BOT is served a JS challenge and a CAPTCHA, and its requests are blocked if it does not pass]
reCaptcha Integration
• Domains
• Site Key
• Site Secret
[Diagram: the reCaptcha settings are configured per Service]
Content
• Role Based Administration
• Cloud Control
• Configuration Backup & Templates
• Default Patterns
• Encryption Key Settings
• Response Pages
Role-Based Administration
• Restricts access to system resources based on roles assigned to users
– Eight roles already preconfigured (cannot be deleted)
[Diagram: a User is assigned a Role; the Role grants Read and/or Write operations on Objects such as Services, Security Policies, Auth. Services and the Web Interface; users are authenticated against the Internal DB or LDAP / RADIUS / SAML V2]
Cloud Control
• Monitor and configure multiple Barracuda Networks products from one cloud interface
• The same tabbed pages are available for managing all aspects of your Barracuda Networks product
[Diagram: the Barracuda Admin's Browser connects to Cloud Control, which manages the WAF]
Configuration Backup
• Can be used for backup purposes
• Upload to another Barracuda Web Application Firewall
[Diagram: the WAF Configuration is backed up every day at 5:00 a.m. to one of the following Destinations: Cloud, FTP / FTPS, SMB, Local System, AWS S3]
Templates
• A collection of configuration components arranged serially in a file
• Can be used as a model across policy revisions or across units
[Diagram: on WAF_Dev, the URL Policies of Service1 are exported as a Composite Template, and Service1 and Service2 together with their URL Policies as a Full Template; both templates are applied on WAF_Prod]
[Diagram (Encryption Key Settings): the WAF stores a Key Value together with a Key Expiration Time]
Response Pages
[Diagram: the Response Message returned to the Browser is one of the Error, Captcha, Access Control or Other Pages]
Agenda
• API Services
• API Discovery
• JSON Security
• GraphQL
• XML Firewall
• JWT Validation
• API Attack Actions
API Services
Software systems designed to support interoperable machine-to-machine interaction over a network (W3C)
• JSON
• GraphQL
• XML
[Diagram: Application A (DB: Oracle, Linux + JAVA) sends an HTTP Request to a Web Service of Application B (DB: MSSQL, Windows + ASP) and receives an HTTP Response]
REST Services
REST => Representational State Transfer
[Diagram: a Service Requester sends an HTTP Request (any method) carrying XML, JSON, GraphQL, … to a Service Provider, which returns an HTTP Response carrying XML, JSON, GraphQL, …]
API Services
[Diagram: the client (Tommy) talks to the Front-end Application, which calls the Back-end Application; an Attacker Payload that gets past the front end is forwarded to the back end]
API Services
• Separate service for front end and back end
• Front-end application communicates with Service 2
[Diagram: the Back-end Application is published on the WAF as its own service (Service 2)]
API Server
[Diagram: Inbound Inspection of the requests to the API Server and Outbound Inspection of its responses]
JSON Security
[Diagram: the request from the client (Tommy) is inspected by JSON Security before it reaches the Application Server; the response returns the same way]
[Diagram: the Administrator uploads the API Spec to the WAF]
Endpoint Discovery
• Requires ABP license
• Automatically identifies API endpoints
– Review endpoints
– Fine-tune parameter
[Diagram: the WAF discovers the endpoints of the Web Applications behind it and derives JSON Policies, JSON Key Profiles, URL Profiles, Header ACLs and DDoS Prevention settings for them]
JSON Security
• Ensures that attacks are not tunneled inside HTTP requests with JSON content
• Easy Open API integration
[Diagram: requests carrying attacks inside JSON content are blocked]
JSON Profile
• Enforces input validations and additional security checks
• Manual creation or generated from uploaded API specs
[Diagram: an HTTP Request with content type application/json arriving at a Service on the WAF is checked against the JSON Profile and the JSON Policy]
JSON Policy
The JSON Policy limits are annotated on the following sample JSON File (the slide's sample is shown here as valid JSON; "contacts" is an object holding "phoneNumbers" and "address"):
{
  "firstname": "tommy",
  "lastname": "reed",
  "age": 35,
  "contacts": {
    "phoneNumbers": [
      {
        "type": "office",
        "number": "456 555-7897"
      },
      {
        "type": "mobile",
        "number": "123 456-7890"
      }
    ],
    "address": {
      "streetAddress": "Lost street 23",
      "city": "Campbell",
      "state": "CA",
      "postalCode": "10041-4100"
    }
  }
}
• Max Keys – annotated at the top of the file
• Max Number Value – annotated at "age": 35
• Max Tree Depth – annotated at the nested "phoneNumbers" objects
• Max Array Elements – annotated at the "phoneNumbers" array
• Max Value Length (string) – annotated at the "address" values
• Max Siblings – annotated at the keys of "address"
• Max Key Length – annotated at the "address" keys
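To make the limits concrete, the following is an added example written for this page, not Barracuda code: a checker that walks a parsed JSON body and reports every JSON Policy limit the body exceeds. The limit values in POLICY are constructed placeholders (the slide names the limits but gives no defaults), Max Keys is interpreted here as the total number of keys in the whole document, Max Siblings as the number of keys directly inside one object, and depth is counted from 0 at the root; all three are assumptions. The sample body is constructed after the slide's JSON File.

```python
import json

# Constructed policy values (hypothetical; the slide names the limits but not their defaults)
POLICY = {
    "max_keys": 50,            # total number of keys in the whole document
    "max_key_length": 32,
    "max_value_length": 64,    # string values only
    "max_number_value": 1_000_000,
    "max_array_elements": 10,
    "max_siblings": 10,        # keys directly inside one object
    "max_tree_depth": 6,       # root object is depth 0
}


def check_json(doc, policy=POLICY):
    """Walk a parsed JSON document and return a list of policy violations.

    An empty list means the document is within every limit. Descent stops at the
    first level that exceeds max_tree_depth, so the walk itself stays bounded.
    """
    violations = []
    counters = {"keys": 0}

    def walk(node, depth, path):
        if depth > policy["max_tree_depth"]:
            violations.append(f"{path}: depth {depth} exceeds max_tree_depth")
            return
        if isinstance(node, dict):
            if len(node) > policy["max_siblings"]:
                violations.append(f"{path}: {len(node)} siblings exceed max_siblings")
            for key, value in node.items():
                counters["keys"] += 1
                if len(key) > policy["max_key_length"]:
                    violations.append(f"{path}.{key[:8]}...: key length {len(key)} exceeds max_key_length")
                walk(value, depth + 1, f"{path}.{key}")
        elif isinstance(node, list):
            if len(node) > policy["max_array_elements"]:
                violations.append(f"{path}: {len(node)} elements exceed max_array_elements")
            for index, value in enumerate(node):
                walk(value, depth + 1, f"{path}[{index}]")
        elif isinstance(node, str):
            if len(node) > policy["max_value_length"]:
                violations.append(f"{path}: string length {len(node)} exceeds max_value_length")
        elif isinstance(node, bool) or node is None:
            pass  # bool is a subclass of int in Python, so test it before numbers
        elif isinstance(node, (int, float)):
            if abs(node) > policy["max_number_value"]:
                violations.append(f"{path}: number {node} exceeds max_number_value")

    walk(doc, 0, "$")
    if counters["keys"] > policy["max_keys"]:
        violations.append(f"$: {counters['keys']} keys exceed max_keys")
    return violations


def check_json_text(text: str, policy=POLICY):
    """Parse and check a raw request body; a parse error is itself a violation."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"$: not valid JSON ({exc})"]
    return check_json(doc, policy)


# Constructed sample body, modelled on the slide's JSON File
SAMPLE_BODY = """{
  "firstname": "tommy", "lastname": "reed", "age": 35,
  "contacts": {
    "phoneNumbers": [
      {"type": "office", "number": "456 555-7897"},
      {"type": "mobile", "number": "123 456-7890"}
    ],
    "address": {"streetAddress": "Lost street 23", "city": "Campbell",
                "state": "CA", "postalCode": "10041-4100"}
  }
}"""

if __name__ == "__main__":
    print("sample body:", check_json_text(SAMPLE_BODY) or "within policy")
    oversized = {"age": 10**9, "tags": list(range(11)), "k" * 40: "ok"}
    for violation in check_json(oversized):
        print("violation:", violation)
```

The checker runs after `json.loads`, which is the right place for a backend self-check but not for a WAF: the point of enforcing Max Tree Depth and Max Array Elements at the WAF is that the body is rejected before any backend parser has to allocate the whole structure. The depth cut-off in `walk` keeps the example's own recursion bounded once a violation is found.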
GraphQL
[Diagram: GraphQL shown alongside REST JSON]
Common Attacks
• Injection
– SQL and NoSQL injection
– OS command injection
– SSRF / request smuggling
• DoS
• Exposure of sensitive data
GraphQL Security
[Diagram: the WAF inspects the GraphQL requests from the Attacker before they reach the Web Server]
[Diagram: an Attacker sends <XML> over HTTP to the Service Provider; the attack classes listed are:]
• Schema Poisoning
• XML Parameter Tampering
• Inadvertent XDoS
• External Entity Attack
• Processing Instructions
• …
XML Firewall
[Diagram: an Attacker sends an XML request over HTTP containing <user>http://hackerland.com</user>; the XML Firewall on the WAF inspects it before it reaches the Service Provider]
Schema Validations
[Diagram: the XML Firewall on the WAF applies XML Schema Validations (e.g., for http://bigfishinc.org/v1/service), WSDL / WS-I Service Validations, and SOAP Validations of the SOAP Message (e.g., for http://bigfishinc.org/api/users/reg) before the <XML> reaches the service]
XML Validations
<breakfast_menu>
  <food category="breakfast">
    <name>Belgian Waffles</name>
    <price>$5.95</price>
    <description>Two of our famous Belgian Waffles</description>
    <calories>650</calories>
  </food>
  <food category="breakfast">
    <name>Strawberry Belgian Waffles</name>
    <price>$7.95</price>
    <description>Light Belgian waffles</description>
    <calories>900</calories>
  </food>
</breakfast_menu>
Limits annotated on the sample: Max Tree Elements, Max Tree Depth, Max Attribute Name Length (e.g., category), Max Element Name Length
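The following is an added example written for this page, not Barracuda code, showing how the four structural limits above can be enforced while the XML body is still being parsed, so that an over-deep or oversized document is rejected at the first offending element rather than after it has been built in memory. The limit values in LIMITS are constructed placeholders (the slide names the limits but gives no defaults), depth is counted from 1 at the root element, and the sample document is constructed after the slide's breakfast menu. Only structural limits are covered here; entity handling and schema validation are separate concerns.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed limit values (hypothetical; the slide names the limits but not their defaults)
LIMITS = {
    "max_tree_elements": 100,
    "max_tree_depth": 8,              # root element is depth 1
    "max_element_name_length": 32,
    "max_attribute_name_length": 32,
}


class XmlLimitViolation(ValueError):
    """Raised as soon as the document exceeds one of the configured limits."""


def check_xml(data: bytes, limits=LIMITS):
    """Stream through an XML body and enforce the structural limits.

    The document is parsed incrementally with iterparse, so the check fails at
    the first offending start tag. Returns a small summary for documents that pass.
    Malformed XML raises xml.etree.ElementTree.ParseError from iterparse itself.
    """
    depth = 0
    elements = 0
    max_depth = 0
    for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            max_depth = max(max_depth, depth)
            if depth > limits["max_tree_depth"]:
                raise XmlLimitViolation(f"<{elem.tag}> at depth {depth} exceeds max_tree_depth")
            if elements > limits["max_tree_elements"]:
                raise XmlLimitViolation(f"element #{elements} <{elem.tag}> exceeds max_tree_elements")
            # ElementTree reports namespaced names as '{uri}local', so the namespace
            # URI counts towards the element name length in this example.
            if len(elem.tag) > limits["max_element_name_length"]:
                raise XmlLimitViolation(
                    f"element name of {len(elem.tag)} chars exceeds max_element_name_length")
            for attr in elem.attrib:
                if len(attr) > limits["max_attribute_name_length"]:
                    raise XmlLimitViolation(
                        f"attribute name of {len(attr)} chars on <{elem.tag}> exceeds max_attribute_name_length")
        else:
            depth -= 1
            elem.clear()  # drop finished subtrees so memory use stays flat
    return {"elements": elements, "max_depth": max_depth}


# Constructed sample, modelled on the slide's breakfast menu
SAMPLE_XML = b"""<breakfast_menu>
  <food category="breakfast">
    <name>Belgian Waffles</name><price>$5.95</price>
    <description>Two of our famous Belgian Waffles</description><calories>650</calories>
  </food>
  <food category="breakfast">
    <name>Strawberry Belgian Waffles</name><price>$7.95</price>
    <description>Light Belgian waffles</description><calories>900</calories>
  </food>
</breakfast_menu>"""


def nested(levels: int) -> bytes:
    """Build a document nested `levels` deep (used to exercise max_tree_depth)."""
    return b"<a>" * levels + b"</a>" * levels


if __name__ == "__main__":
    print("sample:", check_xml(SAMPLE_XML))
    oversized = (nested(20), b"<" + b"x" * 40 + b"/>", b"<r " + b"y" * 40 + b'="1"/>')
    for body in oversized:
        try:
            check_xml(body)
        except XmlLimitViolation as exc:
            print("rejected:", exc)
```

The sample menu has 11 elements and a depth of 3, so it passes; the 20-level nesting, the 40-character element name and the 40-character attribute name are each rejected at the tag that breaks the limit, without the rest of the body being read.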
[Diagram (JWT Validation): an API request to the WAF (Host: www.cudau.og, URL: /cgi-bin/badsore.cgi) is checked against the JSON Web Token Profile before it is forwarded to the Internal Endpoint]
[Diagram (API Attack Actions): HTTP Requests from the Attacker at 198.51.100.254 reach the WAF in front of the Web Servers; over the API the WAF reports the Offender IP 198.51.100.254 to the Firewall, which then drops that traffic]
Prerequisites
• CloudGen Firewall
– Firmware 7.0+
– Admin user for accessing the REST API
– REST API engine configured and running
– App Redirect rule to allow the WAF to access the REST engine
– Access rule with source CustomExternalObject4 set to block/drop
• Web Application Firewall
– Firmware 9.0+
– Able to reach the CloudGen Firewall
– Configured to use the CloudGen Firewall as upstream firewall
– Action Policies set to block IP as follow-up action
Vulnerability Scanners
[Diagram: a Scanner scans the Web App behind the WAF and produces a Scan Report]
Vulnerability Reports
[Diagram: the scan report feeds the Assessment]
Recommendations
Barracuda Vulnerability Manager
[Diagram: the Admin starts a Scan from Barracuda Vulnerability Manager over the Internet against the Web App behind the WAF and receives a Report]
The Scanner
[Diagram: the Barracuda Vulnerability Manager Scanner]
Reports
• Online reports are interactive
• Actions on issues can be tracked
Barracuda Vulnerability Remediation Service
[Diagram: the Barracuda Vulnerability Remediation Service scans the Web App over the Internet through the WAF (Physical/Virtual/Cloud) and manages the WAF Configuration & Profiles]
WAF Configuration
[Diagram: the service pushes Configuration to the WAF in front of the Web App]
[Diagram: once the scan is finished and the report generated, the Admin opens the Online Vulnerability Report of the Barracuda Vulnerability Remediation Service and chooses to mitigate the SQL finding in the email field; the service changes the WAF configuration protecting the Web App]
Enforcing
[Diagram: the WAF Service (active) with its Security Settings (active) writes Logs]
[Diagram: the New Security Settings (active) are enforced on the Users' Traffic to the Web App]
Notifications
[Diagram: the Barracuda Vulnerability Remediation Service notifies the Admin by Email]
The Scanner
[Diagram: Barracuda Vulnerability Remediation Service Scanner settings: General Settings, Crawler, Scan Elements, Authentication, Exclusions]
Interference Prevention
[Diagram: the Barracuda Vulnerability Remediation Service scans the Web App over the Internet through the WAF; the scanner is listed under the Trusted hosts of the Service (active) so that its Security Settings (active) do not interfere with the Scan]
Enforcing
[Diagram: after the Scan, the Service (active) and its Security Settings (active) are enforced again]
Domain Verification
Prevents unlawful scans on a web application (website) without express permission from its owner or operator
Verification Methods
[Diagram: to scan www.bigfishinc.org, Barracuda sends https://[verificationlink] to admin@bigfishinc.org and the Admin confirms]
[Diagram: verification of www.bigfishinc.org at its Web Server]
[Diagram: verification of www.bigfishinc.org through the Barracuda Vulnerability Remediation Service and the WAF, using the WAF Access Logs of the requests arriving over the Internet]
Content
• Why client-side protection?
• Content Security policy
• Sub-resource integrity
[Diagram: the Browser loads the Web server's page through the Barracuda WAF, and the page in turn pulls resources from a Third-party open-source repository]
CSP Example
CSP Directive
• default-src – Default for all directives, e.g., JavaScript, CSS, AJAX, frames or HTML 5 media
CSP Sources
• 'none' – Blocks content from all sources
Sub-Resource Integrity
• Creates integrity token for third-party resources
– Header inserted into response
– E.g., JS, CSS, … # sha256-PgrwROwuZhlsVg
[Diagram: the Browser loads JavaScript modules etc. from Third-party open-source repositories; the Barracuda WAF in front of the Web server adds the integrity token]
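The token shown above (sha256-…) is the SRI format: the algorithm name followed by the base64 encoding of the resource's digest. The following is an added example written for this page, not Barracuda code: it computes such tokens, verifies fetched content against an integrity attribute the way a browser does (simplified to accept any matching listed token), and audits an HTML page for third-party scripts and stylesheets that carry no integrity attribute at all, which is the gap a WAF-inserted token closes. The page, the host names and the library source in the example are all constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digest algorithms SRI allows


def sri_token(content: bytes, algorithm: str = "sha256") -> str:
    """Return the integrity token for a resource: '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched content against an integrity attribute.

    The attribute may list several space-separated tokens; here the content
    passes if it matches any token with a supported algorithm (a simplification
    of the browser rule, which only considers the strongest listed algorithm).
    """
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm in SRI_ALGORITHMS and sri_token(content, algorithm) == token:
            return True
    return False


class _SubresourceAudit(HTMLParser):
    """Collect third-party scripts and stylesheets that carry no integrity token."""

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host
        self.missing = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script":
            src = attributes.get("src")
        elif tag == "link" and attributes.get("rel") == "stylesheet":
            src = attributes.get("href")
        else:
            return
        if not src:
            return  # inline script or unrelated link element
        host = urlparse(src).netloc  # empty for relative (first-party) URLs
        if host and host != self.first_party_host and not attributes.get("integrity"):
            self.missing.append(src)


def unprotected_subresources(html: str, first_party_host: str):
    """Return the third-party script/stylesheet URLs in `html` that lack SRI."""
    audit = _SubresourceAudit(first_party_host)
    audit.feed(html)
    return audit.missing


# Constructed sample: a page served by www.example.com (hypothetical) that pulls
# resources from a hypothetical third-party repository at cdn.example.net.
LIB_SOURCE = b"export function greet(n) { return 'hi ' + n; }\n"
SAMPLE_PAGE = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="{sri_token(LIB_SOURCE)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/theme.css">
</head><body></body></html>"""

if __name__ == "__main__":
    print("token for lib.js:", sri_token(LIB_SOURCE))
    print("lib.js verifies:", verify_sri(LIB_SOURCE, sri_token(LIB_SOURCE)))
    print("tampered copy verifies:", verify_sri(LIB_SOURCE + b"//x", sri_token(LIB_SOURCE)))
    print("missing SRI:", unprotected_subresources(SAMPLE_PAGE, "www.example.com"))
```

A token only protects a resource if it is computed over the exact bytes the browser will receive, so a token must be regenerated whenever the third-party file changes; a stale token makes the browser refuse the resource, which is the safe failure. The audit deliberately ignores first-party relative URLs, since SRI is aimed at content fetched from repositories the site does not control.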
Thank You