App Firewall Settings
WAAS Firewall settings control the application firewall’s protections, actions and exceptions.
The following protections are available for Container, Host and App-Embedded rules. Serverless rules have a limited set of protections focusing mostly on OWASP Top-10 attacks.
OWASP Top 10 Protection
WAAS offers protection for the critical security risks described in the OWASP Top Ten list.
An SQL injection (SQLi) attack occurs when an attacker inserts an SQL query into the input fields of a web application. A successful attack can read sensitive data from the database, modify data in the database, or run arbitrary commands.
WAAS parses and tokenizes input streams (request data) and then detects malicious attempts to inject unauthorized SQL queries.
Cross Site Scripting
WAAS parses and tokenizes input streams (request data) and then searches for matching fingerprints of known malicious attack patterns.
Command & Code Injection
Command injection is a form of attack in which attackers attempt to run arbitrary commands on the web application’s host. Code injection is a form of attack in which code is injected and interpreted by the application or other runtimes. Command and code payloads are either injected as part of HTTP requests or included from local or remote files (also known as File Inclusion).
WAAS inspects all HTTP requests sent to the application and protects against all types of injection attacks as well as local file inclusions.
Prisma Cloud architecture facilitates defense in depth via multiple protection layers. Enabling Runtime Protection in addition to WAAS allows the application to be profiled so that anomalies resulting from command or code injection (e.g. unexpected new processes or DNS queries) can be identified.
Local File Inclusion
Local File Inclusion is a form of attack in which attackers attempt to gain unauthorized access to locally stored sensitive files on the web application host. Such access attempts are often made using directory traversal attacks or exploiting file inclusion vulnerabilities in the application.
WAAS inspects all HTTP requests sent to the application for local file inclusion attacks that target sensitive system files, as well as other directory traversal attempts.
Attack Tool & Vulnerability Scanners
Vulnerability scanners are automated tools that scan web applications for known security vulnerabilities and misconfiguration.
Web crawlers are automated tools designed to systematically access and enumerate the content of web applications. Crawling can lead to data breaches by exposing resources that should not be publicly available, or revealing opportunities for hacking by exposing software versions, environment data, and so on.
WAAS is continuously updated with new signatures for widely used web attack tools, crawlers and penetration testing tools.
WAAS is able to enforce API security based on specifications provided in the form of Swagger or OpenAPI files. WAAS also allows an API to be defined manually, e.g. paths, allowed HTTP methods, parameter names, input types, value ranges, etc. Once the API is defined, users can choose which WAAS actions to apply to requests that do not comply with the API's expected behavior.
For further detail on configuring API protection please refer to the API Protection help page.
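As an added illustration of the positive-security API enforcement described above (example code, not Prisma Cloud's or WAAS's own implementation), the following checks a request against a small, constructed API definition covering paths, methods, parameter names, types and value ranges; the `API_SPEC` layout and the `check_request` function are assumptions.

```python
# Added example (not Prisma Cloud / WAAS code): a minimal positive-security
# API check of the kind described above. API_SPEC is a constructed, hypothetical
# definition; its field names ("type", "min", "max", "values") are assumptions.
from urllib.parse import urlsplit, parse_qs

API_SPEC = {
    "/users": {
        "GET": {"limit": {"type": "int", "min": 1, "max": 100},
                "sort": {"type": "enum", "values": {"name", "created"}}},
        "POST": {},
    },
    "/users/{id}": {"GET": {}},
}

def _match_path(path):
    """Return the methods allowed on the template matching `path` (e.g. /users/42)."""
    parts = path.rstrip("/").split("/")
    for template, methods in API_SPEC.items():
        tparts = template.split("/")
        if len(tparts) == len(parts) and all(
            t == p or (t.startswith("{") and t.endswith("}") and p)
            for t, p in zip(tparts, parts)):
            return methods
    return None

def check_request(method, url):
    """Return 'allow', or 'deny: <reason>' when the request deviates from the spec."""
    parts = urlsplit(url)
    methods = _match_path(parts.path)
    if methods is None:                      # path not defined in the API
        return "deny: unknown path"
    params = methods.get(method.upper())
    if params is None:                       # method not allowed on this path
        return "deny: method not allowed"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        rule = params.get(name)
        if rule is None:                     # parameter the API never declared
            return f"deny: unexpected parameter {name}"
        for value in values:                 # type and range checks per value
            if rule["type"] == "int":
                try:
                    n = int(value)
                except ValueError:
                    return f"deny: {name} must be an integer"
                if not rule["min"] <= n <= rule["max"]:
                    return f"deny: {name} out of range"
            elif rule["type"] == "enum" and value not in rule["values"]:
                return f"deny: {name} not in allowed values"
    return "allow"
```

In a real deployment the definition would be loaded from the OpenAPI file and the returned decision mapped to the configured WAAS action (alert, prevent, ban).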
Shellshock is a unique privilege escalation vulnerability that permits remote code execution. In unpatched versions of the bash shell interpreter, the Shellshock vulnerability lets attackers create environment variables with specially crafted values that contain code. As soon as the shell is invoked, the attacker’s code is executed.
WAAS checks for requests that are crafted to exploit the Shellshock vulnerability.
For more information about Shellshock, see CVE-2014-6271.
Malformed Request Protection
WAAS validates the structure of HTTP requests, automatically blocking those that are malformed.
Examples of malformed requests include:
- HTTP GET requests with a body.