Automated Testing of Web Application Firewalls

Appelt, Dennis; Nguyen, Duy Cu; Briand, Lionel

Reference : Automated Testing of Web Application Firewalls


	Document type :	Reports : Other
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Security, Reliability and Trust
	To cite this reference:	http://hdl.handle.net/10993/26231

Title :	Automated Testing of Web Application Firewalls
Language :	English
Author, co-author :	Appelt, Dennis [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Nguyen, Duy Cu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Publication date :	Mar-2016
ISBN :	978-2-87971-148-5
Report number :	TR-SnT-2016-1
Keywords :	[en] Security Testing ; Reliability ; Web Application Firewalls
Abstract :	[en] Web application firewalls (WAF) are an indispensable mechanism to protect online systems from attacks. However, the fast pace at which new kinds of attacks appear and their increasing sophistication require WAFs to be updated and tested regularly as otherwise they will be circumvented. In this paper, we focus our research on WAFs and SQL injection attacks, but the general principles and strategy could be adapted to other contexts. We present a machine learning-driven testing approach to automatically detect holes in WAFs that let SQL injection attacks bypass them. At the beginning, the approach can automatically generate diverse attacks (tests) and then submit them to a system that is protected by a WAF. Incrementally learning from the tests that are blocked or accepted by the WAF, our approach can then select tests that exhibit characteristics associated with bypassing the WAF and mutate them to efficiently generate new bypassing attacks. In the race against cyberattacks, time is vital. Being able to learn and anticipate more attacks that can circumvent a WAF in a timely manner is very important in order to quickly fix or fine-tune protection rules. We developed a tool that implements the approach and evaluated it on ModSecurity, a widely used WAF, and a proprietary WAF that protects a financial institution. Evaluation results indicate that our proposed technique is efficient at generating SQL injection attacks that can bypass a WAF and can be used to identify successful attack patterns.
Research centres :	University of Luxembourg: High Performance Computing - ULHPC ; Interdisciplinary Centre for Security, Reliability and Trust
Funders :	Fonds National de la Recherche - FnR
Target :	Researchers ; Professionals ; Students
Permalink :	http://hdl.handle.net/10993/26231
FnR project :	FnR ; FNR4800382 > Dennis Appelt > > Black-Box Security Testing for Web Applications and Services > 01/10/2012 > 30/06/2016 > 2012

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Limited access	report.pdf		Author preprint	1.48 MB	Request a copy

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices