Editor's note (Oct 2022): This post has been updated and republished on the Halo Security blog. View updated version ➝
Web Application Firewalls (WAFs) can be a key layer of defense in protecting web applications, but they do not eliminate the need for automated scanning and manual penetration testing.
Unfortunately, WAFs present several challenges that can hinder security testing engagements. For that reason, when you initiate a penetration test it’s important to add the testers to your WAF allowlist. This will permit their specific IP(s) to access the application without the WAF interfering, while still providing protection against other external network traffic.
In this post, we’ll break down the reasons why it’s so important to add testers to the allowlist, and help you understand the challenges testers may face if you do not do so.
Here are the top 5 challenges that we run into when testing an application with a WAF:
Time spent on workarounds
First off, one of the biggest challenges that WAFs present during a pentest is that they often force testers to spend time on workarounds. If the tester is prevented from accessing the site by the WAF, they’ll have to spend additional time rotating IP’s/VPN to access it.
In addition, if your WAF has rate limiting in place, the tester will be limited in the number of requests they can send, which can further extend the duration of testing.
When a tester finds an issue, they may not be able to replicate it due to interference from the WAF. In this instance, additional steps may be required to verify the issue without triggering the WAF, requiring more time from the tester.
Testers might be flagged as malicious activity
With cloud-based WAFs (Akamai, Cloudflare, etc), the asset receiving the traffic does not belong to you as the customer. If an agreement is not in place with the WAF provider with an allowlist permitting the traffic, the tester can potentially be flagged for malicious activity even if you have agreed to testing. In some cases this may result in additional costs for you and could even violate certain terms of the agreement between you and the WAF service provider.
Lack of coverage
Some WAFs may block requests to specific paths or filenames, which may prevent testing in certain parts of your application. If some areas are not deeply tested or discovered, this means that potential vulnerabilities could be missed by testers that could otherwise have been easily detected.
Testers may be further inhibited if they are using some simple payloads or polyglots to identify unusual server responses that can lead to vulnerabilities. When WAFs universally block these, it can become difficult for testers to identify key functionality of the application that warrants deeper testing.
Vulnerabilities in the WAF itself
WAF products and services, much like web and desktop applications, can suffer from security vulnerabilities themselves. Bypasses are frequently discovered and shared online, allowing certain types of malicious payloads such as cross-site scripting (XSS) to be used without triggering the WAFs protection.
For cloud-based WAFs, it’s still possible to determine the origin (or “real”) IP address of the web server. A motivated attacker may be able to discover it themselves and launch attacks that you will not be protected from. Keep in mind that malicious actors have unlimited time to spend devising ways to launch attacks and discover vulnerabilities while penetration testers are limited to the time constraints of your contract.
The bottom line is that WAFs and penetration testing do not mix together well. While it may seem that testing against the WAF would replicate the environment that an attacker would be faced with, in reality, the WAF is a hindrance that can limit accuracy and coverage and potentially leave critical issues undiscovered. With enough time, both the tester and an attacker can render it practically useless.
For this reason, we highly recommend that you add your penetration testers to your WAF allowlist prior to testing engagements. Making use of the allowlist ensures that you get accurate, verifiable results and also means that you’ll get more out of testing hours, while still maintaining your protection against outside threats.
When you work with TrustedSite, our team can help you configure your allowlist to permit our full suite of security testing services. If you’re interested in learning more about our penetration testing services, book a meeting here.