Skip to main content

Cloud based WAF sucks more than you thought - Privacy?

In my previous post, I have described a basic diagram of WAF into any network. Now imagine if we just place WAF into a cloud and for an easy explanation,instead of reinventing the wheel, I will refer to the Sucuri’s diagram here

It is clearly stated in this diagram that Sucuri's network will protect your website against hackers who may perform injection attacks like XSS, SQL Injection, Command injection etc.
Now in real life to an end user, it is quite complicated to figure out whether there is a WAF in place or not and actually why an end user would be interested. His/Her only concern would be that their personal information should be properly taken care off while they’re visiting a website. But as an end customer how would you make sure that the information that you are providing will be taken care of and without your consent, it won’t be shared with any third party. Well it is quite a complex question, especially for the people who have nothing to do with the IT Security.
I once told my wife, whenever she needs to provide her personal or credit card information onto any website she should make sure that the target website is using HTTPS and this certifies that the website is secure and it is true upto some extent. Think about any E-Commerce website, that allows you to perform online transactions where you require to fill in tons of your personal information before you perform the transaction.
For the scope of this article, we will use  as a target of reference. Imagine if an end user visit this website and try to book a room over it. Being a user I would think that if the website is using HTTPS, it could be secure and in addition to further make sure, I will check their certificate which also looks fine as below.
A certificate generally represent the ownership, which  are actually issued by the certification authorities. 

What does HTTPS technically means?

HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, whereas Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. Or in other terms when a server and client communicate, TLS ensures that eavesdropping may not occur. I won’t go into the technical implementation of HTTPS or TLS as it is beyond the scope of this article. But one can verify the basic information of a website using an encrypted channel by clicking onto HTTPS or the lock symbol in the URL(Uniform Resource Locator) as shown above in the certificate information.
It gives following information :
  • It has been verified from a CA(Certification Authority)
  • Class of certificate
  • Type of encryption used
  • Expiry Date of certificate

Cryptography - Overview
For a brief understanding, I would like to give a small overview of cryptography. In cryptography, PKI (Public Key Infrastructure) is used to generate the public key certificates. The idea of the algorithm is based on two keys, public and the private key which are mathematically related to each other in a very complex way. Content encrypted by the sender’s private key can only be decrypted by its corresponding public key. On this basis receiver of the content can authenticate the sender by knowing that it has been sent by proper source and vice-versa.
But in any certificate, point to consider is who has issued the certificate  and against whom. There are only a handful of major CAs (Symantec, Comodo, GoDaddy etc) that accounts for almost all the issued certificates on web. So it is quite easy to trust the CAs if it is one of them.

Considering the technical implementation of HTTPS, I would assume that eavesdropping will be impossible where HTTPS is implemented, until and unless we have the private key to decrypt the entire traffic.
I noticed that this website is using HTTPS and after checking the certificate, I felt relaxed too that it must be secure and no one can see my data in transit, though they have clearly mentioned on their website that "Sucuri Verified Site". But it doesn’t mean that they can decrypt my data and can verify what’s in there.
For the testing I started with throwing some random string in their search bar, I just used a probe string mentioned by Ashar Javed Probe Stringbut all special characters were properly escaped. After crawling for some other input fields, I reached their account login page which required email and password to login. I went on to fuzzing the login page with some random values
Username : b”c<,
Password : start123
with the first payload, I have got a response that, "Please enter a valid email address. For example", with the second payload, I have got the same response back as "Invalid login or password". Now only for testing, I have tried to test the password field with some malicious characters  with a valid email address and this time I entered  null into the password field and out of my surprise I was landed onto Sucuri’s page.

Starting with a brief description, application is generally running either on an application server or a web server, depending on how it has been implemented. Now in order to raise the security, Sucuri WAF has been used but as the HTTPS has been implemented therefore Sucuri WAF has to sniff in the traffic to verify, "what could be an attack or legitimate traffic". Idea here is that the attacks should be blocked and the legit traffic shall pass through. We will not talk about the false positives here :)
Now in order properly function, Sucuri WAF should have the private key of the certificate so that it can decrypt the traffic or can eavesdrop in.
This means when I have entered the  null into password field which was even invisible to me, Sucuri has decrypted the password and identified it was a possible attack.

Few question have been arises in my mind here?
  • Imagine someone sitting behind Sucuri WAF monitoring the traffic, can see everything in clear text what is coming in
  • What about privacy of information as it is being transferred to third party
  • What about data protection laws
  • As there is no more European Safe Harbor, what about the European Clients that are using Sucuri WAF
  • Do website user's knows where their data is flowing on Web

One of the European Client where the traffic is going into the Sucuri's Cloud in Canada.
I have just used to sniff the traffic in order to identify where exactly it is going and the result was as follows:
As you can see in the above image traffic is going to a domain called "". Now you can use any of the publicly available DNS lookup tools to identify the IP. I personally like as I generally use it for other purpose as well therefore I have used it and the result was as follows: 
As now we have the IP we can use any of the e.g. "WHOIS" application to identify to whom it belongs to, I have used the inbuilt WHOIS in Linux and the result was as follows:
It is clearly visible here that the IP and the Domain belongs to Sucuri located in Canada.
Note:There are plenty of other applications as well who are using Sucuri WAF and their data is going outside EU but for the sake of the this article, I have only mentioned one out of many.


Popular posts from this blog

Splunk - Drop Down Management Dashboard for Attacks

Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on. Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services.
To start with, we will use the same lookup that we have created in my previous blog. First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows: Time Source IP Country Act…

Cloud based WAF against cyber attacks?

Target :
Alexa Global Rank : 427 Rank in India : 31 I deal with Web Application Firewalls in my daily operations and I got to know some more in the market out of which everyone claims that they are the best. Every time we talk about web application firewalls, one basic question arises, can we completely mitigate all the web related risks onto a WAF? Another question that arises in my mind is, can small and medium size businesses afford to have an in-house WAF for all their applications, I think NOT as it requires some investment, continuous maintenance and continuous WAF operations, moreover awareness about the Security, which is mostly missed. These factors evolves a new business model  "Cloud Based WAF" Why Cloud based WAF? Easy to affordMitigate risks onto third partyEasy to maintainCompliance & Governance

Hmm......Sounds very promising with the money back guarantee, 10$ per month can be cheaper than a piz…