Secure Your Application Using WAF

Once your application is routed through Web Application Firewall (WAF), secure your application by using the various security features offered by WAF.

You can secure your application by:

  • Configuring protection rules
  • Using Bot management
  • Adding access rules

Configure Protection Rules

You can secure the application with rules to block Cross Site Scripting (XSS) and SQL Injection (SQLi) attacks.

To configure protection rules:
  1. Sign in to the Oracle Cloud Infrastructure console.
  2. Open the navigation menu. Under Governance and Administration, go to Security and click WAF Policies.
  3. Click Protection Rules.
    A table is displayed with predefined protection rules.
  4. Use the RULE ID filter and select rules 941140 and 981300.
    The rule details are displayed on the right.
  5. Select each rule and click Block from the Actions drop-down menu.
  6. Click Publish All.
    Publishing changes on the WAF policy may take several minutes.

Verify Protection Rules

To verify whether the protection rules are working:
  1. Open the Network tab from your browser's Developer Tools page.
  2. Access the sample employee application, http://employee.<example.com>/public/, from your browser.
  3. Click New Employee and fill in the form with any sample information.
  4. Enter the following SQL Injection in the First Name field:
    SomeUser; DROP TABLE users
  5. With the browser's Network tab open, click Save on the New Employee form.
    The POST to /employees is blocked with 403 Forbidden.
  6. Run the following cURL command:
    curl -X POST http://${WAF_TARGET}/employees \
    -H 'host: employee.example.com' \
    -d '{"firstName":"Name; DROP TABLE users"}'
    The command returns a 403 error.
  7. Run a GET request by attempting Cross Site Scripting (XSS) in the query parameters on your browser address bar:
    http://employee.<example.com>/employees/?id=%3Cscript%3Ealert(%27bad%27)%3C/script%3Ein

    The browser returns the WAF block page (illustration: waf-forbidden.png).
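To repeat the verification steps from a script rather than by hand, here is an added Python example; it is not part of the tutorial. It replays the SQLi and XSS probes shown above, plus a benign control request, against the WAF target named by the WAF_TARGET environment variable, sending the tutorial's employee.example.com Host header, and reports pass/fail: the attack probes must get 403 Forbidden and the control must not. The transport is a parameter so the pass/fail logic can be exercised offline with a stub; the hostname and the WAF_TARGET variable are assumptions carried over from the tutorial.

```python
"""Replay the SQLi and XSS probes from the verification steps and confirm
that the WAF answers each with 403 Forbidden, while a benign request passes.
Added example, not part of the tutorial. WAF_TARGET and the
employee.example.com host are assumed to match the tutorial's setup; the
transport is injectable so the check logic can run offline."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Hostname the WAF policy is configured for (assumed, taken from the tutorial).
HOST = "employee.example.com"

# Probe payloads taken from the tutorial's verification steps.
SQLI_PAYLOAD = "Name; DROP TABLE users"
XSS_PAYLOAD = "<script>alert('bad')</script>in"


def build_probes(host=HOST):
    """Return the probes as (label, method, path, headers, body) tuples."""
    return [
        ("sqli-post", "POST", "/employees",
         {"host": host, "content-type": "application/json"},
         json.dumps({"firstName": SQLI_PAYLOAD}).encode()),
        ("xss-get", "GET",
         "/employees/?" + urllib.parse.urlencode({"id": XSS_PAYLOAD}),
         {"host": host}, None),
        # Control request: a benign page load must NOT be blocked.
        ("benign-get", "GET", "/public/", {"host": host}, None),
    ]


def urllib_transport(target, method, path, headers, body):
    """Send one request to the WAF front end and return the HTTP status code."""
    req = urllib.request.Request(f"http://{target}{path}", data=body,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify(target, transport=urllib_transport, probes=None):
    """Run every probe and return {label: (status, passed)}.
    Attack probes pass on 403; the benign control passes on any other status."""
    results = {}
    for label, method, path, headers, body in probes or build_probes():
        status = transport(target, method, path, headers, body)
        expect_block = not label.startswith("benign")
        results[label] = (status, (status == 403) == expect_block)
    return results


if __name__ == "__main__":
    for label, (status, ok) in verify(os.environ["WAF_TARGET"]).items():
        print(f"{label:12s} HTTP {status} {'PASS' if ok else 'FAIL'}")
```

The benign control matters as much as the two blocks: a policy that returns 403 for everything would also "pass" a check that only looks at the attack probes. Run it again after every Publish All so a rule change that accidentally broadens the block is caught immediately.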

The preceding steps trigger the WAF Block action several times. Now, return to the WAF policy details in the Oracle Cloud Infrastructure console to inspect the logs.
  1. Open the Employee Demo Policy.
  2. Click Logs.
  3. Select a date/time range that spans the time when you attempted the SQLi and XSS attacks.
  4. Identify the items with Action: Block, expand the row details on a blocked request, and then click View JSON.
  5. View the messages listed as protectionRuleDetections and other request details.
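Reading the log rows one at a time works for a handful of test requests; for a larger batch it helps to script the triage. The following added Python example (not part of the tutorial) parses an exported JSON array of WAF log entries, lists the blocked requests, and tabulates which protection rule fired under which action. The entries are constructed sample data, not real log output, and the field names (timestamp, action, httpMethod, requestUrl, clientAddress, protectionRuleDetections) follow the WAAS WafLog model as this example's author understands it; check them against what View JSON shows in your console.

```python
"""Triage an export of WAF log entries: list the blocked requests, count which
protection rules fired, and show which rule/action combinations occurred.
Added example, not part of the tutorial. The entries below are constructed
sample data, not real log output; the field names (timestamp, action,
httpMethod, requestUrl, clientAddress, protectionRuleDetections) follow the
WAAS WafLog model as the author of this example understands it and should be
checked against what View JSON shows in the console."""
import json
from collections import Counter, defaultdict

# Constructed sample export: two blocks from the tutorial's probes, one hit
# recorded while the rule was still in Detect, and one benign request.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2023-01-01T10:00:01Z", "action": "BLOCK", "httpMethod": "POST",
     "requestUrl": "/employees", "clientAddress": "203.0.113.10",
     "protectionRuleDetections": {"981300": "SQL injection (constructed text)"}},
    {"timestamp": "2023-01-01T10:00:07Z", "action": "BLOCK", "httpMethod": "GET",
     "requestUrl": "/employees/?id=%3Cscript%3E", "clientAddress": "203.0.113.10",
     "protectionRuleDetections": {"941140": "Cross-site scripting (constructed text)"}},
    {"timestamp": "2023-01-01T09:55:00Z", "action": "DETECT", "httpMethod": "POST",
     "requestUrl": "/employees", "clientAddress": "198.51.100.7",
     "protectionRuleDetections": {"981300": "SQL injection (constructed text)"}},
    {"timestamp": "2023-01-01T10:00:09Z", "action": "LOG", "httpMethod": "GET",
     "requestUrl": "/public/", "clientAddress": "203.0.113.10",
     "protectionRuleDetections": {}},
])


def load_entries(text):
    """Parse a JSON array of log entries."""
    return json.loads(text)


def blocked_requests(entries):
    """Return (timestamp, client, method, url, rule ids) for each blocked request."""
    return [
        (e["timestamp"], e.get("clientAddress"), e.get("httpMethod"),
         e.get("requestUrl"), sorted(e.get("protectionRuleDetections") or {}))
        for e in entries if e.get("action") == "BLOCK"
    ]


def actions_by_rule(entries):
    """Map rule id -> Counter of WAF actions. A rule that shows up under
    DETECT was still in detect-only mode for that traffic and is a candidate
    to switch to Block after review."""
    table = defaultdict(Counter)
    for e in entries:
        for rule_id in e.get("protectionRuleDetections") or {}:
            table[rule_id][e.get("action")] += 1
    return dict(table)


def clients_by_block_count(entries):
    """Clients ranked by number of blocked requests, most frequent first."""
    return Counter(e.get("clientAddress") for e in entries
                   if e.get("action") == "BLOCK").most_common()


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for row in blocked_requests(entries):
        print("BLOCK", *row)
    print("actions by rule:", actions_by_rule(entries))
    print("clients by blocks:", clients_by_block_count(entries))
```

The actions-by-rule table is the useful view after a change like the one above: rule 981300 appearing under both BLOCK and DETECT tells you the Block action only took effect from the time it was published, and any rule that appears only under DETECT is one you have not yet moved to Block.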

Use Bot Management

Another feature of the Oracle Cloud Infrastructure Web Application Firewall (WAF) service is its Bot management capabilities.

In many cases, non-human traffic constitutes the largest percentage of traffic to a site. While certain "good" Bots are favorable, other "bad" Bots may attempt content scraping, spamming, brute force attacks, or application layer DDoS attacks.

For example, you may want to whitelist certain well-known Bots for Search Engine Optimization (SEO) and content ranking purposes, but require verification of a human user for certain interactions. This type of scenario is easily accomplished with the WAF policy Bot management settings.

Add a CAPTCHA Challenge

One of the salient features of Bot management is CAPTCHA. The use of CAPTCHA provides a simple means of user verification that ensures human interaction, without requiring any changes to the underlying application.

To add a CAPTCHA challenge:
  1. Sign in to the Oracle Cloud Infrastructure console.
  2. Open the navigation menu. Under Governance and Administration, go to Security and click WAF Policies.
  3. Open Employee Demo Policy and click Bot Management.
  4. Click the CAPTCHA Challenge tab and then click Add CAPTCHA Challenge.
  5. Enter /public/index.html as the value in the CAPTCHA URL Path field.
  6. Leave the defaults in the remaining fields as is.
  7. Click Add and then click Publish All.
  8. After the changes are published and the WAF policy resumes in the ACTIVE state, load the page, http://employee.<example.com>/public/index.html, from your browser.
    The browser displays the CAPTCHA challenge.

After entering the correct code, you enter the website without any further challenges for a period corresponding to the Session Duration value in the challenge configuration.

Add an Access Control Rule

WAF access control provides an additional layer of security by restricting or blocking access to the data and services available within an application.

With access control, you can define rules based on request conditions including:
  • HTTP headers
  • URL patterns
  • IP addresses
  • Geolocation

In the sample Employee application, you have the ability to delete employee details from the database. You may need to restrict the use of the Delete feature for security purposes. You can create and apply an access rule to block the delete requests.

To add an access control rule:
  1. Sign in to the Oracle Cloud Infrastructure console.
  2. Open the navigation menu. Under Governance and Administration, go to Security and click WAF Policies.
  3. Open Employee Demo Policy and click Access Control.
  4. Click Add Access Rule.
  5. Enter a rule name, such as Prevent Delete.
  6. Add the following rule conditions:
    • HTTP Method is: DELETE
    • URL starts with: /employees
  7. Select the Block rule action, and then select 403 Forbidden (default option) as the Set Response Code (Block Action).
  8. Click Add Access Rule to create the rule, and then click Publish All.

After the changes are published and the WAF policy resumes in the ACTIVE state:

  1. Open the Network tab from your browser's Developer Tools page.
  2. Access the sample employee application, http://employee.<example.com>/public/, from your browser.
  3. Select an employee record, and then click the Delete button.

In the Network tab of your browser's Developer Tools section, you'll notice that WAF has intercepted this request and blocked it with a 403 Forbidden response.
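Before publishing a rule like Prevent Delete, it is worth checking its logic against the requests you expect it to block and the ones it must leave alone. The following added Python example (not part of the tutorial, and not the WAF's own rule engine) writes the rule as data and runs a small local evaluator over constructed test traffic. The rule shape and condition names (HTTP_METHOD_IS, URL_STARTS_WITH, BLOCK, SET_RESPONSE_CODE) follow the WAAS AccessRule API as this example's author understands it, and the evaluator models only those two conditions, combined with AND as the tutorial's rule requires.

```python
"""The 'Prevent Delete' access rule from the tutorial expressed as data, with a
small local evaluator to check the rule logic against sample requests before
publishing. Added example, not part of the tutorial and not the WAF's own
engine: the rule shape and condition names (HTTP_METHOD_IS, URL_STARTS_WITH,
BLOCK, SET_RESPONSE_CODE) follow the WAAS AccessRule API as the author of
this example understands it, and the evaluator only models those two
conditions, combined with AND (all conditions must match)."""
from urllib.parse import urlsplit

PREVENT_DELETE = {
    "name": "Prevent Delete",
    "criteria": [
        {"condition": "HTTP_METHOD_IS", "value": "DELETE"},
        {"condition": "URL_STARTS_WITH", "value": "/employees"},
    ],
    "action": "BLOCK",
    "blockAction": "SET_RESPONSE_CODE",
    "blockResponseCode": 403,
}


def _matches(criterion, method, url):
    """Evaluate one condition against the request method and URL."""
    cond, value = criterion["condition"], criterion["value"]
    if cond == "HTTP_METHOD_IS":
        return method.upper() == value.upper()
    if cond == "URL_STARTS_WITH":
        # Compare the path only; scheme, host and query string are not part of it.
        return urlsplit(url).path.startswith(value)
    raise ValueError(f"condition not modelled here: {cond}")


def evaluate(rule, method, url):
    """Return the response code the rule would set, or None if the request is
    not affected by this rule. Every criterion must match for it to fire."""
    if all(_matches(c, method, url) for c in rule["criteria"]):
        if rule["action"] == "BLOCK" and rule["blockAction"] == "SET_RESPONSE_CODE":
            return rule["blockResponseCode"]
    return None


# Constructed test traffic: (method, url, expected response code or None).
CASES = [
    ("DELETE", "/employees/42", 403),                                # the Delete button
    ("delete", "http://employee.example.com/employees?id=42", 403),  # method case, full URL
    ("GET", "/employees/42", None),                                  # reads stay allowed
    ("POST", "/employees", None),                                    # creates stay allowed
    ("DELETE", "/public/index.html", None),                          # other paths untouched
]


def run_cases(rule=PREVENT_DELETE, cases=CASES):
    """Return (method, url, expected, actual, ok) for every case."""
    out = []
    for method, url, expected in cases:
        actual = evaluate(rule, method, url)
        out.append((method, url, expected, actual, actual == expected))
    return out


if __name__ == "__main__":
    for method, url, expected, actual, ok in run_cases():
        print(f"{'PASS' if ok else 'FAIL'} {method:6s} {url} -> {actual}")
```

Two caveats that the local check makes visible. The rule matches the HTTP method as sent on the wire, so if the application also accepts deletes over POST (for example through a method-override header or a form field), the rule needs a matching condition for that path as well. And this evaluator does no path normalisation, so the Network tab check in the steps above, run against the published policy, remains the real test of coverage.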

The features of Oracle Cloud Infrastructure WAF discussed in this solution focus on securing a basic example application. The usage scenarios will be unique to each application, and you can configure WAF accordingly.