Web Application Firewalls
The scan results in Acunetix 360 can be exported as rules for WAFs.
Acunetix 360 WAF rule generation can be achieved in two ways:
- Exporting the WAF Rule into a file – in this case, Acunetix 360 creates a rule file
- Creating a WAF rule via the REST API – in this case, Acunetix 360 can connect WAF applications via their REST API endpoints and authenticate them with tokens, and create a rule immediately without any import or export actions
Acunetix 360 currently supports the following web application firewall software:
- Generating F5 Big-IP Application Security Manager WAF Rules from Acunetix 360
- Generating ModSecurity WAF Rules from Acunetix 360
Vulnerabilities and WAFs
Blocking the identified vulnerability via WAF rule generation only acts as a temporary 'band-aid' applied only at the identified vulnerable point. It is not a proper fix for the issue, but will give you time to find and eliminate the root cause of the vulnerability.
Creating a WAF rule for a Blind SQL Injection is allowed.
Creating a WAF rule for Sitemap Detection is not allowed.
It is not possible to block every vulnerability defined in Acunetix 360 with WAF rules as some vulnerabilities may not be supported by WAFs (for example, DOM XSS cannot be blocked using a WAF). Also, some WAF rules may not have the corresponding filters to check what the vulnerable are (e.g. request body, custom headers). When that is the case for the selected vulnerability, the WAF rule button will be disabled in Acunetix 360.
When a custom vulnerability is being added to the Report Policy, Firewall Compatible input should be checked to determine whether the vulnerability is a WAF Rule generation compatible one.
How Acunetix 360 Creates Rules for Vulnerabilities
Since vulnerable payloads can be used in different locations such as cookies, query strings, and XML bodies, proper rule creation is critical. While integrating WAFs, Acunetix 360 focused on creating rules to block only vulnerable requests. For this reason, RegEx patterns are used for each vulnerability or vulnerability family. But RegEx patterns may sometimes not be possible, or in some cases, they may have limited use for WAFs.
For RegEx pattern usage details, see the WAF document links listed above.
Where it is not possible to use RegExes, Acunetix 360 creates rules containing the HTTP Method and Request URL. But this causes requests that do not have vulnerable inputs to be blocked. So vulnerable endpoints should be fixed as soon as possible and the WAF rule should be removed so as not to block every user.
WAF rules that do not have RegEx patterns may block the requests that do not contain vulnerable inputs.
How Acunetix 360 Creates WAF Rules Automatically
WAF Rule factories can be automatically triggered when a vulnerability is found. Web Application Firewalls can be configured to trigger only for certain Vulnerability Severity Levels, or only for confirmed vulnerabilities rather than for possible vulnerabilities.
Once the Web Application Firewall is configured, users can then configure Auto WAF Rules.