If your application is hosted on Google Cloud serving internet traffic, consider enabling Cloud Armor. Which provides an extremely simple and easy to use way of protecting your applications against a variety of attack signatures.
While WAF rules and tuning them is beyond the scope of this post in itself If you do not know what rules you need to start with
Deny ( 403)
Allow traffic from a specific region Only , also disallow sensitive paths or specific headers
origin.region_code != '<ONLY REGION YOU WANT TRAFFIC FROM>' || request.path.contains('/<YOUR PATH>') || request.headers.contains('<DISALLOWED HEADERS')
Deny ( 403) — OWASP
evaluatePreconfiguredExpr('xss-stable') &&evaluatePreconfiguredExpr('protocolattack-stable') && evaluatePreconfiguredExpr('sqli-stable') && evaluatePreconfiguredExpr('lfi-stable') && evaluatePreconfiguredExpr('rfi-stable')
Deny (403) — OWASP
evaluatePreconfiguredExpr('sessionfixation-stable') && evaluatePreconfiguredExpr('protocolattack-stable') && evaluatePreconfiguredExpr('scannerdetection-stable')
How do I test the effectiveness of these rules
Some of the popular and easy WAF testing frameworks
docker pull wallarm/gotestwaf
docker run -v ${PWD}/reports:/app/reports --network="host" wallarm/gotestwaf --url=<Your WAF Endpoint>
Generates a report in this format. The Hosted backend is a Hello World Application serving on Flask so Application Secutity
The report generates a folder /reports/xxx.pdf , which on examination reveals that there are a bunch of false positives which got flagged and blocked while it shouldn’t have been . Which is a good place to begin
Tuning the False Positives
Correlate Cloud Armor Logs to WAF Report
Select “Logs” >> “Policy Logs”
Correlate WAF Logs to Test Execution Times
Tune the ModSec paranoia Levels
Each preconfigured rule has a sensitivity level that corresponds to a ModSecurity paranoia level. A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of generating a false positive.
Repeat tests.