Imperva Cyber Community

 View Only

Advanced Web Security Policies – Fundamentals of On-Prem WAF Part 5

By Ira Miga posted 07-21-2022 07:19


Advanced Web Security Policies –
Fundamentals of On-Prem WAF Part 5


A web application firewall (WAF) is a web-based security appliance that helps protect servers and websites from malicious web applications. It is a web application security solution that analyzes the content of the requests, examines their headers and responses, and then makes decisions on whether or not to allow them through.

There are several different advanced web policies that you can use to protect your website from being attacked when you're building a web application firewall.

In this post, we will examine the different types of policies that can be used with Imperva On-Premises WAF. We will start by discussing Web service-level policies where we talk about HTTP protocol validation policy, then move on to discuss Web Application-Level Policies where we talk about Web Worm policies and Anti-Scraping policies.

WAF protection Layers


As we discussed last time, there are various types of web security policies. Our first step in understanding advanced web security policies is illustrating the WAF protection layers with a simple illustration.

Using the defense model illustrated below, we can see the different protection layers within WAF.



These layers are:

  • Protocol Validation: Filters HTTP protocol violations and attacks that take advantage of the HTTP protocol. For example, an attempt to make a buffer overflow with an abnormally large header of an HTTP request.
  • Web Services (Attack Signatures): Identifies known application, platform, and network attacks. Imperva On-Prem WAF has a database of over 6500 signatures that is regularly updated by the experts at the Application Defense Center (ADC).
  • Data Leak Prevention: Detects sensitive data such as credit card data, or personally identifiable information, as it is exiting the Web site. Often this is legitimate, but sometimes it represents data leakage. On-Prem WAF can observe sensitive data exiting the application and administrators can ensure that it’s a legitimate usage of the data.
  • Application Profile: On-Prem WAF compares the actual usage of the application to the expected usage in the model to identify suspicious occurrences or suspicious user behavior.
  • Web Worm Detection: Imperva On-Prem WAF uses advanced algorithms to stop Zero-day Web application attacks.
  • Correlation Engine: event correlation and automated baselining provide On-Prem WAF with strong vertical integration and data analysis using the Correlated Attack Verification engine.

Advanced Web policies

Web application firewalls (WAFs) are an important part of your organization's security strategy. However, there is a growing need for organizations to be able to ensure that their web applications are protected from external threats, as well as from other internal sources. At Imperva, we've spent the past decade helping our customers build advanced web policies to meet these challenges.

Advanced web policies are a set of rules that provide administrators with the ability to protect websites from threats. In addition, the advanced web policy can be used to restrict access and limit access to specific resources.

Some of these policies can be used to block some types of traffic, while others can be used to allow certain types of traffic by default—for example, allowing only HTTPS connections by default.

1.    Web Service-Level Policies

Web service-level policies are used to define the behavior and interaction of a web service (or application) with its clients. An example of this policy is the HTTP protocol validation policy.

HTTP Protocol Validation Policy

Purpose: Validates a proper use of the HTTP protocol according to the RFC standard.

Prevents Protocol exploits such as

  • Buffer Overflow
  • Malicious encoding
  • HTTP smuggling
  • Illegal server operations

Imperva provides a default policy that enables strict adherence to RFC standards while allowing minor variations for specific applications.

Before the validation, Imperva On-Premises WAF normalizes the URL to provide a common basis for validation.

This includes decoding, conversion to UTF8, conversion to lower-case (if the service is configured as case insensitive), directory normalization, and so on.

The HTTP protocol validation policy provides protection against evasion techniques, such as encoding attempts.

At the service level, stopping the evasion technique is very critical.

In the case where malicious traffic is not blocked at the service level, Imperva's On-Premises WAF policies cannot provide protection as protection is evaded.

From: Main > Policies > Security, Select the HTTP/1.x Protocol Policy from the policies list view.

  • Notice expanding rules provides additional configuration parameters and information
  • Each “rule” can be enabled or disabled

2.    Web Application-Level Policies

Web Application-Level Policies are a collection of rules that are applied to all web applications within your organization. These policies look at the content of web applications and can either block malicious content or whitelist it.


Application Server Vulnerabilities:

  • Sensitive data transmitted in clear text by the application
  • Use of authentication method to the database, resulting in clear text credentials
  • Lack of transport or application layer encryption
  • Insecure network-hardware administrative interfaces
  • Weak perimeter network and firewall configurations
  • Superfluous ports open on the internal firewall
  • Lack of IPSec policies to restrict host connectivity
  • Unnecessary active services
  • Unnecessary protocols
  • Weak account and password policies
  • Unpatched servers
  • Running unnecessary services
  • Unnecessary filters and extensions

Under this category, we would look at two major policies

  1. Webworm protection layer policy
  2. Anti-scraping policy


Webworms are a type of malicious software that infects Internet hosts and spreads via email, peer-to-peer file sharing programs, and other methods.

A webworm utilizes a web server vulnerability to spread to a large number of web servers in a short time.

Some webworms utilize well-known vulnerabilities.

These worms can be easily stopped using the signature layer, as a signature for that attack probably already exists.

The real problem is with worms that utilize unknown vulnerabilities, i.e., vulnerabilities that were not published before the outbreak of the worm.

Advanced policy: Web Worm Policy

The Imperva On-Premises WAF webworms protection layer was implemented for this type of worm with no signature to identify them.

The webworms mechanism relies on Imperva On-Premises WAF’s ability to build a profile of allowed URLs on each web server.

The assumption is that webworms spread by sending a URL.

The vulnerabilities used by the worm should exist on a large number of web servers, for example, all IIS 6 servers, for the worm to spread massively.

Thus the worm must use a URL that exists on many web servers.

Only default URLs (URLs that exist by default when you install a web server or a common application on a web server) meet that criteria.

Using its learning and profiling capabilities, Imperva On-Premises WAF automatically learns the names of all default files which are being accessed by users on the protected web server.

A pre-configured list of directories (e.g. /, /scripts/, /cgi-bin/) instructs Imperva On-Premises WAF where default files are usually located.

Once the profile is ready, Imperva On-Premises WAF blocks any attempt to access a non-profiled URL on a default directory.

This way, if for example, a new worm uses an unknown vulnerability by sending an HTTP request for a URL to /scripts/page.aspx and this URL is not part of the learned profile, Imperva On-Premises WAF blocks the request, thus blocking the worm itself.

Before blocking, Imperva On-Premises WAF verifies that the request has no legitimate host value and no legitimate session ID.

The rate of false positives (i.e., blocking legitimate URLs that are part of the application) is very low as this feature only works on default directories, which are rarely used by web applications to store files.

The Web Worm policy is applied to web applications by default. Each web application can have exactly one Web Worm policy associated with it.

The rule is enabled by default and its default action is Block and the default severity is High.

From Main > Policies > Security, Select the Web Worm Policy.

When a susceptible folder (usually an executable folder) from the Susceptible Folder List is accessed, Imperva On-Premises WAF will Block if this access contains suspicious elements (for instance, an un-profiled host header).

Web Worm policy blocks Web access to the standard Web application folders, which are different for each Web server, such as Apache, IIS, and so on, on the assumption that legitimate Web users have no valid need to access these folders.

Protection is applied by 5 criteria, The 2 most important:

  1. Connections to un-profiled or blank HTTP host header
  2. Connections to a known vulnerable server directory

Website Scraping

Scraping is in simple terms the extracting of information from a website.

Website scraping is often used in market research or business intelligence applications to extract helpful market information about competitors.

A scraper site is a spam website that copies all of its content from other websites using web scraping. The purpose of creating such a site can be to collect advertising revenue or to manipulate search engine rankings by linking to other sites to improve their search engine ranking.

Advanced policy: Anti-Scraping Policy

Identifies attempts to “scrape” information from the customer's website, often used to gain business intelligence and pricing information.

In addition to standard policy parameters including Action, Followed Action, and Severity, the Anti Scraping policy uses several additional parameters that can be configured. These parameters correlate with each other to determine when scraping is taking place.

These items include:

  • Context: of the connection. Whether a single IP Address, Session, or User
  • Period of time: in seconds, and
  • Number of URLs: unique URLs that are being accessed within this context and time frame

If all of these thresholds are met, the policy is violated and an alert is generated.

From Main> Policies > Security




Imperva On-Premises WAF provides simple policies that are easy to configure, as well as advanced ones that are detailed and intricate. The advanced policies give you a high level of control over your web applications.

Related links:

Types of Web Security Policies - Fundamentals of On-Prem WAF Part 4

Application Hierarchy: Server Group, Service, Application - Fundamentals of On-Prem WAF - Part 3

SSL certificates and Ciphers - Fundamentals of On-Prem WAF - Part 2

Fundamentals of On-Premise WAF - Blog Series Pt1