An origin server is the endpoint where HTTP requests are ultimately directed to retrieve resources necessary for browsing a site or submitting data to perform actions, such as registering or updating a user's profile.
In modern web architectures, particularly those utilizing a Content Delivery Network (CDN), there is a clear distinction between origin servers (which host the original content) and edge servers (which cache and serve content closer to end users).
When a site is onboarded to the cWAF, an additional layer is introduced. The WAF is now positioned between the user and the origin server, inspecting incoming traffic for security threats. Every request passes through the WAF, where it is analyzed for potential violations, such as SQLi queries, XSS patterns, and other attack vectors. If the WAF detects suspicious or malicious traffic, it logs a security event that details the triggered attack vector.
Potential Threat and Mitigation
A major security risk arises when the origin server is exposed and can be accessed directly, as traffic essentially bypasses the WAF. In such scenarios, even if a request is clearly attempting to exploit a vulnerability, it will go unnoticed as it never passes through the WAF. This leaves the origin server open to direct attacks, effectively undermining the cWAF protection.
To prevent this, if you find your origin server is exposed, you can contact our Support Team for guidance on how to properly restrict access and ensure that all traffic is routed through the WAF.
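The usual way to restrict an origin is at the network layer (firewall or security-group rules that admit only the WAF's egress ranges), which the Support Team can advise on. As an added illustration of the same principle, not part of this article or the vendor's product, the following WSGI middleware refuses any request whose TCP peer address is outside a WAF allowlist and logs it, so a direct-to-origin attempt is at least visible instead of silently succeeding. The CIDR ranges are placeholders, not the WAF's real egress ranges; the peer check deliberately ignores X-Forwarded-For, which a direct caller can set to anything.

```python
import ipaddress
import logging

log = logging.getLogger("origin-guard")

# Placeholder ranges (documentation prefixes), NOT the WAF's real egress ranges.
# Replace with the ranges published by your WAF provider.
WAF_EGRESS_CIDRS = ["192.0.2.0/24", "2001:db8:1::/48"]


def build_allowlist(cidrs):
    """Parse CIDR strings once into network objects for fast membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_waf(peer_ip, allowlist):
    """True only if the TCP peer address lies inside a WAF egress range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:  # empty or malformed address: treat as untrusted
        return False
    return any(addr in net for net in allowlist)


class OriginGuard:
    """WSGI middleware: reject and log requests that did not arrive via the WAF."""

    def __init__(self, app, allowlist):
        self.app = app
        self.allowlist = allowlist

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer; HTTP_X_FORWARDED_FOR is ignored on purpose.
        peer = environ.get("REMOTE_ADDR", "")
        if not is_from_waf(peer, self.allowlist):
            log.warning("direct-to-origin request from %s for %s",
                        peer, environ.get("PATH_INFO", "/"))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)


def hello(environ, start_response):
    """Stand-in origin application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def handle(app, peer_ip, path="/", xff=None):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    environ = {"REMOTE_ADDR": peer_ip, "PATH_INFO": path}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    seen = {}
    app_iter = app(environ, lambda status, headers, exc_info=None: seen.setdefault("status", status))
    return seen["status"], b"".join(app_iter)


guarded = OriginGuard(hello, build_allowlist(WAF_EGRESS_CIDRS))
```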
Example use case
Let’s say a customer reports an XSS bypass, claiming that an attacker was able to access sensitive data without being blocked. An engineer investigates the issue and, after a thorough review, discovers that the origin server is not restricted. This means that traffic is not necessarily routed through the WAF, and the attack may have been a direct attempt on the origin server, which was outside the WAF's scope.
Before implementing any local security rules or further mitigation, the primary recommendation would be to restrict the origin server, ensuring that future traffic passes through the WAF. This way, malicious or suspicious requests would be logged as security events for further analysis.
#CloudWAF (formerly Incapsula)