The scan results in both Netsparker Enterprise and Netsparker Standard can be exported as rules for WAFs.
Netsparker WAF rule generation can be achieved in two ways:
- Exporting the WAF Rule into a file – in this case, Netsparker creates a rule file
- Creating a WAF rule via the REST API – in this case, Netsparker can connect WAF applications via their Rest endpoints and authenticate them with tokens, and create a rule immediately without any import or export actions
Netsparker currently supports the following web application firewall software:
- Generating Amazon Web Application Firewall Rules from Netsparker Enterprise
- Generating Cloudflare Web Application Firewall Rules from Netsparker Enterprise
- Generating F5 Big-IP Application Security Manager WAF Rules from Netsparker Enterprise
- Generating FortiWeb Web Application Firewall Rules from Netsparker Enterprise
- Generating Imperva SecureSphere Web Application Firewall Rules from Netsparker Enterprise
- Generating ModSecurity Web Application Firewall Rules from Netsparker Enterprise
- Generating Amazon Web Application Firewall Rules from Netsparker Standard
- Generating Cloudflare Web Application Firewall Rules from Netsparker Standard
- Generating F5 Big-IP Application Security Manager WAF Rules from Netsparker Standard
- Generating FortiWeb Web Application Firewall Rules from Netsparker Standard
- Generating Imperva SecureSphere Web Application Firewall Rules from Netsparker Standard
- Generating ModSecurity Web Application Firewall Rules from Netsparker Standard
You can generate Amazon Web Services WAF rules from the Web Application Firewall tab in Netsparker Standard's Options dialog. (With ModSecurity and F5 BIG-IP ASM, rule files can be exported, so they do not have configuration fields.)
But other WAFs are integrated via a Rest API, so Netsparker needs to store connection, authentication or other information to create a WAF rule. This screenshot illustrates sample configuration fields for the AWS WAF.
Vulnerabilities and WAFs
Blocking the identified vulnerability via WAF rule generation only acts as a temporary 'band-aid' applied only at the identified vulnerable point. It is not a proper fix for the issue, but will give you time to find and eliminate the root cause of the vulnerability.
Creating a WAF rule for a Blind SQL Injection is allowed.
Creating a WAF rule for Sitemap Detection is not allowed.
It is not possible to block every vulnerability defined in Netsparker with WAF rules as some vulnerabilities may not be supported by WAFs (for example, DOM XSS cannot be blocked using a WAF). Also, some WAF rules may not have the corresponding filters to check what the vulnerable are (e.g. request body, custom headers). When that is the case for the selected vulnerability, the WAF rule button will be disabled in Netsparker.
When a custom vulnerability is being added to the Report Policy, Firewall Compatible input should be checked to determine whether the vulnerability is a WAF Rule generation compatible one.
How Netsparker Creates Rules for Vulnerabilities
Since vulnerable payloads can be used in different locations such as cookies, query strings and XML bodies for example, proper rule creation is critical. While integrating WAFs, Netsparker focused on creating rules to block only vulnerable requests. For this reason, Regex patterns are used for each vulnerability or vulnerability family. But Regex patterns may sometimes not be possible, or in some cases they may have limited use for WAFs.
For Regex pattern usage details, see the WAF document links listed above.
Where it is not possible to use Regexes, Netsparker creates rules containing the HTTP Method and Request URL. But this causes requests that do not have vulnerable inputs to be blocked. So vulnerable endpoints should be fixed as soon as possible and the WAF rule should be removed so as not to block every user.
WAF rules that do not have Regex patterns may block the requests that do not contain vulnerable inputs.
How Netsparker Creates WAF Rules Automatically
WAF Rule factories can be automatically triggered when a vulnerability is found. Web Application Firewalls can be configured to trigger only for certain vulnerability Severity Levels, or only for confirmed vulnerabilities rather than for possible vulnerabilities.
Once the Web Application Firewall is configured, users can then configure Auto WAF Rules.
This topic will explain how to configure Auto WAF Rule in Netsparker Standard.
Automatic WAF Rule Fields
This table lists and explains the fields in the Automatic WAF RUles section.
Web Application Firewall
This is a Web Application Firewall that is configured in the Options dialog.
This is the vulnerability severity level dropdown:
Select to create rules only for confirmed vulnerabilities.
How to Configure the Auto WAF Rules in Netsparker Standard
- Open Netsparker Standard.
- In the Home tab, click Scan Policy Editor. The Scan Policy Editor dialog is displayed.
- Click the Auto WAF Rules tab. The Automatic WAF Rules section is displayed.
Auto WAF Rules cannot be configured for built-in policies. Either create a new policy or clone an existing one.
- Click into the Web Application Firewall list, and from the dropdown, select an item.
- From the Severities dropdown, select one or more levels.
- If required, enable the Only Confirmed checkbox.
- Click OK.