Blog | G5 Cyber Security

WAF Detection of Malicious HTML & PHP

TL;DR

Yes, a Web Application Firewall (WAF) can block or detect crafted HTML files and obfuscated PHP scripts/shells. The effectiveness depends on the WAF’s ruleset, configuration, and the sophistication of the attack. This guide explains how to improve detection.

Detecting Malicious HTML

  1. Understand Common Attacks: Crafted HTML often uses techniques like:
    • Cross-Site Scripting (XSS): Injecting malicious JavaScript into trusted websites.
    • HTML Injection: Altering the website’s structure or content.
    • Phishing: Creating fake login forms to steal credentials.
  2. WAF Rules for HTML: Configure your WAF with rules that look for:
    • Suspicious Tags: <script>, <iframe>, <object>, <embed>. Be careful, legitimate uses exist!
    • Event Handlers: onload, onerror, onclick. Again, be cautious about false positives.
    • Encoded Characters: HTML entities such as &lt; and &gt;, which might hide malicious code.
    • External Resources: Links to untrusted domains or files.
  3. Example WAF Rule (ModSecurity):
    SecRule REQUEST_URI "@rx HTML_TAGS" "id:100,phase:2,t:lowercase,deny,msg:'Detected suspicious HTML tags'"

    (This is a simplified example: HTML_TAGS is a placeholder for your own regex of tag names. Note that REQUEST_URI covers only the request line; to inspect query and body parameters, target ARGS instead, and add t:htmlEntityDecode,t:urlDecodeUni so encoded tags are normalized before the regex runs.)

  4. Content Security Policy (CSP): Implement CSP headers to control which resources the browser is allowed to load. This significantly reduces XSS risks.
    Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.example.com;

Detecting Obfuscated PHP

  1. Understand Common Obfuscation Techniques: PHP code can be hidden using:
    • Base64 Encoding: Converting the code into a base64 string.
    • String Concatenation: Splitting strings and joining them at runtime.
    • Variable Substitution: Using variables to represent parts of the code.
    • Encryption/Compression: Encrypting or compressing the code before execution.
  2. WAF Rules for PHP: Configure your WAF with rules that look for:
    • Base64 Encoded Strings: Detect patterns of base64 encoded data within PHP files.
    • Suspicious Function Calls: eval(), exec(), system(), shell_exec(). These are often used in shells.
    • String Concatenation Patterns: Look for multiple string literals being joined together.
    • File Uploads with PHP Extensions: Carefully inspect uploaded files with .php extensions.
  3. Example WAF Rule (ModSecurity):
    SecRule REQUEST_URI "@rx base64_pattern" "id:200,phase:2,t:lowercase,deny,msg:'Detected potential base64 encoded PHP'"

    (Replace base64_pattern with a suitable regular expression. As with the HTML rule, REQUEST_URI covers only the URI; uploaded file contents travel in the request body, so inspecting them requires SecRequestBodyAccess On and a body target such as REQUEST_BODY.)

  4. File Type Validation: Ensure that files uploaded as .php are actually valid PHP code. Don’t rely solely on the file extension.
  5. Sandboxing/Virtualization: For high-risk scenarios, consider running untrusted PHP code in a sandboxed environment to limit its potential damage.
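The checks in steps 2 and 4 above, put together as a small upload scanner. This is an added example written for this post, not G5's code or a ModSecurity rule; the regexes, the 40-character base64 threshold and the sample files are assumptions made for the demonstration.

```python
import base64
import binascii
import re

# Indicators taken from the rule lists above. The regexes and thresholds are
# assumptions for this example, not G5's or ModSecurity's own code.
PHP_OPEN_TAG = re.compile(r"<\?php|<\?=", re.IGNORECASE)
SUSPICIOUS_CALL = re.compile(r"\b(eval|exec|system|shell_exec)\s*\(", re.IGNORECASE)
# A run of base64 alphabet at least 40 characters long; shorter runs are too noisy.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_php_upload(data: bytes) -> list[str]:
    """Return findings for a file uploaded with a .php extension ([] if clean)."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    # File type validation: a .php upload with no PHP open tag is not PHP.
    if not PHP_OPEN_TAG.search(text):
        findings.append("no PHP open tag: content does not match .php extension")
    # Suspicious function calls visible in the plain source.
    for m in SUSPICIOUS_CALL.finditer(text):
        findings.append(f"suspicious call {m.group(1)}() at offset {m.start()}")
    # Base64 runs: decode each one and look for PHP code hidden inside it.
    for m in BASE64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long hex digest), ignore it
        decoded = blob.decode("utf-8", errors="replace")
        if PHP_OPEN_TAG.search(decoded) or SUSPICIOUS_CALL.search(decoded):
            findings.append(f"base64 run at offset {m.start()} decodes to PHP code")
    return findings


# Constructed sample uploads (not real files).
_HIDDEN = base64.b64encode(b'<?php echo "hidden payload executed"; ?>').decode()
OBFUSCATED = f"<?php eval(base64_decode('{_HIDDEN}')); ?>".encode()
# A legitimate file may carry long base64 too (an inline PNG); it must not trip the rule.
_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()
BENIGN = f'<?php $logo = "data:image/png;base64,{_PNG}"; echo $logo; ?>'.encode()
# An HTML page renamed to .php: the extension lies about the content.
RENAMED_HTML = b"<html><body><h1>Not PHP</h1></body></html>"

if __name__ == "__main__":
    for name, sample in [("obfuscated", OBFUSCATED), ("benign", BENIGN), ("renamed", RENAMED_HTML)]:
        print(name, scan_php_upload(sample))
```

The benign file shows why a bare "long base64 string" rule is a false-positive generator: the run is decoded and only flagged when the decoded bytes look like PHP.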

Improving Detection Accuracy

  1. Regular Updates: Keep your WAF ruleset updated with the latest threat intelligence.
  2. False Positive Tuning: Carefully review and tune your WAF rules to minimize false positives (legitimate traffic being blocked).
  3. Behavioral Analysis: Some advanced WAFs use behavioral analysis to detect anomalous activity, even if it doesn’t match specific signatures.
  4. Monitoring & Logging: Enable detailed logging and monitoring of your WAF events to identify potential attacks.