July 09, 2025
Why Penetration Testers Should Bypass WAF for Comprehensive Security Testing
Web Application Firewalls (WAFs) can hide real vulnerabilities during penetration tests, creating a false sense of security. This post explores why disabling WAFs is key to accurately assessing a web app’s true security posture.
When conducting a penetration test, one of the primary goals is to identify and exploit vulnerabilities in a system. However, web application firewalls (WAFs) can often obscure the true security posture of a web application. While WAFs are designed to protect web applications by filtering and monitoring HTTP traffic, they can also create a false sense of security. Here we will explore why penetration testers should not test web applications with a WAF enabled if the goal is a comprehensive security assessment.
Understanding WAFs
A WAF is a security solution that protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. WAFs can prevent attacks such as SQL injection, cross-site scripting (XSS) and other common web exploits. However, they are not foolproof and can be bypassed by skilled attackers with unlimited time.
The Illusion of Security
WAFs can give organizations the illusion that their web applications are secure. While WAFs can block many common attacks, they are not a substitute for secure coding practices and thorough security testing. Relying solely on a WAF can lead to complacency and a false sense of security, leaving underlying vulnerabilities unaddressed.
Over the years I have worked as a penetration tester, I have heard customers say they do not want to whitelist us and ask for something similar to a real-world test countless times. The problem with a penetration test vs. a real-world test boils down to time and cost.
In the "real world," malicious hackers have unlimited time, and you pay nothing (until you get breached, of course). If a malicious hacker encounters a WAF, they have all the time they need to find a bypass. They need to find only one attack vector to be successful.
During a penetration test, time is severely limited. The scoping process seeks to find a happy medium between providing enough time to thoroughly test the application, and a price that is acceptable to the customer. The goal is to thoroughly test the application, find as many vulnerabilities as possible and provide a report with actionable remediation advice. If pentesters had the time advantage available to the malicious hacker, the price of the pentest would be astronomical.
During a time-boxed penetration test, testers have to balance the requirement to do a thorough job against taking the time to dive deep on any one issue. If we submit a time-based SQL injection payload and notice a difference in the response time, we dive deeper to discover if the issue is exploitable and what is exposed. If we are going head-to-head with a WAF then we end up spending so much time trying to bypass it to enumerate this one issue that we sacrifice the time needed to test all the other parts of the application. This time sink results in losing the ability to test everything and could lead to other issues being overlooked.
Bypassing WAFs for Comprehensive Testing
At CDW, we use the Open Worldwide Application Security Project (OWASP) Application Security Verification Standard (ASVS) Level 1 as our standard for what constitutes a thorough web application pentest. We recommend that our engineers be given a WAF bypass initially. This allows us to test thoroughly without losing precious time while staying within the budget of our customers.
Testing with a WAF enabled should be a separate test. Vulnerabilities should be identified first through a thorough penetration test. After the vulnerabilities are remediated, they should be retested. If any finding cannot be remediated, or cannot be remediated fast enough to meet a tight schedule, then those findings should be retested with the WAF enabled to confirm that the WAF protects the application against them.
At CDW we recommend a holistic approach which results in a thorough pentest while keeping costs reasonable. Initially our pentesters should be whitelisted. Near the end of the testing window, we can notify our customer to enable the WAF or remove the whitelist of our IP address. Then we can quickly retest any critical and high severity findings. In our report we can add context related to the effectiveness of the WAF security control.
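One way a customer can implement the whitelist described above, as an added example that is not CDW's own configuration: a ModSecurity rule that switches the engine to DetectionOnly for the testers' source addresses. Instead of silently allowing the traffic, the WAF still logs every rule match, which gives the report the "would the WAF have stopped this" context mentioned above. The IP addresses, rule id and file placement are assumptions (placeholder TEST-NET-3 addresses; the rule must load before the main rule set so that it runs first).

```apache
# Added example, not CDW's or the customer's real configuration.
# Place this before the main WAF rule set (e.g. in the CRS "before" exclusion file)
# so it is evaluated before any blocking rule.
#
# For requests from the penetration testers' source IPs (placeholders below),
# put the rule engine in DetectionOnly mode: nothing is blocked, but every rule
# that would have fired is still written to the audit log, so the WAF's record
# can later be compared against the pentest findings.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10,203.0.113.11" \
    "id:1000100,phase:1,pass,nolog,\
    msg:'Pentest whitelist: WAF in detection-only mode for this source',\
    ctl:ruleEngine=DetectionOnly"

# Near the end of the testing window, comment out or delete the rule above and
# reload the WAF; the testers then retest critical and high findings with the
# WAF enforcing normally.
```

Because the rule only relaxes enforcement for the listed addresses, all other clients remain protected while the test runs.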
Bypass WAF for Holistic Security View
In conclusion, while WAFs play a crucial role in protecting web applications, they can obscure the true security posture by giving a false sense of security. To ensure a comprehensive security assessment, it is vital for penetration testers to be whitelisted and test beyond WAF protections. This approach allows them to identify and exploit vulnerabilities thoroughly without the time sink of bypassing WAFs.
By balancing thorough testing with budget constraints and incorporating WAF-enabled retesting, organizations can achieve a holistic view of their security posture and effectively safeguard their web applications.
Learn more about CDW’s Threat and Vulnerability services, including Pen Testing, Social Engineering, and Vulnerability Management, to strengthen your defenses.
Steve Campbell
CDW Team Lead - OffSec