Cloudflare’s WAF bypass via padding shows the need for defense in depth in how we write code, not just at the perimeter. Although it is a security problem, the lesson businesses can take from it applies to all code.
As security problems plague the business world while most of the workforce remains remote, no business is exempt. We’ve seen everything from corporate giants like Google to the healthcare industry affected by bad actors, whether through malware or a breach attempt. Cloudflare’s WAF is next on the list of platforms to have a weakness uncovered during penetration testing. The platform is used globally and is an integral part of many companies’ security measures. While this configuration-dependent weakness needs to be addressed by businesses that use Cloudflare’s WAF, it also highlights the need for depth in defense and in all coding.
Cloudflare is one of the best security tools you can have in your stack, and it’s inexpensive, even free for the basics. That is exactly why this vulnerability is a problem. It is a bypass-by-padding technique discovered by Swascan while doing penetration testing. According to Latest Hacking News, “Cloudflare Product Manager, Michael Tremante, advised applying rule 100048 that prevents padding attacks.” In Tremante’s statement to Swascan: “This bypass can be mitigated by turning on rule 100048. This rule now protects against padding type attacks but it is not deployed by default as it causes a large number of false positives in customer environments. It is, however, important that customers tune their WAF. We are also working on a better longer term solution.”
There are two pieces of good news here. One, Cloudflare has given a way to mitigate the vulnerability until a permanent fix is made: turn on the rule and accept the false positives if you can tolerate them. Two, we can take the lesson learned here in security and apply it to other forms of code. Layers matter. Depth is important. No single tool is the answer, but combine a few and your business is Fort Knox to hackers.
Think about it: do we, as humans, rely on any one thing to secure what we care about? Do countries have only one military force? Are military buildings, banks, financial institutions, government buildings, and the like protected by just one layer of security, one lock on one door? No. Most military forces are multi-specialty. Financial institutions keep their vaults behind several doors, encased in feet-thick steel rooms. Government buildings require you to pass a security checkpoint before you can enter. All of these also have security guards and cameras monitoring activity.
We should apply that same knowledge and technique to our business security practices. Beyond that, any software development project that involves code has layers. Data flows back and forth between those layers, and you simply cannot rely on any single tool or system in the stack to protect you or to do the job by itself. Why? Because the project is a chain that is only as strong as its weakest link, and the weakest link is where things break down. The bigger the load you put on a single link, the more likely it is to break if that link has even one defect. But if you combine that chain with other tools and layers that are all just as strong, no single link has to carry as much on its own, and a defect in one is less likely to break the whole chain.
It is crucial for any organization that uses Cloudflare WAF to enable the rule as described, because it could be the difference between keeping a secure perimeter and suffering a breach, especially if the WAF is the only line of defense. But it is just as crucial for users to understand how to use that tool, why that rule is there, and to learn from this experience. Every piece of code your business produces, at every layer, should defend itself, trust nothing, and help carry the load of the software without relying on other layers to do its work. This is especially important in security, but just as important for the proper functioning of any piece of software. And if you need help applying protections, enabling that rule, or making sure your business is properly secured, hire an expert! While you’re at it, have them review your overall security and your other products for security and fragility too.
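To make the "every layer defends itself" point concrete, here is an added example (not code from the article, Cloudflare or Swascan) that simulates a perimeter filter which only inspects a bounded prefix of the request body, next to an application layer that strictly validates its own input regardless of what the perimeter saw. The byte limit, signature list, username rule and sample inputs are all constructed for this illustration and are not Cloudflare's actual behaviour or rules.

```python
import re
from dataclasses import dataclass

# Constructed signature list for the simulated edge filter (not a real WAF ruleset).
EDGE_SIGNATURES = ("<script", "union select")


@dataclass(frozen=True)
class Verdict:
    layer: str      # which layer produced the decision ("edge" or "app")
    allowed: bool   # True if this layer let the request through
    reason: str     # human-readable explanation for the log


def edge_inspect(body: bytes, inspect_limit: int = 128) -> Verdict:
    """Simulated perimeter filter that scans only the first `inspect_limit` bytes.
    The limit is an assumption for this example: it shows why any bounded-prefix
    inspector can miss content that sits past its window."""
    window = body[:inspect_limit].decode("utf-8", errors="replace").lower()
    for sig in EDGE_SIGNATURES:
        if sig in window:
            return Verdict("edge", False, f"signature {sig!r} in inspected prefix")
    return Verdict("edge", True, "no signature in inspected prefix")


USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # constructed allow-list for the field
MAX_BODY = 1024                                 # constructed size cap


def app_validate(body: bytes) -> Verdict:
    """Application layer: size cap first, then a strict allow-list on the one
    field this endpoint accepts. It trusts nothing the perimeter decided."""
    if len(body) > MAX_BODY:
        return Verdict("app", False, f"body of {len(body)} bytes exceeds {MAX_BODY}")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return Verdict("app", False, "body is not valid UTF-8")
    if not USERNAME_RE.fullmatch(text):
        return Verdict("app", False, "username fails allow-list")
    return Verdict("app", True, "username accepted")


def handle(body: bytes) -> list[Verdict]:
    """Run the layers in order; the returned list records which layer decided."""
    verdicts = [edge_inspect(body)]
    if verdicts[0].allowed:
        verdicts.append(app_validate(body))
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: a benign username, and filler that pushes a signature
    # past the edge window so only the application layer can reject it.
    for label, body in (("benign", b"alice_01"), ("padded", b" " * 200 + b"<script>")):
        for v in handle(body):
            print(f"{label:7} {v.layer:4} allowed={v.allowed} ({v.reason})")
```

Run as a script it prints one verdict per layer; the padded body passes the edge filter but is rejected by the application's allow-list, which is the chain holding even though one link failed.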