WAFBOOSTER: Automatic Boosting of WAF Security Against Mutated Malicious Payloads
Cong Wu, Jing Chen, Simeng Zhu, Wenqi Feng, Ruiying Du, Yang Xiang
TL;DR
Web application firewalls face increasingly mutated payloads that bypass defenses. WAFBooster introduces a black-box, learning-based framework built around a shadow model, a GRU-based payload generator, a Levenshtein-based payload corrector, and a regex-based signature producer to automatically expose bypasses and reinforce WAF rules. Across eight real-world WAFs and three attack types, it raises the true rejection rate of mutated payloads from about $21%$ to $96%$ with zero false rejections, while reducing false acceptances relative to state-of-the-art mutations. The approach is attack-agnostic, scalable, and yields practical enhancements in WAF robustness against evolving threats.
Abstract
Web application firewall (WAF) examines malicious traffic to and from a web application via a set of security rules. It plays a significant role in securing Web applications against web attacks. However, as web attacks grow in sophistication, it is becoming increasingly difficult for WAFs to block the mutated malicious payloads designed to bypass their defenses. In response to this critical security issue, we have developed a novel learning-based framework called WAFBOOSTER, designed to unveil potential bypasses in WAF detections and suggest rules to fortify their security. Using a combination of shadow models and payload generation techniques, we can identify malicious payloads and remove or modify them as needed. WAFBOOSTER generates signatures for these malicious payloads using advanced clustering and regular expression matching techniques to repair any security gaps we uncover. In our comprehensive evaluation of eight real-world WAFs, WAFBOOSTER improved the true rejection rate of mutated malicious payloads from 21% to 96%, with no false rejections. WAFBOOSTER achieves a false acceptance rate 3X lower than state-of-the-art methods for generating malicious payloads. With WAFBOOSTER, we have taken a step forward in securing web applications against the ever-evolving threats.
