This tweet discusses the behavior of Kotak's Web Application Firewall (WAF) and highlights an important discrepancy in its protection coverage. The WAF effectively intercepts requests before they reach the order API, demonstrating that the protection is active and working. However, the tweet points out that the IP whitelist intended to restrict access has not propagated to the order service, implying a configuration or deployment issue.

Additionally, the tweet reveals that login and websocket functionalities bypass the WAF by using different routes, which provide an alternative path that does not go through the full WAF stack. In contrast, order placement requests must go through the entire WAF stack, ensuring deeper inspection and filtering.

This situation illustrates a partial bypass, or reduced-protection, scenario: certain parts of the application (login and websocket) avoid WAF inspection entirely, so any vulnerabilities in those components are reachable without the WAF's filtering, while order placement remains fully protected. For security practitioners, this highlights the importance of verifying consistent WAF coverage across every application route and service, including alternate listeners and websocket upgrade paths, rather than assuming that protection on one route extends to all of them.
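As an added illustration of the coverage check the paragraph above calls for (this is example code written here, not code from the tweet, from Kotak, or from any WAF vendor), the block below audits a constructed edge route table for routes that skip the WAF or lack the IP allow-list, and then scans constructed backend access-log lines for requests that reached the service without a WAF marker or from an IP outside the allow-list. The route table, the middleware names `waf` and `ip_allowlist`, the log format, and the idea that the WAF stamps an `X-WAF-Inspected` value that the backend logs are all assumptions made for this example.

```python
"""Added example (not from the tweet or from Kotak): a route-coverage audit
for an edge/WAF configuration plus a log-based check for uninspected traffic.

Assumptions (hypothetical, constructed for this example):
- each route is a dict with 'path', 'kind' and an ordered 'middleware' list
  naming the protections applied at the edge;
- the WAF stamps an 'X-WAF-Inspected: 1' value on every request it inspected,
  and the backend logs that value (or '-' when it is absent).
"""
from dataclasses import dataclass, field

WAF = "waf"
IP_ALLOWLIST = "ip_allowlist"

# Constructed route table modelling the tweet's situation: login and the
# websocket feed are wired to a listener that skips the WAF, and the IP
# allow-list was never attached to the order route.
ROUTES = [
    {"path": "/api/v1/orders", "kind": "http", "middleware": ["ratelimit", WAF, "auth"]},
    {"path": "/api/v1/login", "kind": "http", "middleware": ["ratelimit", "auth"]},
    {"path": "/ws/feed", "kind": "websocket", "middleware": ["auth"]},
]

# Protections every route must carry, plus extras keyed by path prefix.
REQUIRED_ALL = {WAF}
REQUIRED_BY_PATH_PREFIX = {"/api/v1/orders": {IP_ALLOWLIST}}


@dataclass
class Gap:
    path: str
    missing: set = field(default_factory=set)


def audit_routes(routes, required_all=REQUIRED_ALL, required_by_prefix=REQUIRED_BY_PATH_PREFIX):
    """Return one Gap per route that lacks a required protection."""
    gaps = []
    for r in routes:
        have = set(r["middleware"])
        need = set(required_all)
        for prefix, extra in required_by_prefix.items():
            if r["path"].startswith(prefix):
                need |= extra
        missing = need - have
        if missing:
            gaps.append(Gap(r["path"], missing))
    return gaps


# Constructed backend access-log lines: method path status waf_marker client_ip
BACKEND_LOG = """\
POST /api/v1/orders 200 1 203.0.113.10
POST /api/v1/login 200 - 198.51.100.7
GET /ws/feed 101 - 198.51.100.7
POST /api/v1/orders 200 1 192.0.2.99
"""


def _parse(log_text):
    """Yield (path, marker, ip) for well-formed lines; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _method, path, _status, marker, ip = parts
        yield path, marker, ip


def find_uninspected(log_text):
    """Return (path, client_ip) for requests that reached the backend without
    the WAF marker: evidence of a route that bypasses inspection."""
    return [(path, ip) for path, marker, ip in _parse(log_text) if marker != "1"]


def find_allowlist_violations(log_text, allowed_ips, path_prefix="/api/v1/orders"):
    """Return order requests whose source IP is outside the intended allow-list:
    evidence that the allow-list has not propagated to the order service."""
    return [
        (path, ip)
        for path, _marker, ip in _parse(log_text)
        if path.startswith(path_prefix) and ip not in allowed_ips
    ]


if __name__ == "__main__":
    for g in audit_routes(ROUTES):
        print(f"config gap: {g.path} missing {sorted(g.missing)}")
    for path, ip in find_uninspected(BACKEND_LOG):
        print(f"uninspected request: {path} from {ip}")
    for path, ip in find_allowlist_violations(BACKEND_LOG, {"203.0.113.10"}):
        print(f"allow-list violation: {path} from {ip}")
```

Running the configuration audit against the route table is the pre-deployment check; running the two log functions against real backend logs is the runtime check that catches the case the tweet describes, where the configuration looked right at the edge but the protection never reached the service.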

Original tweet: https://twitter.com/DH2078_/status/2039262321256898713