Configuring Web Application Firewalls
Acunetix scan results can be used to configure your Web Application Firewall (WAF) to address identified vulnerabilities. Acunetix provides built-in functionality to generate export files compatible with various WAF solutions, as well as generic formats like CSV and XML. For more information, refer to Exporting Scan Results to WAFs.
This document explains how to configure WAF settings in Acunetix, how to grant the integration least-privilege permissions in AWS, how to send vulnerability data to your WAF, and how to create the AWS access keys (referred to below as key pairs) that the WAF settings require.
How to configure WAF settings
- Select WAFs from the left-side menu.
- Click + Add WAF.
- Fill in the following fields:
- Name: Enter a name to describe the WAF.
- Platform: Select AWS.
- Scope: Select CloudFront for a Web ACL that protects CloudFront distributions (these are global and are managed through the us-east-1 region), or Regional for a Web ACL that protects regional resources such as an Application Load Balancer or API Gateway stage. If Regional is set, you also need to select the Region the Web ACL was created in.
- Access Key ID and Secret Access Key: Enter your access key ID/secret access key (refer to How to create key pairs at the end of this document).
- ACL Id: Enter your AWS Web ACL ID. The ID and name are shown on the Web ACL's page in the AWS WAF console and are returned by the ListWebACLs API.
- ACL Name: Enter the name of your AWS Web ACL, exactly as it appears in AWS.
- Proxy Type: Select from the following options:
- Application Proxy Settings: Use the web proxy settings configured in your Acunetix Settings.
- No Proxy: Do not use a web proxy.
- Custom: Use custom proxy settings only for this WAF configuration. You will need to set the Address and Port where the proxy server is listening. If the proxy server requires authentication, you will also need to set the username and password.
- Select Save.
How to configure least-privilege permissions in AWS
The Acunetix WAF integration needs only three WAFv2 actions. Following the principle of least privilege, the IAM user or role whose access keys you enter in the WAF settings should be granted exactly those actions and nothing else.
Create a policy that includes only the following permissions:
- wafv2:UpdateWebACL
- wafv2:GetWebACL
- wafv2:CreateRegexPatternSet
Each permission is documented in the AWS WAFv2 API reference; in short:
- UpdateWebACL: allows updating an existing Web ACL, such as adding or modifying its rules.
- GetWebACL: allows retrieving a specified Web ACL. UpdateWebACL requires the LockToken returned by GetWebACL, which is why this read permission is needed even though the integration only writes.
- CreateRegexPatternSet: allows creating a Regex Pattern Set, which the exported rules use for their match conditions.
Here is an example of an IAM policy that grants only those permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "wafv2:UpdateWebACL",
                    "wafv2:GetWebACL",
                    "wafv2:CreateRegexPatternSet"
                ],
                "Resource": "*"
            }
        ]
    }

Note that "Resource": "*" lets this identity update every Web ACL in the account. To narrow it further, replace the wildcard with the ARN of the Web ACL you configured in Acunetix and a wildcard ARN for the regex pattern sets in the same scope, so the access keys are useless against any other Web ACL even if they leak.
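The following is an added example, not Acunetix's own code, showing how to build the scoped version of the policy above and how to audit a policy for excess privilege. It assumes the three wafv2 actions listed on this page are all the integration needs, that the AWS account ID and the Web ACL's name and ID are known (the values used are constructed placeholders), and that UpdateWebACL is also authorized against the regex pattern sets the updated ACL references (if an export is denied, the CloudTrail AccessDenied event names the resource that still needs to be allowed).

```python
"""Build and audit a least-privilege IAM policy for the Acunetix WAF integration.

Added example, not Acunetix's own code. Assumes the three wafv2 actions on this
page are all the integration needs; account ID, ACL name and ACL ID below are
constructed placeholders.
"""
import json

# The only actions the integration needs; anything else is excess privilege.
REQUIRED_ACTIONS = frozenset({
    "wafv2:GetWebACL",
    "wafv2:UpdateWebACL",
    "wafv2:CreateRegexPatternSet",
})


def _scope_prefix(scope, account_id, region=None):
    """Return 'arn:aws:wafv2:<region>:<account>:<global|regional>' for a scope.

    CloudFront-scoped WAF resources are global and addressed through us-east-1;
    regional ones belong to the region they were created in.
    """
    scope = scope.upper()
    if scope == "CLOUDFRONT":
        return f"arn:aws:wafv2:us-east-1:{account_id}:global"
    if scope == "REGIONAL":
        if not region:
            raise ValueError("REGIONAL scope requires a region")
        return f"arn:aws:wafv2:{region}:{account_id}:regional"
    raise ValueError(f"unknown scope {scope!r}")


def webacl_arn(scope, account_id, acl_name, acl_id, region=None):
    """ARN of the one Web ACL Acunetix may read and update."""
    return f"{_scope_prefix(scope, account_id, region)}/webacl/{acl_name}/{acl_id}"


def regexpatternset_arn(scope, account_id, region=None):
    """Wildcard ARN for the regex pattern sets the export creates in this scope
    (their names and IDs are not known until Acunetix creates them)."""
    return f"{_scope_prefix(scope, account_id, region)}/regexpatternset/*/*"


def build_policy(scope, account_id, acl_name, acl_id, region=None):
    """Scoped replacement for the Resource "*" policy shown on this page."""
    acl = webacl_arn(scope, account_id, acl_name, acl_id, region)
    sets = regexpatternset_arn(scope, account_id, region)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AcunetixWebACL",
                "Effect": "Allow",
                "Action": ["wafv2:GetWebACL", "wafv2:UpdateWebACL"],
                "Resource": acl,
            },
            {
                # Assumption: UpdateWebACL is also evaluated against the pattern
                # sets the updated ACL references, so allow it on those ARNs too.
                "Sid": "AcunetixRegexPatternSets",
                "Effect": "Allow",
                "Action": ["wafv2:CreateRegexPatternSet", "wafv2:UpdateWebACL"],
                "Resource": sets,
            },
        ],
    }


def audit_policy(policy):
    """Return findings for Allow statements that exceed what the integration needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action not in REQUIRED_ACTIONS:  # also catches "wafv2:*" and "*"
                findings.append(f"{sid}: action {action} is not needed by the integration")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' covers every Web ACL in the account")
    return findings


# The policy from this page, reproduced here so it can be audited.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["wafv2:UpdateWebACL", "wafv2:GetWebACL", "wafv2:CreateRegexPatternSet"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for finding in audit_policy(PAGE_POLICY):
        print("page policy:", finding)
    # Constructed placeholders: account 123456789012, regional ACL in eu-west-1.
    scoped = build_policy("REGIONAL", "123456789012", "acunetix-acl",
                          "11111111-2222-3333-4444-555555555555", region="eu-west-1")
    print(json.dumps(scoped, indent=2))
```

Running the script prints one finding for the page's policy (the wildcard Resource) and then the scoped policy, which audits clean. Paste the scoped JSON into the IAM policy editor and attach it to the dedicated user whose keys you give to Acunetix.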
Sending vulnerability data to your WAF
To mitigate vulnerabilities found during your scanning activities, you can send the relevant vulnerability data to your WAF directly from Acunetix.
- Select Vulnerabilities from the left-side menu.
- Use the checkboxes next to each vulnerability to select those you wish to mitigate.
- Select Export to and choose the WAF configuration you created earlier.
The export begins automatically. Afterwards, check the Web ACL in the AWS WAF console to confirm that the new rules are present and that their action is Block rather than Count, since a rule in Count mode only records matches and does not mitigate anything. The WAF rules are a compensating control; the vulnerability itself still needs to be fixed in the application.
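As an added example that is not part of the Acunetix product or this page, the script below checks a Web ACL after an export. It assumes the export adds rules that reference a regex pattern set, which is what the CreateRegexPatternSet and UpdateWebACL permissions listed above imply; the sample Web ACL, its rule names and its ARNs are constructed placeholders, and the live fetch_web_acl helper needs boto3 and the GetWebACL permission from the policy section.

```python
"""Verify that an Acunetix export reached the Web ACL.

Added example, not Acunetix's own code. Assumes the export adds rules that
reference a regex pattern set; the sample Web ACL below is constructed and its
rule names and ARNs are placeholders.
"""


def iter_statements(statement):
    """Yield a rule statement and every statement nested under And/Or/Not."""
    yield statement
    for key in ("AndStatement", "OrStatement"):
        for nested in statement.get(key, {}).get("Statements", []):
            yield from iter_statements(nested)
    if "NotStatement" in statement:
        yield from iter_statements(statement["NotStatement"]["Statement"])


def regex_set_rules(web_acl):
    """Map each rule name to the regex pattern set ARNs it references."""
    result = {}
    for rule in web_acl.get("Rules", []):
        arns = [s["RegexPatternSetReferenceStatement"]["ARN"]
                for s in iter_statements(rule["Statement"])
                if "RegexPatternSetReferenceStatement" in s]
        if arns:
            result[rule["Name"]] = arns
    return result


def non_blocking_rules(web_acl, rule_names):
    """Rules among rule_names whose action is not Block.

    Count mode only records matches; it does not mitigate anything.
    """
    return [r["Name"] for r in web_acl.get("Rules", [])
            if r["Name"] in rule_names and "Block" not in r.get("Action", {})]


def fetch_web_acl(name, acl_id, scope, region=None):
    """Live GetWebACL call. boto3 is imported here so the pure functions above
    run without it; CloudFront-scoped ACLs are read through us-east-1."""
    import boto3
    client = boto3.client("wafv2",
                          region_name="us-east-1" if scope == "CLOUDFRONT" else region)
    return client.get_web_acl(Name=name, Id=acl_id, Scope=scope)["WebACL"]


# Constructed sample shaped like a GetWebACL response: one managed rule group
# and one rule of the kind an export would add, still in Count mode.
REGEX_SET_ARN = ("arn:aws:wafv2:eu-west-1:123456789012:regional/"
                 "regexpatternset/acunetix-paths/aaaaaaaa-0000-0000-0000-000000000000")
SCANNER_IPSET_ARN = ("arn:aws:wafv2:eu-west-1:123456789012:regional/"
                     "ipset/scanners/bbbbbbbb-0000-0000-0000-000000000000")
SAMPLE_WEB_ACL = {
    "Name": "acunetix-acl",
    "Id": "11111111-2222-3333-4444-555555555555",
    "Rules": [
        {
            "Name": "AWS-AWSManagedRulesCommonRuleSet",
            "Priority": 0,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}},
        },
        {
            "Name": "acunetix-block-vulnerable-paths",
            "Priority": 1,
            "Statement": {"AndStatement": {"Statements": [
                {"RegexPatternSetReferenceStatement": {
                    "ARN": REGEX_SET_ARN,
                    "FieldToMatch": {"UriPath": {}},
                    "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
                {"NotStatement": {"Statement": {
                    "IPSetReferenceStatement": {"ARN": SCANNER_IPSET_ARN}}}},
            ]}},
            "Action": {"Count": {}},
        },
    ],
}

if __name__ == "__main__":
    rules = regex_set_rules(SAMPLE_WEB_ACL)
    print("rules referencing regex pattern sets:", rules)
    print("not blocking yet:", non_blocking_rules(SAMPLE_WEB_ACL, rules))
```

Against a live ACL, replace SAMPLE_WEB_ACL with fetch_web_acl(name, acl_id, scope, region) using the values from your WAF settings; the walker descends through And, Or and Not nesting so it finds the pattern set reference even when the exported rule is combined with other conditions.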
How to create key pairs in AWS
AWS calls these IAM access keys: an access key ID and a secret access key. The steps below create keys for the identity you are signed in as; for least privilege, create a dedicated IAM user with only the policy from the previous section attached and generate the keys for that user instead, so the credentials stored in Acunetix cannot do anything beyond updating the configured Web ACL.
- Login to your AWS account.
- Click on your profile name and select My Security Credentials.
- Expand the Access keys panel, then click Create New Access Key (labelled Create access key in newer versions of the console).
- Select Show Access Key.
- Take note of the Access Key ID and the Secret Access Key. The secret is shown only once; store it in a secrets manager rather than in a ticket or a shared document, rotate it periodically, and delete the key in AWS when the WAF integration is no longer used.