Understanding AWS’s Web Application Firewall for Server Protection

Amazon Web Services's (AWS) Web Application Firewall (WAF) is a firewall that helps protect your web applications (or APIs) against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives RebelMouse developers control over how traffic reaches our applications by enabling us to create security rules that block common attack patterns, such as SQL injections or cross-site scripting (XSS), and rules that filter out specific traffic patterns we have defined. These rules are regularly updated when new issues emerge as well.

With AWS WAF, we're making sure that all our sites are covered against some of the most common attacks, as defined by The Open Web Application Security Project (OWASP). The project is an online community that creates freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Possible Common Attacks

Injections: Injection flaws allow attackers to relay malicious code through an application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to back-end databases via SQL (e.g., SQL injection). Whole scripts written in Perl, Python, and other languages can be injected into poorly designed applications and executed. Any time an application uses an interpreter of any type, there is a danger of introducing an injection vulnerability.

For example, if somebody tries to inject some JavaScript into your site, we can block this automatically to avoid the insert.

Protection for Cross-Site Scripting: Cross-site scripting flaws occur when web applications include user-provided data in webpages that are sent to the browser without proper sanitization. If the data isn't properly validated or escaped, an attacker can use these vectors to embed scripts, inline frames (iframes), or other objects into the rendered page. These, in turn, can be used for a variety of malicious purposes, including stealing user credentials by using keyloggers, to install system malware. The impact of the attack is magnified if that user data persists server side in a data store, and then is delivered to a large set of other users.

Consider the example of a common, but popular, blog that accepts user comments. If user comments aren't correctly sanitized, a malicious user can embed a malicious script in the comments, such as:

The code then gets executed anytime a legitimate user loads that blog article.

Broken Access Control: This category of application flaw covers the lack of, or improper enforcement of, restrictions on what authenticated users are allowed to do. AWS WAF can filter dangerous HTTP request patterns that can indicate path traversal attempts, or remote and local file inclusion (RFI/LFI). AWS WAF validates if HTTP request components contain ../ or ://.

This helps us avoid malicious attackers exploiting vulnerabilities, including when a user can access some resource or perform some action that they are not supposed to be able to access.

How AWS WAF Protects Our Servers From Attacks

Insufficient Attack Protection: AWS WAF enforces a level of hygiene for inbound HTTP requests. Size constraint conditions help to build rules that ensure that components of HTTP requests fall within specifically defined ranges. We can use these rules to avoid processing abnormal requests. An example is to limit the size of URIs or query strings to values that make sense to our application.

In our case, we're limiting the URI and QUERY_STRING bytes.

Using Components With Known Vulnerabilities: AWS WAF filters and blocks HTTP requests to the functionality of components that are not in use in applications. This helps reduce the attack surface of those components if vulnerabilities are discovered in functionality you're not using.

AWS WAF matches URIs to filenames that end with:

  • .cfg
  • .conf
  • .config
  • .ini
  • .log
  • .bak
  • .backup

The HTTP request component:

  • URI

We're setting up a mechanism to mitigate known vulnerabilities in components that addresses the lifecycle of such components. We identify and track the dependencies of our application, as well as the dependencies of the underlying components. This way, we can monitor the processes in place to track the security of these components.

Robots.txt Crawl-Delay Directive: Aside from the AWS WAF protection mechanisms, we have also included a directive into our default robots.txt files called crawl-delay.

The crawl-delay directive is meant to communicate to crawlers to slow down crawling in order to not overload the web server. On our pages, we have it set to 0.1 seconds. This is the default setting for our robots.txt file. Clients can override the crawl-delay directive in our Layout & Design Tool, and if you have already made manual changes to your file previously, we recommend that you check and add this manually. You can also modify the crawl-delay for you.

Overall, this server protection allows us to automatically block repeated requests to our sites so that we can identify malicious attacks and block them right away. Based on what code is returned, you will be able to tell why the requests were blocked:

  • 429: Too many requests have been made.
  • 406: The status code for OWASP risks.
    • The response message will contain a code that matches a specific type of vulnerability. We use another set of codes to hide our protection logic from public users, but are able to share with you what each one means as needed. The following screenshot shows how this looks:

If you have any questions, please reach out to your account manager or email us at support@rebelmouse.com, and we'll help you solve your particular use case.

Why RebelMouse Is the Best Content Marketing Platform

RebelMouse is a unique platform and company. The company was founded on the vision that media companies would need an always-modern solution to thrive in the new connected internet, and that brands would have to behave like new media companies and use the same platforms.

Keep reading... Show less

Why Premium Creative Agencies and CTOs Choose to Develop on RebelMouse vs. WordPress and Drupal

The Intersection of Design and Development: Where Your Clients Thrive

We started RebelMouse seven years ago knowing that there was a fundamental design flaw in the world of traditional CMSs: Every instance, on every platform, had to be updated independently. It's similar to an era when users had to manage their own Microsoft Exchange Server for email. The costs of managing, maintaining, and iterating on a CMS to keep it awesome and world class is typically a $10 million-a-year endeavor. But even then, these cost-prohibitive CMSs are still behind the times.

Keep reading... Show less

Native Multivariate Testing at Scale With RebelMouse

What Differentiates Our Approach

There are many popular tools that allow you to perform experiments and A/B tests on your users — primarily Google Chrome Experiments and Optimizely. But all of these solutions are JavaScript additions to your web page that sidestep the problem of old, outdated, and clumsy CMSs. These solutions work by calling on a third-party JavaScript library that rewrites a page after it's rendered. This approach adds extra page weight and creates strange user experiences due to having to wait for everything to load and be rewritten on the fly.

At RebelMouse, we've solved this in a very elegant way. At the core level of our platform, we can natively render different layouts and track the exact differences in performance when comparing a test to your other layouts.

Keep reading... Show less

Modern E-Commerce: Blur the Line Between Content and Design

Create Modular + Reusable Design Patterns on RebelMouse

Content saturation is an industry-wide problem, and the e-commerce space is no exception given that it's filled with big brands, small Etsy stores, and everyone in between all fighting for similar audiences. The best way to fight this symptom is to understand your audience and provide them with what they want.

Keep reading... Show less

Instagram-style E-commerce Features on RebelMouse

Revolutionizing e-commerce on RebelMouse

Whether you're a brand with a blog or a media company with a site, driving purchasing behavior and building an audience that uses your content to find things they love to buy is vital. We're very proud to have built out the same functionality that everyone is now used to on Instagram, with layovers on images that lead to products with attribution.

Keep reading... Show less

Building Premium Communities and User Journeys on RebelMouse

RebelMouse is much more than just a replacement for a traditional CMS. Our platform is a tremendous community-building experience. Today's social ecosystem has given us a seemingly limitless number of premium creators who understand how to create gorgeous and relevant content that drives the growth of their own audiences. These creators and influencers are either experts in certain topics, or heavily engaged in targeted content that drives their interests. They're not only consuming the content they're passionate about, but they're contributing to the conversation, too. The new role of the editor is not just to cover the most important topics and people around their expertise, but also to invite those preferred influencers into their community and get them to participate in creating premium content.

Keep reading... Show less

Dynamic Voting: Grow Traffic and Engagement Organically

Help your audience find its voice.

Creating quality content is no longer on marketers alone. We live in a universe of creators who are willing to not only consume content that resonates, but play a role in the creation, promotion, and conversations surrounding it.

Since the start of RebelMouse, we've been on a journey to create dynamic media that is easier for content creators to curate and amplify on social. It's why we've built an online engagement platform centered around the power of communities that thrive naturally in the digital ecosystem.

Keep reading... Show less

How to Monetize Your Website in Today’s Publishing Environment

In order to define distributive publishing, we have to ask the following question: If you have quality content, but nobody sees it, does it even exist? The answer is no, because your content needs to be supported in a way that lets it move seamlessly across all channels, especially site, search, and social. But let's take this question a step further: If you can't monetize your content to generate the support it needs, how do you create quality content in the first place?

Keep reading... Show less

Making Sense of PageSpeed Insights and Core Web Vitals

Page speed and Core Web Vitals are an important piece of the SEO puzzle. Having a quick load time and passing Core Web Vitals are important factors in Google's search ranking and results. But there are multiple ways of testing your speed and vitals, and it can get very confusing to try and understand the results since different measuring tools can result in different scores.

Keep reading... Show less

Reach New Revenue Heights With RebelMouse’s Boost Spot Placement

Authentic sponsored content piques user interest and yields high rewards

Monetization has to be multifaceted. Publishers must deliver a site experience that makes the user a top priority without sacrificing the ability to generate ad revenue. After all, readers are no longer going to put up with irritating ad experiences that slow down their consumption of content. And since publishers can't rely on a few viral moments to make ends meet, successful ad campaigns must feel genuine and produce consistent returns to be effective.

The need for smart, sticky monetization methods is nothing new, but publishers and marketers alike are starting to perfect the modern ad experience better than ever before. This success is due in part to the increased use of sponsored content.

Sponsored content is the creation of content for a brand by a publisher — whether it's an article, video, listicle, or any other dynamic media — that is paid for by the brand. But here's the key: Sponsored content, when done correctly, is a valuable content experience that retains the same voice and integrity of the brand that's sponsoring the placement. This seamless integration into the natural flow of content that the publisher normally creates makes it one of the most effective ways to build site revenue. In fact, 80% of readers believe authentic content is the main factor that will drive them to follow or engage with a brand.

Keep reading... Show less

RebelMouse Q2 2021 Platform Performance Updates

Q2 of 2021 was a big quarter for the open web. Google delayed their release of SEO ranking by CrUX report, and they changed their method for Lighthouse scoring drastically. Our team was a few steps ahead of these changes, and we were able to update our platform so sites in our network had little, if any, performance interruptions.

We invested over 1,592 hours into our platform in Q2 2021 alone, and all of the sites on our platform received the benefits of these updates. To break it down into large buckets, we invested in the following key areas:

  • 538 hours dedicated to new features
  • 725 hours dedicated to improving existing features
  • 329 hours dedicated to performance and infrastructure updates

Here are the major updates that we've added to the RebelMouse platform in Q2.

Keep reading... Show less
Subscribe to Our Newsletter