Web Application FirewallWAF (웹 애플리케이션 방화벽)

# ModSecurity + OWASP Core Rule Set (CRS)
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On

# SQL Injection 탐지 (CRS 규칙 예시)
SecRule ARGS "@detectSQLi"     "id:942100,    phase:2,    block,    msg:'SQL Injection Attack Detected',    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',    severity:'CRITICAL'"

# XSS 탐지
SecRule ARGS "@detectXSS"     "id:941100,    phase:2,    block,    msg:'XSS Attack Detected'"

resource "aws_wafv2_web_acl" "main" {
  name  = "production-waf"
  scope = "REGIONAL"

  default_action { allow {} }

  # AWS 관리형 규칙: 일반 위협
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  # 속도 제한 (Rate Limiting)
  rule {
    name     = "RateLimit"
    priority = 2
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000  # 5분간 IP당 최대 요청
        aggregate_key_type = "IP"
      }
    }
    visibility_config { ... }
  }
}

우회 기법:
- 인코딩 변형: URL 인코딩, Unicode, Base64
  (%27 → ' / ' → ')
- 대소문자 혼용: sElEcT * fRoM users
- 주석 삽입: SELECT/**/password/**/FROM users
- HTTP 파라미터 오염(HPP): ?id=1&id=1 UNION SELECT

대응:
- 정규화(Normalization) 후 검사
- 다층 디코딩 처리
- 양/음성 로직 병행 (허용목록 + 차단목록)
- 행동 기반 분석 (ML WAF)