Security services like GoDaddy’s Sucuri Security not only often do a bad job of providing security, but they can also introduce other problems for those using them. One recurring issue we have run into is that these services attach caching to their cloud-based web application firewalls (WAFs), and that caching isn’t compatible with some of the websites using them.
That recently came up while we were working on a Zen Cart upgrade. In addition to the problems we had working in the admin area of the website, it was mentioned that customers were unable to complete the checkout process and were having items disappear from their shopping cart.
The people running the website had no idea what was causing the problems, which isn’t unusual in this situation. It is also understandable, since nothing visible points to caching as the cause and, as was the case here, the people running the website often don’t even know that caching has been enabled.
In this case, it involved Sucuri Security’s WAF, which had been put on the website through another GoDaddy company, Media Temple.
Sucuri Security markets the caching as a benefit of using their service, though it could be explained just as well by it lowering their costs.
While they claim it is “Built for all platforms”, the reality is that it can cause serious problems. Sucuri Security could help to avoid that by not enabling it by default, as they currently do, and by implementing basic checks to make sure it doesn’t get enabled on a website in a way that is known to be incompatible with the software running on it.
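To make concrete why a page cache in front of a shop breaks checkout, here is an added example that is not code from the original post, from Zen Cart, or from Sucuri. It models a constructed toy cart application (carts keyed on a session cookie) behind a constructed caching proxy that stores responses by method and path only, the way a generic “works for all platforms” cache does. The `cache_by_default` and `send_cache_headers` knobs are assumptions of this model: the first models a cache that stores every 200 GET unless the origin forbids it, the second models an application that marks cart pages `Cache-Control: private, no-store`. The scenario shows two symptoms of the same defect: a shopper’s own added item vanishing (a stale copy is replayed) and one shopper seeing another shopper’s cart (the copy is shared across cookies).

```python
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class CartApp:
    """Constructed stand-in for a shopping-cart application (not Zen Cart code).

    Each cart is keyed on a session cookie, so the same URL returns a
    different body for every visitor. If send_cache_headers is True the
    app marks cart pages uncacheable; otherwise it says nothing about
    caching, which is how many older shop applications behave.
    """

    def __init__(self, send_cache_headers: bool):
        self.send_cache_headers = send_cache_headers
        self.carts = {}  # session id -> list of item names

    def handle(self, method: str, path: str, headers: dict, body: str = "") -> Response:
        session = headers.get("Cookie", "").replace("session=", "", 1)
        cart = self.carts.setdefault(session, [])
        if method == "POST" and path == "/cart/add":
            cart.append(body)
            return Response(303, {"Location": "/cart"}, "")
        if method == "GET" and path == "/cart":
            resp_headers = {"Content-Type": "text/html"}
            if self.send_cache_headers:
                resp_headers["Cache-Control"] = "private, no-store"
            return Response(200, resp_headers, ",".join(cart))
        return Response(404, {}, "not found")


class CachingProxy:
    """Constructed model of a page cache bolted onto a cloud WAF.

    The cache key is (method, path) only: the Cookie header is ignored,
    so whatever was stored for /cart is replayed to every visitor.
    cache_by_default=True stores every 200 GET unless the origin sends
    no-store/private; cache_by_default=False only stores responses that
    explicitly say Cache-Control: public.
    """

    def __init__(self, origin: CartApp, cache_by_default: bool):
        self.origin = origin
        self.cache_by_default = cache_by_default
        self.store = {}  # (method, path) -> Response
        self.hits = 0

    def handle(self, method: str, path: str, headers: dict, body: str = "") -> Response:
        key = (method, path)
        if method == "GET" and key in self.store:
            self.hits += 1
            return self.store[key]  # served without ever consulting the origin
        resp = self.origin.handle(method, path, headers, body)
        cc = resp.headers.get("Cache-Control", "")
        forbidden = "no-store" in cc or "private" in cc
        explicitly_public = "public" in cc
        if (method == "GET" and resp.status == 200 and not forbidden
                and (self.cache_by_default or explicitly_public)):
            self.store[key] = resp
        return resp


def run_checkout_scenario(cache_by_default: bool, send_cache_headers: bool) -> dict:
    """Two shoppers use the cart; returns what each one sees at the end.

    A correct result is alice -> "widget,gizmo", bob -> "gadget", 0 hits.
    """
    proxy = CachingProxy(CartApp(send_cache_headers), cache_by_default)
    alice, bob = {"Cookie": "session=alice"}, {"Cookie": "session=bob"}
    proxy.handle("POST", "/cart/add", alice, "widget")
    proxy.handle("GET", "/cart", alice)                  # may get stored by the cache
    proxy.handle("POST", "/cart/add", alice, "gizmo")
    alice_sees = proxy.handle("GET", "/cart", alice).body  # stale copy hides "gizmo"
    proxy.handle("POST", "/cart/add", bob, "gadget")
    bob_sees = proxy.handle("GET", "/cart", bob).body      # shared copy shows Alice's cart
    return {"alice": alice_sees, "bob": bob_sees, "cache_hits": proxy.hits}


if __name__ == "__main__":
    for cache_by_default, send_cache_headers in [(True, False), (True, True), (False, False)]:
        print(cache_by_default, send_cache_headers, run_checkout_scenario(cache_by_default, send_cache_headers))
```

The combination `run_checkout_scenario(True, False)` is the situation described above: the application never asked to be cached, the cache stores the cart page anyway, and both shoppers end up looking at the first stored copy. Either fix on its own restores correct behaviour: the application sending `Cache-Control: private, no-store` on session-dependent pages, or the cache being opt-in rather than on by default. The second fix is the one the text argues the provider should adopt, since it does not depend on every application behind the WAF already sending the right headers.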
I have caught and addressed such problems with the Sucuri firewall. Ultimately, a WAF (Web Application Firewall)/firewall needs to be configured with exceptions to fit the use case and should be based on the platform it’s going to cater to. I think the issue is not one-sided. It’s multifaceted. One example: e-commerce platforms are typically using the PUT and DELETE HTTP methods for cart-related API calls and functions. If you follow the OWASP framework or other web application security guidelines, you will find out that the PUT and DELETE methods could be used for malicious intent, making web applications vulnerable to attacks. By default, a WAF or other security platform would allow the GET and POST HTTP methods. If there is a legitimate need to service other HTTP verbs like PUT and DELETE, they should be configured to be allowed in the WAF.
What you are describing is a rather poorly developed WAF. You should find a better solution, instead of having to add exceptions that shouldn’t be needed in the first place. But that is not really relevant to the issue here, since the problem had to do with caching implemented by the WAF, not the WAF itself.