
RE: [WEB SECURITY] Re: [Webappsec] Comparisons of Web Application Firewalls
> Actually, statistically speaking: 
> we do know the problem exists Martin.

LOL; that's not what I meant!  Because of where a WAF sits in the mix,
the only tool it has at its disposal is data validation.  Which means
that when you apply it to the most emotive web app issues of the day,
SQL injection and XSS (which are encoding failures, not validation
failures) it is trying to solve a problem that simply doesn't exist.

A WAF can actually be very good at enforcing validation, when validation
is the problem.  For example an application that fails creatively when
its session ID is tampered with.  The session ID should be a
predictable, consistent format; safe territory for a WAF.

But (and it is a big BUTT) a WAF is generally not so useful for general
form fields in a site, where the use case requires a non-alphanumeric
character set, like a name field.  Add in multi-locale support etc., and
I would put money on it that (like my recent F5 project), it won't be
long before you have to cripple the user experience to stop the attack
you are trying to prevent.

> Now Martin, I have to go shoot off some
> guns and fireworks and celebrate my
> freedom from those oppressive Brits! :)

LOL2; we're much more reserved in our celebrations (being stuffy Brits),
but trust me; it is a landmark occasion for us too. :)

Martin...
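The two cases Martin contrasts above, as an added example that is not part of his message: a strict session-ID shape check (assumed here to be 32 lowercase hex characters) is safe territory for a validation rule, whereas an ASCII-only rule on a name field starts rejecting real users the moment multi-locale names arrive. The names and the session-ID format are constructed for illustration.

```python
import re
import unicodedata

# Assumed session-ID format: 32 lowercase hex characters. A consistent,
# predictable shape like this is exactly what a WAF can enforce safely.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def session_id_is_well_formed(value: str) -> bool:
    """True only if the cookie value matches the expected shape exactly."""
    return SESSION_ID_RE.fullmatch(value) is not None


# Naive rule for a name field: letters A-Z and spaces only. This is the
# kind of rule that "cripples the user experience" once real names show up.
NAIVE_NAME_RE = re.compile(r"[A-Za-z ]{1,64}")


def name_passes_naive_rule(value: str) -> bool:
    return NAIVE_NAME_RE.fullmatch(value) is not None


def name_passes_locale_aware_rule(value: str) -> bool:
    """Allow any Unicode letter or combining mark plus the few punctuation
    characters that genuinely occur in names; reject everything else
    (digits, control characters, markup) and enforce a length bound."""
    if not 1 <= len(value) <= 64:
        return False
    for ch in value:
        if ch in " '-.":
            continue
        category = unicodedata.category(ch)   # e.g. 'Ll', 'Lo', 'Mn'
        if not (category.startswith("L") or category.startswith("M")):
            return False
    return True


# Constructed sample inputs: one valid and one malformed session ID, and
# names from several locales that a real sign-up form would see.
SAMPLES = {
    "session_ok": "0123456789abcdef0123456789abcdef",
    "session_malformed": "not-a-session-id",
    "name_ascii": "Martin",
    "name_accented": "Jos\u00e9",
    "name_apostrophe": "O'Brien",
    "name_cjk": "\u5c71\u7530",
}


def compare_name_rules() -> dict:
    """Map each sample name to (naive verdict, locale-aware verdict)."""
    names = [k for k in SAMPLES if k.startswith("name_")]
    return {k: (name_passes_naive_rule(SAMPLES[k]),
                name_passes_locale_aware_rule(SAMPLES[k])) for k in names}
```

Running compare_name_rules() shows the naive rule rejecting three of the four legitimate names while the locale-aware rule accepts all of them, which is the trade-off the message describes.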
