
[WEB SECURITY] Re: [Webappsec] [WEB SECURITY] Re: Comparisons of Web Application Firewalls

 >  The session ID should be a predictable, consistent format; safe 
territory for a WAF.

Be careful here - a session id should be *un*predictable and random. I
agree that the format is normally consistent.

- Jim

>> Actually, statistically speaking:
>> we do know the problem exists Martin.
>>
>
> LOL; that's not what I meant!  Because of where a WAF sits in the mix,
> the only tool it has at its disposal is data validation.  Which means
> that when you apply it to the most emotive web app issues of the day,
> SQL injection and XSS (which are encoding failures, not validation
> failures) it is trying to solve a problem that simply doesn't exist.
>
> A WAF can actually be very good at enforcing validation, when validation
> is the problem.  For example an application that fails creatively when
> its session ID is tampered with.  The session ID should be a
> predictable, consistent format; safe territory for a WAF.
>
> But (and it is a big BUTT) a WAF is generally not so useful for general
> form fields in a site, where the usecase requires a non-alphanumeric
> character set, like a name field.  Add in multi-locale support etc, and
> I would put money on it that (like my recent F5 project), it won't be
> long before you have to cripple the user experience to stop the attack
> you are trying to prevent.
>
>
>> Now Martin, I have to go shoot off some
>> guns and fireworks and celebrate my
>> freedom from those oppressive Brits! :)
>>
>
> LOL2; we're much more reserved in our celebrations (being stuffy brits),
> but trust me; it is a landmark occasion for us too. :)
>
> Martin...
-- 
Jim Manico, Senior Application Security Engineer
jim.manico@aspectsecurity.com | jim@manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Sept 22nd-25th 2008
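Jim's correction above, as an added example that is not part of the original thread: a WAF can check that a session ID fits the agreed format, but a format check is blind to whether the value is predictable. Python; the 32-hex-character format, the counter-based `PredictableIdSource` and the `looks_sequential` audit heuristic are constructed for this example.

```python
"""Session IDs: consistent format (what a WAF can enforce) versus
unpredictable value (what only the generator can guarantee).
Added example; the 32-hex format and the counter source are constructed."""
import re
import secrets

# Assumed format for this example: exactly 32 lowercase hex characters.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def generate_session_id() -> str:
    """128 bits from the OS CSPRNG, rendered as 32 hex characters."""
    return secrets.token_hex(16)


def is_well_formed(session_id: str) -> bool:
    """The only check a WAF can safely make: does the value fit the format?"""
    return SESSION_ID_RE.fullmatch(session_id) is not None


class PredictableIdSource:
    """Constructed counter-based generator: same format, no unpredictability."""

    def __init__(self, start: int = 0) -> None:
        self._n = start

    def next_id(self) -> str:
        self._n += 1
        return f"{self._n:032x}"


def guess_next(prev_id: str) -> str:
    """What an observer of one sequential ID would expect the next one to be."""
    return f"{(int(prev_id, 16) + 1) % (1 << 128):032x}"


def looks_sequential(ids: list, max_step: int = 1000) -> bool:
    """Crude audit heuristic over a sample of issued IDs: do successive
    values differ by a small positive integer step?  True for a counter,
    false (with overwhelming probability) for CSPRNG output."""
    vals = [int(i, 16) for i in ids]
    return len(vals) > 1 and all(0 < b - a <= max_step for a, b in zip(vals, vals[1:]))


if __name__ == "__main__":
    src = PredictableIdSource()
    seq = [src.next_id() for _ in range(5)]
    rnd = [generate_session_id() for _ in range(5)]
    # Both batches pass the format check; only the audit tells them apart.
    print(all(map(is_well_formed, seq)), all(map(is_well_formed, rnd)))
    print(looks_sequential(seq), looks_sequential(rnd))
```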


