[WEB SECURITY] Re: [Webappsec] [WEB SECURITY] Re: Comparisons of Web Application Firewalls
- From: Jim Manico <jim@xxxxxxxxxx>
- Subject: [WEB SECURITY] Re: [Webappsec] [WEB SECURITY] Re: Comparisons of Web Application Firewalls
- Date: Mon, 07 Jul 2008 05:48:02 -1000
Matt Presson wrote a brief and concise article on POSIX-style input
validation for internationalized applications that might be worth reviewing.
http://coding-insecurity.blogspot.com/2008/05/whitelist-input-validation-where-it.html
- Jim
> Although I think WAFs do have an important role especially when confronted
> by a mass of untrained/indifferent IT programmers tossing stuff on a Web
> site (as in our case), I'd like to note that Martin brings out one severe
> problem below - multiple locale support.
>
> All of the security community "whitelisting is a best practice" business
> pretty much hasn't kept up with the times; our site is available in eight
> languages fully and has parts in others, including dual-byte and
> "backwards" like Arabic and Hebrew. Every time some security guy does a
> presentation at us that starts off with "regexps to include [a-zA-Z1-9]" I
> think to myself "bah" and tune them out the rest of the time.
>
> So note to WAF vendors, and people working on things like
> Stinger/mod_security, the problem has become much more complex and your
> products are only useful to the degree they don't lag behind how people are
> using the Web nowadays.
>
> Frankly, though I believe in the theoretical usefulness of a WAF, we don't
> have one yet. We did one round of evals, where we basically decided to
> pass at the time because nothing was compelling (this was before F5 and
> NetScaler integrated theirs) and then we did another round of evals
> recently, where we also decided to cancel the project and do it again in a
> year hoping that the products would get better. Not naming names, but the
> major dedicated product we evalled crashed all the time and the supplier
> was unable to resolve that, and the other major product that was on a load
> balancer didn't block jack (we tested with Watchfire). We decided with
> the PCI push on our security money this year could more effectively be
> spent in other areas.
>
> Which is sad because we'd really like one to work. Our site has more than
> a hundred Web applications on it. We work to harden the more important
> ones, but no one is willing to take the time to manually characterize
> inputs etc. on the lesser ones especially the 50% of apps that are not
> under active feature development.
>
> Ernest
> ______________________
> UN-altered REPRODUCTION and DISSEMINATION of
> this IMPORTANT information is ENCOURAGED.
>
> "Martin O'Neal" <martin.oneal@corsaire.com>
> Sent by: webappsec-bounces@lists.owasp.org
> 07/07/2008 05:28 AM
>
> To: "Arian J. Evans" <arian.evans@anachronic.com>
> cc: "webappsec @OWASP" <webappsec@lists.owasp.org>, websecurity@webappsec.org
> Subject: Re: [Webappsec] [WEB SECURITY] Re: Comparisons of Web Application Firewalls
>
>> Actually, statistically speaking:
>> we do know the problem exists Martin.
>>
>
> LOL; that's not what I meant! Because of where a WAF sits in the mix,
> the only tool it has at its disposal is data validation. Which means
> that when you apply it to the most emotive web app issues of the day,
> SQL injection and XSS (which are encoding failures, not validation
> failures) it is trying to solve a problem that simply doesn't exist.
>
> A WAF can actually be very good at enforcing validation, when validation
> is the problem. For example an application that fails creatively when
> its session ID is tampered with. The session ID should be a
> predictable, consistent format; safe territory for a WAF.
>
> But (and it is a big BUTT) a WAF is generally not so useful for general
> form fields in a site, where the use case requires a non-alphanumeric
> character set, like a name field. Add in multi-locale support etc, and
> I would put money on it that (like my recent F5 project), it won't be
> long before you have to cripple the user experience to stop the attack
> you are trying to prevent.
>
>
>> Now Martin, I have to go shoot off some
>> guns and fireworks and celebrate my
>> freedom from those oppressive Brits! :)
>>
>
> LOL2; we're much more reserved in our celebrations (being stuffy brits),
> but trust me; it is a landmark occasion for us too. :)
>
> Martin...
>
>
> _______________________________________________
> Webappsec mailing list
> Webappsec@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/webappsec
>
>
--
Jim Manico, Senior Application Security Engineer
jim.manico@aspectsecurity.com | jim@manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Sept 22nd-25th 2008
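To make the validation point concrete, here is an added Python example (not code from the thread, from Matt Presson's article, or from any WAF product) contrasting the `[a-zA-Z]` style whitelist Ernest objects to with a Unicode-category whitelist for a name field, alongside the strict-format session ID check Martin calls safe territory for a WAF. The 32-hex-character session ID format and the 64-character name limit are assumptions chosen for the example.

```python
import re
import unicodedata

# Unicode general-category prefixes a name field legitimately needs: letters
# (L*) and combining marks (M*, e.g. Arabic and Hebrew vowel points).
_ALLOWED_CATEGORY_PREFIXES = ("L", "M")
# The few punctuation characters names contain; everything else is rejected.
_ALLOWED_PUNCT = frozenset(" '\u2019-.")


def ascii_name_ok(value: str) -> bool:
    """The [a-zA-Z]-only whitelist the thread complains about (for contrast)."""
    return re.fullmatch(r"[a-zA-Z]+", value) is not None


def validate_name(value: str, max_len: int = 64) -> bool:
    """Unicode-aware whitelist for a free-text name field.

    Normalises to NFKC so compatibility and decomposed forms are judged the
    same way, enforces a length limit (assumed 64), then accepts only letters,
    marks and a short punctuation list. Control, format (bidi overrides),
    symbol and other punctuation characters fall outside those categories and
    are rejected, which keeps double quotes, angle brackets, parentheses and
    semicolons out while Arabic, Hebrew and accented Latin names pass.
    """
    if not value:
        return False
    norm = unicodedata.normalize("NFKC", value)
    if len(norm) > max_len or norm != norm.strip():
        return False
    has_letter = False
    for ch in norm:
        if ch in _ALLOWED_PUNCT:
            continue
        cat = unicodedata.category(ch)
        if cat[0] not in _ALLOWED_CATEGORY_PREFIXES:
            return False
        has_letter = has_letter or cat[0] == "L"
    return has_letter


def validate_session_id(value: str) -> bool:
    """Strict-format check for a token that has no locale problem at all.

    The 32-hex-character format is an assumed example; the point is that a
    fixed, predictable format can be whitelisted exactly.
    """
    return re.fullmatch(r"[0-9A-Fa-f]{32}", value) is not None
```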