Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

[Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>]

On Jul 7, 2008, at 3:56 PM, Achim wrote:

> !! Anyone want to make an open source WAF fingerprinter? :) Now  
> would be a great
> !! time!
>
> LOL
> which WAF cannot be identified by it's cookie --which are most  
> likely not
> changed in the configuration, (un)fortunatelly?
>
>   1. ModSecurity (as it doesn't use cookies ;-)
>   2. ..
>   ..



There should be a few ways in addition to cookies actually.

Some of them encrypt or sign cookies, perhaps that could be  
fingerprinted if a consistent format could be identified. They also  
might respond consistently with particular malformed requests  
differently than a web server would. Response codes, length, or even  
an HTML error message. Some of them also scrub particular data types  
in the response like internal IPs, credit card numbers, etc. With a  
content spoofing vuln, these might be injected on the fly to see if  
they magically vanish.

Just a few ideas. The tough part is getting a test-bed.

Jeremiah-

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA