[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

From: Achim <kirke12@xxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Date: Tue, 8 Jul 2008 02:18:35 +0200 (MEST)

--503980562-739234076-1215476315=:28149
Content-Type: TEXT/PLAIN; charset=US-ASCII


Jeremiah, just thought that it is rather simple to detect some WAFs,
currently ..
Anyway, a fingerprinter would not be that bad.

How about calling Facundo as his w3af already has a "detectWAF" plugin?

{-: Achim

On Mon, 7 Jul 2008, Jeremiah Grossman wrote:
!! 
!! On Jul 7, 2008, at 3:56 PM, Achim wrote:
!! 
!! >
!! >!! Anyone want to make an open source WAF fingerprinter? :) Now would be a
!! >great
!! >!! time!
!! >
!! >LOL
!! >which WAF cannot be identified by it's cookie --which are most likely not
!! >changed in the configuration, (un)fortunatelly?
!! >
!! >  1. ModSecurity (as it doesn't use cookies ;-)
!! >  2. ..
!! >  ..
!! >
!! >
!! 
!! There should be a few ways in addition to cookies actually.
!! 
!! Some of them encrypt or sign cookies, perhaps that could be fingerprinted if
!! a consistent format could be identified. They also might respond consistently
!! with particular malformed requests differently than a web server would.
!! Response codes, length, or even an HTML error message. Some of them also
!! scrub particular data types in the response like internal IPs, credit card
!! numbers, etc. With a content spoofing vuln, these might be injected on the
!! fly to see if they magically vanish.
!! 
!! Just a few ideas. The tough part is getting a test-bed.
!! 
!! Jeremiah-
--503980562-739234076-1215476315=:28149
Content-Type: APPLICATION/octet-stream; name=1.
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.64.0807080218350.28149@tonga.securenet.de>
Content-Description: 
Content-Disposition: attachment; filename=1.



--503980562-739234076-1215476315=:28149
Content-Type: text/plain; charset=us-ascii

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
--503980562-739234076-1215476315=:28149--

Follow-Ups:
- Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
  - From: Facundo Batista

References:
- RE: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
  - From: Ernest Mueller
- Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
  - From: Jeremiah Grossman
- Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
  - From: Achim
- Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
  - From: Jeremiah Grossman

Prev by Date: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Next by Date: Re: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Previous by thread: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Next by thread: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site