Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- From: "Rafal @ IsHackingYou" <rafal@xxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- Date: Mon, 7 Jul 2008 23:03:04 -0500
Jeremiah - although I typically agree with your thought process, here I
would have to say that these features you're describing would ordinarily be
configurable, in any device that's worth its weight in soot anyway, so that
may be a little sketchy. Although... on the other side of that coin... a
lot of administrators are plugging and forgetting so... this may still be
valid but we'd have to recognize it would be valid on a subset of the
whole... worth the time if someone wants to build it. Sadly, I wish I had
the time...
__
Rafal M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal@xxxxxxxxxxxxxxxx
Direct: +1 (404) 606-6056
- gPGP: 0xFFC63B33
- Blog: http://preachsecurity.blogspot.com
- Web: http://www.ishackingyou.com
- LinkedIn: http://www.linkedin.com/in/rmlos
--------------------------------------------------
From: "Jeremiah Grossman" <jeremiah@xxxxxxxxxxxxxxx>
Sent: Monday, July 07, 2008 6:25 PM
To: "Achim" <kirke12@xxxxxxxxxxxx>
Cc: "WASC Forum" <websecurity@xxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
On Jul 7, 2008, at 3:56 PM, Achim wrote:
!! Anyone want to make an open source WAF fingerprinter? :) Now would be
!! a great time!
LOL
which WAF cannot be identified by its cookie --which are most likely not
changed in the configuration, (un)fortunately?
1. ModSecurity (as it doesn't use cookies ;-)
2. ..
..
There should be a few ways in addition to cookies actually.
Some of them encrypt or sign cookies, perhaps that could be fingerprinted
if a consistent format could be identified. They also might respond
consistently with particular malformed requests differently than a web
server would. Response codes, length, or even an HTML error message. Some
of them also scrub particular data types in the response like internal
IPs, credit card numbers, etc. With a content spoofing vuln, these might
be injected on the fly to see if they magically vanish.
Just a few ideas. The tough part is getting a test-bed.
Jeremiah-
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org