[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

From: "Sebastien Deleersnyder" <seba@xxxxxxxxxxxxxxx>
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Date: Sun, 13 Jul 2008 20:34:52 +0200
------=_NextPart_000_0015_01C8E527.E77B1E70
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi Ofer,

 

That was too quick of me below: only if in transparent bridge & non-blocking
it would be undetectable.

 

If it blocks you can probably come up with differentiating type of
attacks/probes that would fingerprint the WAF.

This will probably work best if the 'default' negative model is active.

 

Regards

 

Seba

 

  _____  

From: Ofer Shezaf [mailto:ofers@Breach.com] 
Sent: zondag 13 juli 2008 10:38
To: 'Sebastien Deleersnyder'; 'Licky Lindsay'; 'Brian Shura'
Cc: 'Jeremiah Grossman'; 'WASC Forum'
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

 

Hi Seba,

 

Probably just the wrong moment to step in when competition is discussed, but
two quick notes:

* I assume you meant it is deployed as a transparent bridge. Being inline
does not imply transparent, and is usually more detectable than out-of-line.

* Anything that blocks can be detected, as no two blocking devices would
block exactly the same.

 

~ Ofer

 

From: Sebastien Deleersnyder [mailto:seba@deleersnyder.eu] 
Sent: Saturday, July 12, 2008 9:34 AM
To: Licky Lindsay; Brian Shura
Cc: Jeremiah Grossman; WASC Forum
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

 

Lindsay,

As it is mostly deployed inline, there is no way of detecting Imperva.

Regards

Seba

-----Original Message-----
From: Licky Lindsay [mailto:noontar@gmail.com]
Sent: woensdag 9 juli 2008 15:42
To: Brian Shura
Cc: Jeremiah Grossman; WASC Forum
Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

On Mon, Jul 7, 2008 at 9:40 PM, Brian Shura <bshura@sbcglobal.net> wrote:
> W3AF has a plug-in called "detectWAF" that tries to fingerprint WAFs.
>
> It currently attempts to detect URLScan, ModSecurity, and SecureIIS.
>
> http://w3af.sourceforge.net/pluginDesc.php#detectWAF
>

Does anybody know what specifically to look for as indicator that
Imperva is being used?

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.4.7/1542 - Release Date: 9/07/2008
6:50


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.4.10/1549 - Release Date: 12/07/2008
16:31



------=_NextPart_000_0015_01C8E527.E77B1E70
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
xmlns:p=3D"urn:schemas-microsoft-com:office:powerpoint" =
xmlns:a=3D"urn:schemas-microsoft-com:office:access" =
xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" =
xmlns:s=3D"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" =
xmlns:rs=3D"urn:schemas-microsoft-com:rowset" xmlns:z=3D"#RowsetSchema" =
xmlns:b=3D"urn:schemas-microsoft-com:office:publisher" =
xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadsheet" =
xmlns:c=3D"urn:schemas-microsoft-com:office:component:spreadsheet" =
xmlns:oa=3D"urn:schemas-microsoft-com:office:activation" =
xmlns:html=3D"http://www.w3.org/TR/REC-html40"; =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/"; xmlns:D=3D"DAV:" =
xmlns:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml"; =
xmlns:ois=3D"http://schemas.microsoft.com/sharepoint/soap/ois/"; =
xmlns:dir=3D"http://schemas.microsoft.com/sharepoint/soap/directory/"; =
xmlns:ds=3D"http://www.w3.org/2000/09/xmldsig#"; =
xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp"; =
xmlns:udc=3D"http://schemas.microsoft.com/data/udc"; =
xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema"; =
xmlns:sub=3D"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/"=
 xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#"; =
xmlns:sp=3D"http://schemas.microsoft.com/sharepoint/"; =
xmlns:sps=3D"http://schemas.microsoft.com/sharepoint/soap/"; =
xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance"; =
xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile"; =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40";
xmlns:ns0=3D"http://schemas.microsoft.com/sharepoint/soap/workflow/";
xmlns:ns1=3D"http://schemas.openxmlformats.org/markup-compatibility/2006"=

xmlns:ns2=3D"http://schemas.microsoft.com/office/2004/12/omml";
xmlns:ns3=3D"http://schemas.openxmlformats.org/package/2006/relationships=
"
xmlns:ns4=3D"http://schemas.microsoft.com/exchange/services/2006/types";
xmlns:ns5=3D"http://schemas.microsoft.com/exchange/services/2006/messages=
"
xmlns:ns6=3D"urn:schemas-microsoft-com:">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>RE: [WEB SECURITY] Re: Comparisons of Web =
ApplicationFirewalls</title>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--a:link
	{mso-style-priority:99;}
span.MSOHYPERLINK
	{mso-style-priority:99;}
a:visited
	{mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
	{mso-style-priority:99;}
p
	{mso-style-priority:99;}
p.MSOLISTPARAGRAPH
	{mso-style-priority:34;}
li.MSOLISTPARAGRAPH
	{mso-style-priority:34;}
div.MSOLISTPARAGRAPH
	{mso-style-priority:34;}

 /* Font Definitions */
 @font-face
	{font-family:Batang;
	panose-1:2 3 6 0 0 1 1 1 1 1;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:"\@Batang";
	panose-1:0 0 0 0 0 0 0 0 0 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
p
	{mso-margin-top-alt:auto;
	margin-right:0cm;
	mso-margin-bottom-alt:auto;
	margin-left:0cm;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.msolistparagraph, li.msolistparagraph, div.msolistparagraph
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
span.EmailStyle19
	{mso-style-type:personal;
	font-family:Calibri;
	color:#1F497D;}
span.EmailStyle20
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:612.0pt 792.0pt;
	margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DNL link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Hi =
Ofer,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>That was too quick of me below: =
only if in
transparent bridge &amp; non-blocking it would be =
undetectable.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>If it blocks you can probably come =
up with
differentiating type of attacks/probes that would fingerprint the =
WAF.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>This will probably work best if the
'default' negative model is active.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Regards<o:p></o:p></span></font></p>=


<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Seba<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>

</span></font></div>

<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span lang=3DEN-US
style=3D'font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</spa=
n></font></b><font
size=3D2 face=3DTahoma><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:Tahoma'>
Ofer Shezaf [mailto:ofers@Breach.com] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> zondag 13 juli 2008 =
10:38<br>
<b><span style=3D'font-weight:bold'>To:</span></b> <st1:PersonName =
w:st=3D"on">'Sebastien
 Deleersnyder'</st1:PersonName>; 'Licky Lindsay'; 'Brian Shura'<br>
<b><span style=3D'font-weight:bold'>Cc:</span></b> 'Jeremiah Grossman'; =
'WASC
Forum'<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: [WEB =
SECURITY] Re:
Comparisons of Web ApplicationFirewalls</span></font><span =
lang=3DEN-US><o:p></o:p></span></p>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'>Hi =
Seba,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;<=
/o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'>Probably =
just the
wrong moment to step in when competition is discussed, but two quick =
notes:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'>* I assume =
you meant
it is deployed as a transparent bridge. Being inline does not imply
transparent, and is usually more detectable than =
out-of-line.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'>* Anything =
that
blocks can be detected, as no two blocking devices would block exactly =
the
same.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;<=
/o:p></span></font></p>

<div>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'>~ =
Ofer<o:p></o:p></span></font></p>

</div>

<p class=3DMsoNormal><font size=3D2 color=3D"#1f497d" =
face=3DCalibri><span lang=3DEN-US
style=3D'font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;<=
/o:p></span></font></p>

<div>

<div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
0cm 0cm 0cm'>

<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span lang=3DEN-US
style=3D'font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</spa=
n></font></b><font
size=3D2 face=3DTahoma><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:Tahoma'>
Sebastien Deleersnyder [mailto:seba@deleersnyder.eu] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Saturday, July 12, =
2008 9:34
AM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> Licky Lindsay; Brian =
Shura<br>
<b><span style=3D'font-weight:bold'>Cc:</span></b> Jeremiah Grossman; =
WASC Forum<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: [WEB =
SECURITY] Re:
Comparisons of Web ApplicationFirewalls<o:p></o:p></span></font></p>

</div>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p style=3D'margin-bottom:12.0pt'><font size=3D2 face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:10.0pt'>Lindsay,<br>
<br>
As it is mostly deployed inline, there is no way of detecting =
Imperva.<br>
<br>
Regards<br>
<br>
Seba<br>
<br>
-----Original Message-----<br>
From: Licky Lindsay [<a =
href=3D"mailto:noontar@gmail.com";>mailto:noontar@gmail.com</a>]<br>
Sent: woensdag 9 juli 2008 15:42<br>
To: Brian Shura<br>
Cc: Jeremiah Grossman; WASC Forum<br>
Subject: Re: [WEB SECURITY] Re: Comparisons of Web =
ApplicationFirewalls<br>
<br>
On Mon, Jul 7, 2008 at 9:40 PM, Brian Shura &lt;bshura@sbcglobal.net&gt; =
wrote:<br>
&gt; W3AF has a plug-in called &quot;detectWAF&quot; that tries to =
fingerprint
WAFs.<br>
&gt;<br>
&gt; It currently attempts to detect URLScan, ModSecurity, and =
SecureIIS.<br>
&gt;<br>
&gt; <a =
href=3D"http://w3af.sourceforge.net/pluginDesc.php#detectWAF";>http://w3af=
.sourceforge.net/pluginDesc.php#detectWAF</a><br>
&gt;<br>
<br>
Does anybody know what specifically to look for as indicator that<br>
Imperva is being used?<br>
<br>
-------------------------------------------------------------------------=
---<br>
Join us on IRC: irc.freenode.net #webappsec<br>
<br>
Have a question? Search The Web Security Mailing List Archives:<br>
<a =
href=3D"http://www.webappsec.org/lists/websecurity/archive/";>http://www.w=
ebappsec.org/lists/websecurity/archive/</a><br>
<br>
Subscribe via RSS:<br>
<a =
href=3D"http://www.webappsec.org/rss/websecurity.rss";>http://www.webappse=
c.org/rss/websecurity.rss</a>
[RSS Feed]<br>
<br>
Join WASC on LinkedIn<br>
<a =
href=3D"http://www.linkedin.com/e/gis/83336/4B20E4374DBA";>http://www.link=
edin.com/e/gis/83336/4B20E4374DBA</a><br>
<br>
No virus found in this incoming message.<br>
Checked by AVG - <a =
href=3D"http://www.avg.com";>http://www.avg.com</a><br>
Version: 8.0.138 / Virus Database: 270.4.7/1542 - Release Date: =
9/07/2008<br>
6:50<br>
<br>
<br>
-------------------------------------------------------------------------=
---<br>
Join us on IRC: irc.freenode.net #webappsec<br>
<br>
Have a question? Search The Web Security Mailing List Archives:<br>
<a =
href=3D"http://www.webappsec.org/lists/websecurity/archive/";>http://www.w=
ebappsec.org/lists/websecurity/archive/</a><br>
<br>
Subscribe via RSS:<br>
<a =
href=3D"http://www.webappsec.org/rss/websecurity.rss";>http://www.webappse=
c.org/rss/websecurity.rss</a>
[RSS Feed]<br>
<br>
Join WASC on LinkedIn<br>
<a =
href=3D"http://www.linkedin.com/e/gis/83336/4B20E4374DBA";>http://www.link=
edin.com/e/gis/83336/4B20E4374DBA</a></span></font><span
lang=3DEN-US><o:p></o:p></span></p>

</div>

</body>

</html>
<P><FONT SIZE=3D2 FACE=3D"Arial">No virus found in this incoming =
message.<BR>
Checked by AVG - http://www.avg.com<BR>
Version: 8.0.138 / Virus Database: 270.4.10/1549 - Release Date: =
12/07/2008 16:31<BR>
</FONT></P>
------=_NextPart_000_0015_01C8E527.E77B1E70--
References:
- RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
  - From: Ofer Shezaf
Prev by Date: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Next by Date: Re: [WEB SECURITY] what are the rules for SSNs?
Previous by thread: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Next by thread: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Index(es):
- Date
- Thread
Brought to you by http://www.webappsec.org
Search this site