Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- From: "Rafal @ IsHackingYou" <rafal@xxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- Date: Sun, 13 Jul 2008 22:05:34 -0500
Ofer, all...
We're talking about blocking here, when the "intelligent" WAFs will silently drop packets - I challenge someone to detect a silent drop of a packet traveling across a network device...
__
Rafal M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal@ishackingyou.com
Direct: +1 (404) 606-6056
- gPGP: 0xFFC63B33
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos
From: Ofer Shezaf
Sent: Sunday, July 13, 2008 3:38 AM
To: 'Sebastien Deleersnyder' ; 'Licky Lindsay' ; 'Brian Shura'
Cc: 'Jeremiah Grossman' ; 'WASC Forum'
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Hi Seba,

Probably just the wrong moment to step in when competition is discussed, but two quick notes:
* I assume you meant it is deployed as a transparent bridge. Being inline does not imply transparent, and is usually more detectable than out-of-line.
* Anything that blocks can be detected, as no two blocking devices would block exactly the same.

~ Ofer

From: Sebastien Deleersnyder [mailto:seba@deleersnyder.eu]
Sent: Saturday, July 12, 2008 9:34 AM
To: Licky Lindsay; Brian Shura
Cc: Jeremiah Grossman; WASC Forum
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls

Lindsay,
As it is mostly deployed inline, there is no way of detecting Imperva.
Regards
Seba
-----Original Message-----
From: Licky Lindsay [mailto:noontar@gmail.com]
Sent: woensdag 9 juli 2008 15:42
To: Brian Shura
Cc: Jeremiah Grossman; WASC Forum
Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
On Mon, Jul 7, 2008 at 9:40 PM, Brian Shura <bshura@sbcglobal.net> wrote:
> W3AF has a plug-in called "detectWAF" that tries to fingerprint WAFs.
>
> It currently attempts to detect URLScan, ModSecurity, and SecureIIS.
>
> http://w3af.sourceforge.net/pluginDesc.php#detectWAF
>
Does anybody know what specifically to look for as indicator that
Imperva is being used?
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA