RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- From: "Ofer Shezaf" <ofers@xxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
- Date: Mon, 14 Jul 2008 12:44:50 -0600
Actually you can, not by detecting the drop, but rather by checking for
what's blocked and what isn't. I am not suggesting you need to find
vulnerabilities in a WAF for that, but there are many grey areas in which
one WAF would block and another would not. To be fair, those are many times
user controlled by policy, so that kind of fingerprinting can be subverted
by a WAF user.
~ Ofer
From: Rafal @ IsHackingYou [mailto:rafal@ishackingyou.com]
Sent: Sunday, July 13, 2008 11:06 PM
To: WASC Forum
Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Ofer, all...
We're talking about blocking here, when the "intelligent" WAFs will
silently drop packets - I challenge someone to detect a silent drop of a
packet traveling across a network device...
__
Rafal M. Los
IT Security - Response | Mitigation | Strategy
E-mail: rafal@ishackingyou.com
Direct: +1 (404) 606-6056
- gPGP: 0xFFC63B33
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos
From: Ofer Shezaf <mailto:ofers@breach.com>
Sent: Sunday, July 13, 2008 3:38 AM
To: 'Sebastien Deleersnyder' <mailto:seba@deleersnyder.eu>; 'Licky Lindsay'
<mailto:noontar@gmail.com>; 'Brian Shura' <mailto:bshura@sbcglobal.net>
Cc: 'Jeremiah Grossman' <mailto:jeremiah@whitehatsec.com>; 'WASC Forum'
<mailto:websecurity@webappsec.org>
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Hi Seba,
Probably just the wrong moment to step in when competition is discussed, but
two quick notes:
* I assume you meant it is deployed as a transparent bridge. Being inline
does not imply transparent, and is usually more detectable than out-of-line.
* Anything that blocks can be detected, as no two blocking devices would
block exactly the same.
~ Ofer
From: Sebastien Deleersnyder [mailto:seba@deleersnyder.eu]
Sent: Saturday, July 12, 2008 9:34 AM
To: Licky Lindsay; Brian Shura
Cc: Jeremiah Grossman; WASC Forum
Subject: RE: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
Lindsay,
As it is mostly deployed inline, there is no way of detecting Imperva.
Regards
Seba
-----Original Message-----
From: Licky Lindsay [mailto:noontar@gmail.com]
Sent: Wednesday, 9 July 2008 15:42
To: Brian Shura
Cc: Jeremiah Grossman; WASC Forum
Subject: Re: [WEB SECURITY] Re: Comparisons of Web ApplicationFirewalls
On Mon, Jul 7, 2008 at 9:40 PM, Brian Shura <bshura@sbcglobal.net> wrote:
> W3AF has a plug-in called "detectWAF" that tries to fingerprint WAFs.
>
> It currently attempts to detect URLScan, ModSecurity, and SecureIIS.
>
> http://w3af.sourceforge.net/pluginDesc.php#detectWAF
>
Does anybody know what specifically to look for as indicator that
Imperva is being used?
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA