
RE: [WEB SECURITY] WAF "Weakening": Has anyone else witnessed this or has this already been discussed?



Right, it's best practice to mask the 50X response codes with a WAF-generated
response. If for whatever reason the web developers work on the production
site and want to see the error, they will need to be white-listed.

To handle scenario #1 I would correlate multiple 'low' severity alerts
over time from the same source into a higher severity alert, which would
trigger a block or some kind of notification.


-Sylvain @ WAF vendor
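A worked version of the correlation Sylvain describes (many 'low' severity hits from one source over time rolled up into one higher-severity alert that blocks or notifies), as an added example that is not code from the thread or from any WAF product. The alert log format, the five-in-five-minutes threshold and the block-versus-notify rule are assumptions:

```python
"""Correlate repeated low-severity WAF alerts from one source into a high-severity alert.

Added example, not code from the thread or from any WAF product. The log format,
field names, threshold and block/notify policy below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts (not real traffic): timestamp|source IP|severity|rule|parameter.
# 203.0.113.5 adds a quote to five different numeric parameters within half a minute;
# 198.51.100.7 trips the same rule twice, half an hour apart.
SAMPLE_ALERTS = """\
2009-09-22T19:00:01|203.0.113.5|low|quote_in_numeric_param|id
2009-09-22T19:00:09|203.0.113.5|low|quote_in_numeric_param|page
2009-09-22T19:00:17|203.0.113.5|low|quote_in_numeric_param|cat
2009-09-22T19:00:25|203.0.113.5|low|quote_in_numeric_param|item
2009-09-22T19:00:33|203.0.113.5|low|quote_in_numeric_param|offset
2009-09-22T19:01:40|198.51.100.7|low|quote_in_numeric_param|id
2009-09-22T19:30:00|198.51.100.7|low|quote_in_numeric_param|page
2009-09-22T19:31:00|198.51.100.7|high|sql_keyword_in_param|q
"""


def parse_alerts(text):
    """Parse the pipe-separated alert lines into dicts with a datetime under 'ts'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sev, rule, param = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "severity": sev, "rule": rule, "param": param})
    return alerts


def correlate(alerts, threshold=5, window=timedelta(minutes=5), block_params=3):
    """Slide a per-source time window over low-severity alerts and escalate on a burst.

    One escalated alert is emitted per burst; the window is cleared after firing so the
    same burst is not reported again on every following hit. Action policy (assumed):
    'block' when the burst touched at least block_params distinct parameters, which
    looks like systematic probing, otherwise 'notify'.
    """
    recent = defaultdict(deque)   # source IP -> low alerts still inside the window
    escalated = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["severity"] != "low":
            continue              # higher severities are handled by the WAF itself
        q = recent[a["src"]]
        q.append(a)
        while q and a["ts"] - q[0]["ts"] > window:
            q.popleft()           # drop hits that have aged out of the window
        if len(q) >= threshold:
            params = sorted({x["param"] for x in q})
            escalated.append({
                "src": a["src"],
                "severity": "high",
                "count": len(q),
                "first_ts": q[0]["ts"],
                "last_ts": a["ts"],
                "params": params,
                "action": "block" if len(params) >= block_params else "notify",
            })
            q.clear()
    return escalated


if __name__ == "__main__":
    for e in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(e)
```

On the sample data only 203.0.113.5 is escalated: five quote-in-numeric-parameter hits across five parameters inside 32 seconds become one high-severity alert with action 'block', while the two widely spaced hits from 198.51.100.7 stay as individual low alerts. The window and threshold are the knobs to tune against how noisy the profiler's low-severity rules are on a given site.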


-----Original Message-----
From: Neil Matatall [mailto:nmatatal@xxxxxxx] 
Sent: Tuesday, September 22, 2009 7:23 PM
To: Sylvain Gil
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] WAF "Weakening": Has anyone else witnessed
this or has this already been discussed?

Depending on the WAF, if the ' or " did cause a SQL error, the WAF would
suppress the error message and send a 200.

So it seems there are two flavors:
1) Wolf in sheep's clothing: where the attacker adds suspicious 
characters to seemingly harmless data (instead of throwing the kitchen 
sink, !@#$%^&*(), the attacker sends name=neil').
2) Tricking the profiler when the app is still in learning mode to learn
potentially malicious behavior.

For 2), you could simply throw some blatantly malicious traffic 
(cmd.exe, xp_cmdshell, ../../../etc/passwd) and monitor the response 
(not the response code!).  If you get what looks like a WAF-generated 
response, then you know you have to use strategy 1. 

Thoughts?
Neil
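A response-fingerprinting check along the lines Neil describes for flavor 2 (send blatant payloads, then judge the body rather than the status code), as an added example that is not part of the original thread or of any WAF product. The responses are constructed; the database error strings, the reference-ID normalization and the similarity cutoffs are assumptions:

```python
"""Tell a WAF-generated response from an application response by body, not status code.

Added example, not code from the thread or from any WAF product. The responses are
constructed; the error-string list, the reference-ID normalization and the
similarity cutoffs are assumptions.
"""
import difflib
import re

# Constructed: the page a benign request to the target URL returns.
BASELINE = (200, "<html><body><h1>Product 42</h1><p>Widget, $9.99</p></body></html>")

# Constructed answers to the blatant probes named in the thread, one set per scenario.
# A WAF masking errors: every probe draws the same block page, all with status 200.
WAF_MASKED = {
    "cmd.exe": (200, "<html><body>The request could not be processed. Ref 8a1f</body></html>"),
    "xp_cmdshell": (200, "<html><body>The request could not be processed. Ref 8a20</body></html>"),
    "../../../etc/passwd": (200, "<html><body>The request could not be processed. Ref 8a21</body></html>"),
}
# Nothing in front of the app: a database error leaks through on one probe.
APP_ERROR = {
    "cmd.exe": (200, "<html><body><h1>Product cmd.exe</h1><p>No such item</p></body></html>"),
    "xp_cmdshell": (500, "<html><body>java.sql.SQLException: Unclosed quotation mark</body></html>"),
    "../../../etc/passwd": (200, "<html><body><h1>Product ../../../etc/passwd</h1><p>No such item</p></body></html>"),
}
# The application handles the input itself and reflects it; nothing is masked.
APP_ECHO = {
    "cmd.exe": (200, "<html><body><h1>Product cmd.exe</h1><p>No such item</p></body></html>"),
    "xp_cmdshell": (200, "<html><body><h1>Product xp_cmdshell</h1><p>No such item</p></body></html>"),
    "../../../etc/passwd": (200, "<html><body><h1>Product ../../../etc/passwd</h1><p>No such item</p></body></html>"),
}

# Assumed list of strings that only a database layer would put in a response.
DB_ERROR_RE = re.compile(r"ODBC|JDBC|SQLException|SQL syntax|Unclosed quotation", re.I)


def normalize(body):
    """Lower-case and blank out hex reference IDs so per-request tickets do not break comparison."""
    return re.sub(r"\b[0-9a-f]{4,}\b", "#", body.lower())


def similarity(a, b):
    """Ratio in [0, 1] of how alike two normalized bodies are."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(probe_responses, baseline):
    """Return 'app_error', 'app_answered' or 'waf_generated' for a set of probe responses.

    Status codes are deliberately not consulted: a WAF that masks errors can answer
    everything with 200, which is exactly the case the thread describes.
    """
    bodies = [body for _, body in probe_responses.values()]
    # A database error string means the application answered and nothing masked it.
    if any(DB_ERROR_RE.search(b) for b in bodies):
        return "app_error"
    # A reflected payload means the application processed the request.
    if any(payload in body for payload, (_, body) in probe_responses.items()):
        return "app_answered"
    # Unrelated payloads all drawing one near-identical page that is not the normal
    # page is the signature of a WAF-generated response.
    pairs = [similarity(bodies[i], bodies[j])
             for i in range(len(bodies)) for j in range(i + 1, len(bodies))]
    far_from_baseline = max(similarity(b, baseline[1]) for b in bodies) < 0.8
    if pairs and min(pairs) >= 0.9 and far_from_baseline:
        return "waf_generated"
    return "app_answered"


if __name__ == "__main__":
    for name, probes in (("WAF_MASKED", WAF_MASKED), ("APP_ERROR", APP_ERROR), ("APP_ECHO", APP_ECHO)):
        print(name, "->", classify(probes, BASELINE))
```

The WAF_MASKED set answers 200 to every probe, so a check on the status code alone would learn nothing; the bodies identify it. A 'waf_generated' verdict is, in Neil's terms, the cue that strategy 1 is the one left, and from the defender's side it is the same comparison a monitoring script can run against its own block page to confirm the masking is actually in effect.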

Sylvain Gil wrote:
> Hi Neil,
>
> It could also be a way to test the app for SQL errors while staying
> under the radar.
>
> If you get a 500 response code with an ODBC/JDBC error message by adding
> a ' or " to a parameter then there is a good chance something is rotten
> in the code. At the same time it's unlikely that a WAF will scream SQL
> injection just because of the added characters, at most the attacker
> only triggered 'low' severity violations.
>
> If that's what it is then I'd call this yet another recon technique.
>
> -Sylvain @ WAF vendor
>
>
> -----Original Message-----
> From: Neil Matatall [mailto:nmatatal@xxxxxxx] 
> Sent: Monday, September 21, 2009 8:26 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] WAF "Weakening": Has anyone else witnessed this
> or has this already been discussed?
>
> I noticed some odd traffic in which single and double quotes were being
> added to common parameters, most of which were numeric.  This activity
> covered many hosts and came from a few unique IP addresses.  The
> paranoid side of me says that someone may be gearing up for an attack by
> trying to trick the operator into lessening the restrictions placed on
> URL/params during the profiling period.
>
> Has anyone else experienced this either currently or in the past?  If 
> so, did any targeted attacks take place?
>
> Is there a term for this?
>
> Neil
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
>   

Brought to you by http://www.webappsec.org