A presentation and demonstration of issues that apply to web application firewalls (WAFs). It covers how easy it is to fingerprint some WAFs and how they can be bypassed. Finally, it covers how they can be used against your organization if they get compromised.
PT Consultant at Trustwave's SpiderLabs
Over 7 years in the security industry
Vulnerability discovery: Webmails, AP, Citrix, etc
Spoke in YSTS 2.0, Defcon 16, H2HC and others
Affiliated to Hackaholic team
Friday, 4 December 2009
OWASP 3
$ whois SandroGauci
Founder and CSO EnableSecurity
From .mt
Security software
Whitelist based
Learning mode to create a security policy of known “good” HTTP traffic
Known as dynamic profiling technology by some
Example:
  Page news.jsp, the field "id" only accepts numbers [0-9], starting at 0 until 65535
  news.jsp?id=-1 would not be allowed
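An added example (not from the presentation or any WAF product) of the whitelist model above: a learning pass builds a per-page, per-parameter policy from known-good URLs, and an enforcement pass denies everything else. The function names, the training URLs, the 10-digit length cap and the duplicate-parameter rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Explicit ASCII class: str.isdigit() would also accept characters such as "²".
# The 10-digit cap is an assumption that keeps int() cheap on hostile input.
DIGITS = re.compile(r"[0-9]{1,10}")

def learn(known_good_urls):
    """Learning mode: build {path: {param: (min, max)}} from known-good traffic."""
    policy = {}
    for url in known_good_urls:
        parts = urlsplit(url)
        params = policy.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not DIGITS.fullmatch(value):
                raise ValueError(f"non-numeric training value for {name!r}")
            n = int(value)
            lo, hi = params.get(name, (n, n))
            params[name] = (min(lo, n), max(hi, n))
    return policy

def check(policy, url):
    """Enforcement mode: return (allowed, reason); anything not learned is denied."""
    parts = urlsplit(url)
    if parts.path not in policy:
        return False, "unknown page"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in policy[parts.path]:
            return False, f"unknown parameter {name}"
        if name in seen:  # the WAF and the app may disagree on which copy wins
            return False, f"duplicate parameter {name}"
        seen.add(name)
        if not DIGITS.fullmatch(value):
            return False, f"{name} is not [0-9]+"
        lo, hi = policy[parts.path][name]
        if not lo <= int(value) <= hi:
            return False, f"{name} outside {lo}..{hi}"
    return True, "ok"

# Constructed known-good sample covering the slide's range for news.jsp?id=
POLICY = learn(["/news.jsp?id=0", "/news.jsp?id=42", "/news.jsp?id=65535"])

if __name__ == "__main__":
    for u in ["/news.jsp?id=7", "/news.jsp?id=-1", "/news.jsp?id=65536",
              "/news.jsp?id=1&id=2", "/news.jsp?id=%C2%B2", "/admin.jsp?id=1"]:
        print(u, check(POLICY, u))
```

The learned range is only as good as the training traffic: a sample that never reaches 65535 would produce a narrower policy and false positives on valid requests.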
Common Weaknesses
Design issues
  WAFs have to be similar to the web apps and http servers that they need to protect
  Blacklists are by design “flawed”
Bad implementation
  Parsing issues
Again - a WAF needs to do a lot of things that the web app and http server does
  ergo they can have similar security flaws!
Detection
A number of products can be detected
  sometimes by design
Detection is not a big deal but...
  sometimes we’re told that WAFs are ‘invisible’
  the better you know your enemy (or client), the better
  helps in a penetration test or targeted attack
  shows that stealth attacks are possible
Detection
Cookies
  Reason: some WAFs are also load balancers
Headers
  Header rewriting
    Most obvious would be "Server"
    Sometimes is a feature called “server cloaking”
    “Connection” header might be changed to Cneonction or nnCoection
Response codes
  404 error codes for existent scripts
  and 403 for non existent ones