[WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls?

Amit Klein (AKsecurity) aksecurity at hotpop.com
Wed Jun 22 03:28:07 EDT 2005


On 22 Jun 2005 at 0:40, Daniel wrote:

> Amit,
> 
> Maybe i've missed a point here, but why would you deploy a WAF behind
> a web server and proxy server? in fact why would you even deploy the
> WAF in this scenario?

I discussed 3 scenarios:

1. Internet-WAF-device#1-device#2  (where device#1 can be a proxy server, and device#2 can 
be a web server, and all WAF, device#1 and device#2 are on the site premises).

2. (Internet)-device#1-(Internet)-WAF-device#2 (where device#1 may be off premises - e.g. a 
forward proxy server).

3. (Internet)-device#1-(Internet)-deivce#2-(Internet)-WAF-... (both device#1 and device#2 
are not protected by the WAF - they can be chained proxies, or a proxy and a perimeter 
firewall).

Obviously, there's no point in deploying a WAF behind the web server, but as you can see in 
#3, it's possible to mount an attack against two non-webserver devices (the request still 
has to go through the web server, but the real action takes place before that).

> 
> Have you tested the 2nd scenario with a NC and two devices?
>

Which scenario would that be?



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list