[WEB SECURITY] Re: The Great WAF Debate --was--> XSS/injection/... evading technique

Arian J. Evans arian.evans at anachronic.com
Thu Jul 31 23:47:42 EDT 2008


Good post. Great points. Some notes:

1) Interesting observation on WAF penetration.
I have not seen anywhere near this percentage
of penetration, but this year (2008) I have seen
an unusually large number of folks investigating
WAF purchases, in some cases north of 1m USD.

Long and short, yes they are here (to stay I think).

2) Normal WAF config: Agreed re: Learning mode.

This is mostly what I have seen in the past myself.

However, I am seeing people finally start to lock
them down. And this can be an arduous task. I
hope the WAF vendors make this easier.

Network IPS/IDP went through the same curve
though. I saw a lot of folks buy IPS/IDP because
"they couldn't keep up with all the IDS alerts".
I used to scoff at them. "So what you are telling
me is that since you do not have the time to
properly tune and configure your existing detection
technology, you think that the smart move is
to put in another layer of nearly identical
technology that actually *blocks* traffic?"

But, year after year, people learned to
configure their IDS/IDP to do things, if
nothing else to block worms and predictable
remote stack overflow attacks etc. And
some no doubt made shelfware of their IPS/IDP.

We have web worms now. So at the very
least we can probably block those, though
if the IPS/IDP folks did the right things, they
could do that as well.

But we'll probably see varying degrees
of usage of WAFs as they mature just
like the IPS/IDP adopters.

3. Tuning. Yes, totally. When I was a
consultant I remember projects where
we pen tested against WAF protected
sites for 2-3 months while they "tuned"
them and such.

Eventually they would get things right,
with the exception of some technology
immature WAFs.

4. Camps. Many people emailed me
offline about my camps, which were
part serious, and a serious part humor
(as any who know me should know).

There are certainly more camps,
and hybrid camps, as not all notions
are mutually exclusive.

In fact...I was once more in camp #3
and gradually migrated to camp #2 :)

Cheers mate

-ae

ps -- I need to add an addendum
soon. I got a few historical WAF facts
wrong, as several people politely
pointed out to me offline. Sheesh
guys, that was like almost ten years
ago! Do you know how much Jaegermeister
and Guinness you people have forced
me to drink at conferences and after
WAF configuration projects since then?!?

I am amazed I remember much....


On Wed, Jul 30, 2008 at 2:49 AM, Martin O'Neal
<martin.oneal at corsaire.com> wrote:
>
> LOL; amusing post.
>
> My interest in WAFs is very much not from a product point of view; we
> don't sell or manufacture any products ourselves (or re-sell anyone
> else's).
>
> Whilst Corsaire does provide consultancy around designing and building
> secure environments, we spend the majority of our time assessing
> something that someone else has already implemented.  We're not the
> largest organisation in the universe, but we get through somewhere
> between two to three hundred assessments a year, typically for large
> corporate clients.  Of these environments, I would say that about 80%
> have an IDS and maybe 60% a WAF.  Which is anecdotal factlet no.1:
> product penetration is pretty high (chardonnay all round for the
> marketing people!).
>
> However, as I think I've said before, it appears that the normal
> configuration cycle for an IDS or WAF is for them to install it, tinker
> with the settings a bit until they disconnect someone (or something)
> important, and then the box is put into monitor mode until it is a dusty
> forgotten relic.  Which is anecdotal factlet no.2: most IDS/WAF that we
> encounter are either in an out-of-the-box state, or in monitor-only mode
> (and unmonitored!).
>
> And finally, the only occasion that a client made a concerted effort to
> use a WAF (an F5) to fix a broken application resulted in (I think) four
> rounds of testing and re-testing, and even then the application still
> had unresolved issues (which is, to be fair, a lot to do with the tin
> monkeys configuring the WAF).  However as a side effect the application
> was also made unusable to anyone with an apostrophe in their name.
> Which is anecdotal factlet no.3: as a WAF's toolkit consists only of
> tinkering with data validation, then they are forced to try and fix all
> security issues by restricting validation, even when it is clear that
> validation isn't the root of the problem.
>
> I have nothing against WAFs as a concept, and I agree that in principle
> it is possible to use them to implement some form of dynamic patch (one
> that may even work as intended!), but in every example that I have seen
> them used in the real world, they have provided almost no practical
> value at all.  Their net contribution is as a boldly coloured fan heater
> in a data centre.
>
> Martin...
>
> PS Can I get a camp of my own?
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>



-- 
Arian J. Evans.
Software. Security. Stuff.
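Martin's factlet no.3 (the F5 rule that locked out everyone with an apostrophe in their name) is worth seeing in code. The following is an added example, not code from either poster or from any WAF product: a blanket "reject single quotes" rule in front of an application that builds SQL by string concatenation, beside the root-cause fix (a parameterised query) that lets "O'Neal" through safely with no WAF rule at all. The rule, table layout and sample users are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: one surname with an apostrophe, one without.
USERS = [("Martin", "O'Neal"), ("Arian", "Evans")]

# A blanket WAF-style signature: any single quote in a parameter is rejected.
# This "fixes" the symptom by restricting validation, and rejects Mr O'Neal too.
WAF_BLOCK_QUOTE = re.compile(r"'")


def waf_allows(value: str) -> bool:
    """True if the blanket no-apostrophes rule lets the parameter through."""
    return WAF_BLOCK_QUOTE.search(value) is None


def _db() -> sqlite3.Connection:
    """Fresh in-memory database populated with the constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (first TEXT, last TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def lookup_concat(last: str):
    """The broken application: SQL built by string concatenation.

    A legitimate apostrophe in the input terminates the string literal early,
    so the query is malformed; this is the defect the WAF rule is papering over.
    """
    con = _db()
    sql = "SELECT first FROM users WHERE last = '" + last + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def lookup_param(last: str):
    """Root-cause fix: a parameterised query. The apostrophe is just data."""
    con = _db()
    cur = con.execute("SELECT first FROM users WHERE last = ?", (last,))
    return [row[0] for row in cur]


def front_door_with_waf(last: str):
    """The deployed combination: WAF rule in front of the unfixed application.

    Apostrophe users are blocked before the application ever sees them, which
    is why the site became unusable for them.
    """
    if not waf_allows(last):
        return "blocked by WAF"
    return lookup_concat(last)


if __name__ == "__main__":
    for name in ("Evans", "O'Neal"):
        print(f"{name!r}: waf+concat -> {front_door_with_waf(name)!r}, "
              f"param -> {lookup_param(name)!r}")
```

Run it and the two rows tell the story: the WAF rule keeps the concatenated query from blowing up only by refusing the apostrophe outright, while the parameterised query returns "Martin" for "O'Neal" without any validation rule in front of it.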
