[WEB SECURITY] RE: 02/2009 WASC WAF thread

Andre Gironda andreg at gmail.com
Tue Feb 10 13:20:16 EST 2009


On Tue, Feb 10, 2009 at 11:37 AM,  <bugtraq at cgisecurity.net> wrote:
Robert,

> I personally have only used them for input validation purposes. We can both see the issue of persistent
> xss but I haven't used/heard of anyone using them in this way (they could be I just don't know).

60+ emails across this list and nobody is willing to agree with me
that Microsoft SRE or a JSF custom-equivalent approach is completely
superior to any commercial WAF product such as F5, Citrix, Imperva, or
Breach?

That Gotham Digital Science's SPF, the HDIV Project, or Shreeraj
Shah's web2wall and mod-security prescriptions do not additionally
address even more advanced attacks on top of what SRE would do?

SRE and changing database table/view default privs appear to solve all
of the kinds of LHF that the F5's, Impervas, Citrixes, Breaches, and
WhiteHatSecs of the world seek to prevent.  With no blacklist rule
configuration, no maintenance, and using automated, point-solution
configuration that is clearly superior to F5/Imperva/Citrix/Breach
"auto-learning".

Question: I am anti-WAF how now?

>> What types of input validation?  Are you talking about the kinds of
>> input validation that AntiSamy would deal with?  User-submittable
>> HTML (all parts, attributes, et al)/CSS, too?
>
> - long input
> - characters not matching the whitelist

See above.

Cheers,
Andre
