[WEB SECURITY] Need a vulnerable XML Web Service

Andre Gironda andreg at gmail.com
Thu Jun 10 14:21:40 EDT 2010


On Thu, Jun 10, 2010 at 12:43 PM, Neil Matatall
<nmatatall at attinteractive.com> wrote:
> I agree with Ory and I'd rather have the creators of these products spend
> time on other features (good Rails support, better REST support, etc).  I've
> always subscribed to making the app as secure as possible without a WAF, and
> then deploy the application behind a WAF.
> IMO, bypassing WAFs would be much more beneficial to the WAF vendors and
> external pen testers than those actually using WAFs.  In my experience, most
> *useful* pen testing and assessments are performed internally with the
> external scans used mainly for box checking regarding compliance.  If you
> rely on your WAF and you only have external scanning, then this feature
> might be important.
> Neil

WAF vendors should be writing their own scanners that bypass their
products. They won't though, and somebody like BreakingPointSys will
come in to do it years later.

If you are conducting an app assessment in a production environment,
then you are basically the scum of the earth and I hope that you die
in a fire.

If you are using a WAF in a production environment (and it's not
mod-security and/or "fully whitelist validation based"), then you are
basically the scum of the earth and I hope that you also die in a
fire.

If you have an app scanner, and want to use it to test your
integration, staging, or other "pre-production" environment -- then
you are probably a misguided fool. Try spending more time saving your
buddies (above) from dying in a fire.

--

Now to the meat of this email from me.

No. What we need are test cases (from app scanners or elsewhere) to
test for vulnerabilities when regressing (after developers apply a
"fix" or "patch", or when some appsec expert tweaks a WAF data
validation rule to be more restrictive).  We need to know HOW and IF
data validation has been employed and WHERE.

These points about WAF checks are idiotic because you guys simply
don't get it, but there is a real problem there that the app scanners
additionally don't address. This would be a "nice-to-have" feature
today because simply the app scanners don't do their regular jobs in
the first place, as Jack Mannino pointed out.

The next person who thinks that they are throwing me a cluestick or
calls me "naive" and lacking "real world" anything should go check
this out first:
http://video.google.com/videoplay?docid=-9166100067370229595&hl=en#
It's from 2007

Have a basis of understanding what the hell I'm talking about and why.
This conversation is devolving into talk about WAFs when we really
need to be talking about data validation instead.

Thanks,
Andre
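The regression harness Andre asks for above, as an added example that is not part of the original post and not code from any scanner or WAF product named in the thread. It assumes a hypothetical numeric `id` parameter and a small constructed corpus of payloads standing in for scanner output; the three validators (a blacklist "before", a whitelist "after", and an over-tightened whitelist) are illustrative, not taken from any real product. The point is that a regression suite for data validation needs both attack cases (to catch a fix that only filters some inputs) and legitimate cases (to catch a rule that was tightened until it breaks the application):

```python
import re

# Constructed attack payloads standing in for scanner findings (not from the original post).
ATTACK_CASES = [
    ("sqli-tautology", "1 OR 1=1"),
    ("sqli-comment", "1'--"),
    ("xss-script", "<script>alert(1)</script>"),
    ("xss-event", "\" onmouseover=\"alert(1)"),
    ("traversal", "../../etc/passwd"),
    ("xxe-doctype", "<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]>"),
    ("null-byte", "42\x00"),
]

# Constructed legitimate values the application must keep accepting after any "fix".
LEGIT_CASES = [
    ("id-zero", "0"),
    ("id-small", "7"),
    ("id-large", "4294967295"),  # largest uint32
]


def validate_blacklist(value: str) -> bool:
    """'Before' the fix: a negative filter that only rejects known-bad substrings.
    Anything the blacklist author did not think of passes straight through."""
    bad_tokens = ["<script", "' or", "../", "<!doctype"]
    lowered = value.lower()
    return not any(token in lowered for token in bad_tokens)


def validate_whitelist(value: str) -> bool:
    """'After' the fix: positive validation. The hypothetical `id` parameter is an
    unsigned 32-bit integer written in decimal with no leading zeros, no whitespace,
    no control characters. Everything else is rejected without inspecting it."""
    if re.fullmatch(r"0|[1-9][0-9]{0,9}", value) is None:
        return False
    return int(value) <= 0xFFFFFFFF


def validate_overtightened(value: str) -> bool:
    """A WAF-style rule tweaked 'to be more restrictive': still a whitelist, but it
    caps the id at six digits and silently breaks legitimate large ids."""
    return re.fullmatch(r"0|[1-9][0-9]{0,5}", value) is not None


def run_regression(validator):
    """Run one validator over both corpora.

    Returns (missed_attacks, rejected_legit). A validator only passes regression
    when BOTH lists are empty: no attack payload accepted, no legitimate value refused."""
    missed_attacks = [name for name, payload in ATTACK_CASES if validator(payload)]
    rejected_legit = [name for name, payload in LEGIT_CASES if not validator(payload)]
    return missed_attacks, rejected_legit


def validator_passes(validator) -> bool:
    missed, rejected = run_regression(validator)
    return not missed and not rejected


if __name__ == "__main__":
    for fn in (validate_blacklist, validate_whitelist, validate_overtightened):
        missed, rejected = run_regression(fn)
        verdict = "PASS" if not missed and not rejected else "FAIL"
        print(f"{fn.__name__:24s} {verdict}  missed={missed} rejected_legit={rejected}")
```

Run it after every fix or rule change: the blacklist fails on the attack side (it misses the tautology, the comment-terminated payload, the attribute-breakout and the null byte), the whitelist passes both sides, and the over-tightened rule fails on the legitimate side only, which is exactly the regression a scanner that only throws attack payloads would never report.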
