Security Basics mailing list archives

Re: Web Application Firewall Assessment


From: Robert Larsen <robert () the-playground dk>
Date: Thu, 07 May 2009 07:28:53 +0200

bin4ry wrote:
> Do you know of some attack
> vectors WAFs are facing problems with?

* Bad/nonrandom session keys
* some_page.php?admin=yes
* Possibility for traversal of nonpublic documents by changing an ID in
a URL (seen this too many times to count)
* Not sending secret data over https (logins and session keys)



WAFs are great tools for taking the top of the attack vectors but they
are not a replacement for good coding practices. It is "just" another
layer of security.


Good luck with the thesis. Will you post your findings to this mailing
list?

Attachment: signature.asc
Description: OpenPGP digital signature
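
An added example, not part of the original post: it shows why the changed-ID and `admin=yes` cases in the list above pass a signature filter (the request is well-formed) and why the ownership check has to live in the application. The document store, user names, handler names and the toy filter regex are all assumptions constructed for illustration.

```python
import re
import secrets
from urllib.parse import parse_qs

# Constructed sample data: document id -> owner and content.
DOCUMENTS = {101: {"owner": "alice", "body": "alice's invoice"},
             102: {"owner": "bob", "body": "bob's invoice"}}
SESSIONS = {}  # session token -> username, kept server-side

# Toy signature filter standing in for a WAF (assumption: not any product's rules).
SIGNATURES = re.compile(r"<script|\.\./|['\";]", re.IGNORECASE)

def waf_allows(query_string):
    """True when no signature matches, i.e. the request looks well-formed."""
    return SIGNATURES.search(query_string) is None

def new_session(user):
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = user
    return token

def _doc_id(params):
    value = params.get("id", "")
    return int(value) if value.isascii() and value.isdigit() else None

def get_document_unchecked(token, params):
    # Weak form: any numeric id is served, whoever is asking.
    doc = DOCUMENTS.get(_doc_id(params))
    return doc["body"] if doc else None

def get_document_checked(token, params):
    # Corrected form: identity comes from the server-side session only;
    # client-supplied fields such as admin=yes are never consulted.
    user = SESSIONS.get(token)
    doc = DOCUMENTS.get(_doc_id(params))
    if user is None or doc is None or doc["owner"] != user:
        return None
    return doc["body"]

def handle(query_string, token, handler):
    """Run the filter first, then the application handler."""
    if not waf_allows(query_string):
        return "blocked"
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    return handler(token, params)
```
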