Dailydave mailing list archives

WAFs: HTTP Desynchronization as a Metric


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 13 Jul 2020 11:19:43 -0400

So one thing people don't have any scope of measuring - (maybe as a set
diagram finite states?) - is the difference between two parsers for the
same protocol. Ten years ago a lot of the security community had a
discussion about "LangSec <http://langsec.org/>" which turns out to have
been entirely correct in retrospect.

NCCGroup's recently released analysis of the F5 bug is a key example of
this principle in action:
https://research.nccgroup.com/2020/07/12/understanding-the-root-cause-of-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902/

Most people look at HTTP Desync as simply using Content-Length confusion -
figuring out ways to make one request look like it's not the same length,
and using that for SSRF or XSS or various other attacks. But *ANY
DIFFERENCE IN THE PARSERS* leads to critical level attacks.

Of course, what this means is that you need to have different emulated
parsers for each web server behind you depending on whether they are
Apache/IIS/Nginx . . .

-dave
_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
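The "metric" the post asks for can be sketched in code. The following is an added example, not part of Dave's post or of any project he references: two toy HTTP/1.1 framing parsers that apply different, equally plausible rules for where a request body ends (one lets Content-Length win, one follows RFC 7230 and lets a chunked Transfer-Encoding win), plus a check that reports whether they agree on the message boundaries of a byte stream. A third, strict policy shows the defensive answer: refuse to frame a message that carries both headers rather than pick one. Policy names, function names and the two byte strings are constructed for this example.

```python
"""Differential HTTP/1.1 framing check (added example, not the post's code)."""
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"
Frame = Tuple[int, int]  # (start offset, end offset) of one complete message


class AmbiguousFraming(ValueError):
    """Raised by the strict policy when a message carries both framing headers."""


def _parse_head(buf: bytes, start: int) -> Optional[Tuple[Dict[str, str], int]]:
    """Return (lower-cased headers, offset of first body byte), or None if the head is incomplete."""
    end = buf.find(CRLF + CRLF, start)
    if end == -1:
        return None
    headers: Dict[str, str] = {}
    for line in buf[start:end].decode("iso-8859-1").split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, end + 4


def _chunked_end(buf: bytes, pos: int) -> Optional[int]:
    """Walk a chunked body (no trailers) and return the offset just past it, or None if incomplete/malformed."""
    while True:
        line_end = buf.find(CRLF, pos)
        if line_end == -1:
            return None
        try:
            size = int(buf[pos:line_end].split(b";")[0].strip(), 16)
        except ValueError:
            return None
        pos = line_end + 2
        if size == 0:  # last chunk must be followed by an empty line
            return pos + 2 if buf[pos:pos + 2] == CRLF else None
        pos += size
        if buf[pos:pos + 2] != CRLF:
            return None
        pos += 2


def _cl_end(buf: bytes, headers: Dict[str, str], body_start: int) -> Optional[int]:
    """Body end according to Content-Length, or None if the value is bad or the body is incomplete."""
    try:
        n = int(headers["content-length"])
    except (KeyError, ValueError):
        return None
    end = body_start + n
    return end if n >= 0 and end <= len(buf) else None


def body_end(buf: bytes, headers: Dict[str, str], body_start: int, policy: str) -> Optional[int]:
    """Apply one framing policy: 'cl_first', 'te_first' or 'strict' (names are this example's own)."""
    has_cl = "content-length" in headers
    has_te = "transfer-encoding" in headers
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if policy == "strict" and has_cl and has_te:
        raise AmbiguousFraming("both Content-Length and Transfer-Encoding present")
    if policy == "cl_first" and has_cl:
        return _cl_end(buf, headers, body_start)  # Content-Length wins, Transfer-Encoding ignored
    if chunked:
        return _chunked_end(buf, body_start)  # RFC 7230 3.3.3: chunked takes precedence
    if has_cl:
        return _cl_end(buf, headers, body_start)
    return body_start  # no body


def frame(buf: bytes, policy: str) -> Optional[List[Frame]]:
    """Split a stream into complete messages under `policy`; None if the strict policy rejected it."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(buf):
        head = _parse_head(buf, pos)
        if head is None:
            break  # trailing partial message, ignore
        headers, body_start = head
        try:
            end = body_end(buf, headers, body_start, policy)
        except AmbiguousFraming:
            return None
        if end is None:
            break
        frames.append((pos, end))
        pos = end
    return frames


def framing_disagreement(buf: bytes, policies=("cl_first", "te_first")) -> bool:
    """The post's metric: True when the parsers do not agree on where messages begin and end."""
    views = {tuple(frame(buf, p) or []) for p in policies}
    return len(views) > 1


# Constructed test vectors, not captured traffic.
AMBIGUOUS = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\n"
    b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
CLEAN = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nok"
    b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for name, sample in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(name, "disagree:", framing_disagreement(sample), "strict:", frame(sample, "strict"))
```

The two lenient policies both produce two messages from the ambiguous stream, but they put the boundary one byte apart, so the second message they hand to whatever sits behind them is not the same request. That single byte of disagreement is the whole class of bug the post is pointing at; the strict policy sidesteps it by returning None for the stream instead of choosing.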
