Dailydave mailing list archives
WAFs: HTTP Desynchronization as a Metric
From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 13 Jul 2020 11:19:43 -0400
So one thing people don't have any scope of measuring - (maybe as a set diagram of finite states?) - is the difference between two parsers for the same protocol. Ten years ago a lot of the security community had a discussion about "LangSec <http://langsec.org/>", which turns out to have been entirely correct in retrospect.

NCC Group's recently released analysis of the F5 bug is a key example of this principle in action: https://research.nccgroup.com/2020/07/12/understanding-the-root-cause-of-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902/

Most people look at HTTP Desync as simply using Content-Length confusion - figuring out ways to make one request look like it's not the same length, and using that for SSRF or XSS or various other attacks. But *ANY DIFFERENCE IN THE PARSERS* leads to critical level attacks.

Of course, what this means is that you need to have different emulated parsers for each web server behind you depending on if they are Apache/IIS/Nginx . . .

-dave
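The "desync as a metric" idea above, as an added example that is not part of the original post and not code from any real WAF or web server: two constructed HTTP/1.1 request parsers that resolve body framing differently (Content-Length first versus Transfer-Encoding first, first versus last duplicated header), and a metric that reports on what share of a request corpus they disagree about where the body ends. The parsers, the `disagree`/`desync_metric` helpers and the sample corpus are all assumptions of this example.

```python
# Added example, not from the post or any real WAF/server: two constructed
# HTTP/1.1 parsers that resolve body framing differently, and a "desync
# metric" = share of a request corpus on which they disagree about the body.

def split_request(raw: bytes):
    """Return request line, lower-cased multi-valued headers and raw tail."""
    head, _, tail = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip())
    return lines[0], headers, tail

def dechunk(tail: bytes) -> bytes:
    """Decode a chunked body up to the zero-size terminating chunk."""
    body = b""
    while True:
        size_line, _, tail = tail.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return body
        body, tail = body + tail[:size], tail[size + 2:]  # skip data + CRLF

def parser_a(raw: bytes) -> bytes:
    """Parser A: first Content-Length wins; chunked only as a fallback."""
    _, h, tail = split_request(raw)
    if "content-length" in h:
        return tail[: int(h["content-length"][0])]
    return dechunk(tail) if b"chunked" in h.get("transfer-encoding", []) else b""

def parser_b(raw: bytes) -> bytes:
    """Parser B: chunked wins (RFC 7230 s.3.3.3); else the LAST Content-Length."""
    _, h, tail = split_request(raw)
    if b"chunked" in h.get("transfer-encoding", []):
        return dechunk(tail)
    return tail[: int(h["content-length"][-1])] if "content-length" in h else b""

def disagree(raw: bytes, parsers=(parser_a, parser_b)) -> bool:
    return len({p(raw) for p in parsers}) > 1   # parsers yield different bodies

def desync_metric(corpus) -> float:
    return sum(disagree(r) for r in corpus) / len(corpus)   # 0.0 = full agreement

# Constructed corpus: clean request, both framing headers, duplicated Content-Length.
CORPUS = [
    b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
    b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 2\r\nContent-Length: 5\r\n\r\nhello",
]
```

A WAF that fronts a given server has to agree with that server on every request, so each request the metric flags is either one to reject as ambiguous or a gap in the emulated parser to close.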