WebApp Sec mailing list archives

Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls?


From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 22 Jun 2005 16:20:11 +1000

Amit,

I feel that the WAF in this case would increase the likelihood of an HTTP smuggling attack as it participates in the flow, and more than likely interprets HTTP requests differently than pretty much everything else out there. If they RST'd dodgy connections and left alone all others, then maybe these devices serve a purpose, but if it's a re-writing proxy, it has to affect the flow.

<rant = on>

I have been struggling with the point of "security" HTTP proxies recently in several of the projects I've been involved with. The projects were infected by sales people who say "Buy this widget, and all your security problems are over". Nothing could be further from the truth. I recently lost a battle to remove a virus scanning web proxy on a private leased line which transmitted XML provided by MQ Series. The impetus to buy useless things to solve non-existent problems is troubling.

In my view, unless a proxy understands the underlying data and pages, or XML DTDs if it is looking at SOAP requests, I feel the additional burden of the proxies is rarely worthwhile and just adds one more component which may be abused.

</rant>

Security vendors should perform strict conformance testing and make those results available to potential customers. Something like the old IPsec and cache bake offs or industry certification that these devices are truly RFC compliant would be nice.

Andrew

On 22/06/2005, at 6:24 AM, Amit Klein (AKsecurity) wrote:

Yesterday, NetContinuum announced (http://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=52) that their NC-1000 Application Security Gateway protects against HTTP Request Smuggling.

I find this weird. The essence of HTTP Request Smuggling (http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) is that two HTTP-aware devices (e.g. web server and cache/proxy server) interpret the data stream differently.
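The point both posts circle around is that smuggling needs two devices that disagree on where one request ends and the next begins. The defensive consequence Andrew hints at ("RST dodgy connections and leave the rest alone") is a proxy that refuses to forward any request whose framing is ambiguous under RFC 7230 section 3.3.3, rather than picking its own interpretation. The following is an added example written for this archive page, not code from the thread, from NetContinuum, or from Watchfire: a strict framing check over a raw request head, run against a few constructed requests (the `example.test` host and the bodies are made up). It flags the cases where a lenient parser and a strict parser would compute different body lengths: Content-Length together with Transfer-Encoding, repeated Content-Length fields, non-numeric lengths, a Transfer-Encoding chain not ending in chunked, obsolete line folding, and header names that are not valid tokens (such as a space before the colon).

```python
"""Strict HTTP/1.1 request-framing check (added example, not from the thread).

A request is "ambiguous" when two RFC-tolerant HTTP parsers could disagree
on the length of its body. A proxy that rejects such requests outright
removes the disagreement that request smuggling depends on.
"""
import re

# RFC 7230 "token" characters, used to validate header field names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers(raw: bytes):
    """Split a raw request head into (request_line, [(name, value)], problems).

    Header names are lower-cased; malformed lines are reported rather than
    silently repaired, because silent repair is exactly where parsers diverge.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("no CRLFCRLF terminating the header block")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding (obs-fold) in header block")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"header line without colon: {line!r}")
            continue
        name_s = name.decode("latin-1", "replace")
        if not _TOKEN.match(name_s):
            # e.g. "Content-Length : 5": some parsers honour it, others drop it.
            problems.append(f"invalid header field name: {name_s!r}")
            continue
        headers.append((name_s.lower(),
                        value.strip(b" \t").decode("latin-1", "replace")))
    return request_line, headers, problems


def framing_problems(raw: bytes):
    """Return the reasons this request's message framing is ambiguous.

    An empty list means strict and lenient parsers agree on the body length,
    so the request is safe to forward unchanged.
    """
    _, headers, problems = parse_headers(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(cls) > 1:
        # Flag duplicates even when equal; a strict gateway has no reason to merge them.
        problems.append("multiple Content-Length header fields")
    for v in cls:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length: {v!r}")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        if codings.count("chunked") > 1:
            problems.append("chunked applied more than once")
    return problems


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
SPACED = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length : 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("dup-cl", DUP_CL), ("spaced-name", SPACED)]:
        print(f"{label:12s} {framing_problems(req) or 'ok'}")
```

A gateway built this way does not need to understand the application's pages or DTDs to be useful: it only has to refuse to relay what the standard itself calls malformed, which is also the kind of conformance behaviour a bake-off could verify.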