Security Basics mailing list archives
Re: Web Application Firewall Assessment
From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 06 May 2009 19:08:18 -0400
bin4ry wrote:

> Hi together, I'm a student at a German university and I'm working on my bachelor thesis. The subject is Web Application Firewalls. One practical part of this work is an assessment of one of those WAFs. Since I can choose which product I'm going to test, I think I'll stick to ModSecurity. I'll place some vulnerable apps behind ModSecurity (some self-made ones + WebGoat, or similar) and try to get through ModSecurity with some malicious requests / payload.
>
> Before doing so I'd like to ask you guys if you can give me some advice concerning this assessment. Did some of you already do similar stuff? If so, would you mind sharing experiences? Are there any best practices for setting up the scene? Do you know of some attack vectors WAFs are facing problems with? I guess XSS in combination with CSS will be hard to recognize.
>
> Already tried some DOM-XSS in combination with URL fragments: some JavaScript uses the document.location object to extract the 'name' parameter and to echo it to the user. I thought that, if I pass something like this:
>
> http://localhost/dom.htm#name=<script>alert('test');</script>
>
> the whole fragment won't be sent to the server, therefore making it hard for ModSecurity to sanitize it. But I failed. It was sanitized well. I guess I'll need to check out some alternative encodings to circumvent rules/signatures.
>
> Anyway, some input would be appreciated. Have a nice evening,

One thing to check -- make sure you can block all forms of LDAP injection. This is getting to be a SERIOUS problem!

Jon Kibler

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
Current thread:
- Web Application Firewall Assessment bin4ry (May 06)
- Re: Web Application Firewall Assessment Jon Kibler (May 07)
- Re: Web Application Firewall Assessment Robert Larsen (May 07)