Security Basics mailing list archives

Re: Web Application Firewall Assessment


From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 06 May 2009 19:08:18 -0400


bin4ry wrote:
Hi together,

I'm a student at a German university and I'm working on my
bachelor thesis. The subject is Web Application Firewalls.
One practical part of this work is an assessment of one of those
WAFs. Since I can choose which product I'm going to test, I think
I'll stick to ModSecurity.
I'll place some vulnerable apps behind ModSecurity (some self-made ones
+ WebGoat, or similar) and try to get through ModSecurity with some
malicious requests / payloads.

Before doing so I'd like to ask you guys if you can give me some
advice concerning this assessment. Did some of you already do
similar stuff? If so, would you mind sharing experiences? Are there
any best practices for setting up the scene? Do you know of some attack
vectors WAFs are facing problems with? I guess XSS in combination with
CSS will be hard to recognize. I already tried some DOM-XSS in
combination with URL fragments:

Some JavaScript uses the document.location object to extract the
'name' parameter and to echo it to the user.

I thought that, if I pass something like this:

http://localhost/dom.htm#name=<script>alert('test');</script>

the whole fragment won't be sent to the server, therefore making it
hard for ModSecurity to sanitize it. But I failed. It was sanitized well.

I guess I'll need to check out some alternative encodings to circumvent
rules/signatures.

Anyway, some input would be appreciated.

Have a nice evening,

One thing to check -- make sure you can block all forms of LDAP
injection. This is getting to be a SERIOUS problem!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
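An added example (not code from the original thread) illustrating bin4ry's fragment observation above: the part of the URL after `#` never appears in the request a server-side WAF like ModSecurity inspects, so the defence has to live in the DOM sink itself. It assumes a hypothetical dom.htm that reads a `name` parameter from `location.hash`, and simulates the browser DOM with a minimal stand-in element so it runs under Node.js.

```javascript
// Added example, not from the original post: why a server-side WAF never
// sees a URL fragment, and how the DOM sink itself must be fixed.
// Runs under Node.js; the DOM element is a constructed stand-in.

// The request-target a server (and any WAF in front of it) receives is
// path + query only; everything from '#' onward stays in the browser.
function requestLineSeenByServer(fullUrl) {
  const u = new URL(fullUrl);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Pull the 'name' parameter out of the fragment, as the hypothetical dom.htm does.
function nameFromFragment(hash) {
  return new URLSearchParams(hash.replace(/^#/, '')).get('name') ?? '';
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Stand-in element whose `html` field is what innerHTML would serialize to:
// assigning innerHTML interprets markup, assigning textContent stores it literally.
function makeElement() {
  return {
    html: '',
    set innerHTML(v) { this.html = v; },
    set textContent(v) { this.html = escapeHtml(v); },
  };
}

// Vulnerable sink: fragment data written as HTML (DOM-based XSS).
function renderUnsafe(hash) {
  const el = makeElement();
  el.innerHTML = 'Hello ' + nameFromFragment(hash);
  return el.html;
}

// Hardened sink: same data written as text, so any markup in it is inert.
function renderSafe(hash) {
  const el = makeElement();
  el.textContent = 'Hello ' + nameFromFragment(hash);
  return el.html;
}

// Constructed sample URL; harmless markup stands in for a payload.
const sample = 'http://localhost/dom.htm#name=<b>bob</b>';
console.log(requestLineSeenByServer(sample));    // GET /dom.htm HTTP/1.1
console.log(renderUnsafe(new URL(sample).hash));  // Hello <b>bob</b>
console.log(renderSafe(new URL(sample).hash));    // Hello &lt;b&gt;bob&lt;/b&gt;
```

Because the fragment is absent from the request line, a ModSecurity rule can only act on fragment-borne input if the page itself copies it into a later request; the `textContent` sink is what actually closes the hole.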





