WebApp Sec mailing list archives
Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls?
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 22 Jun 2005 09:28:07 +0200
On 22 Jun 2005 at 0:40, Daniel wrote:
> Amit, maybe I've missed a point here, but why would you deploy a WAF behind a web server and proxy server? In fact why would you even deploy the WAF in this scenario?
I discussed 3 scenarios:
1. Internet-WAF-device#1-device#2 (where device#1 can be a proxy server, and device#2 can be a web server, and all WAF, device#1 and device#2 are on the site premises).
2. (Internet)-device#1-(Internet)-WAF-device#2 (where device#1 may be off premises - e.g. a forward proxy server).
3. (Internet)-device#1-(Internet)-device#2-(Internet)-WAF-... (both device#1 and device#2 are not protected by the WAF - they can be chained proxies, or a proxy and a perimeter firewall).
Obviously, there's no point in deploying a WAF behind the web server, but as you can see in #3, it's possible to mount an attack against two non-webserver devices (the request still has to go through the web server, but the real action takes place before that).
> Have you tested the 2nd scenario with a NC and two devices?
Which scenario would that be?