WebApp Sec mailing list archives
WAF learning ability limitation?
From: matt farey <matt.farey () gmail com>
Date: Fri, 19 May 2006 18:04:25 +0100
Hi, I listened to the recent London WAF mp3s. Thanks for those! One thing I heard was that the WAFs worked in two main ways: 1. specific input parameters (input fields) policies to defend against particular vulnerabilities, and more generally they were 2. learning what users put into input boxes and could form their own dynamic reg exp protection.But can a dynamic website which generates randomly named input fields be protected? Perhaps Fortify would more easily be able to link in with this type of application specific code as it hooks into the app logic. In other words, if the form input fields have un-guessable randomly changing names, resulting in randomly changing parameters that need to be checked against reg exp policies, could a WAF cope?
The app was designed this way to enforce work flow, and control the GET-POST (rather than just POST, POST....) cycle, to stop scraping and other "remote/off-site" POST attacks. A back-end heap/memory table was used to keep track of the (pseudo-hash) <> (input field parameter name) mappings. The attacker had to keep coming back for more valid names before submitting more carefully crafted garbage.
Perhaps this is just a silly eccentric solution and never likely to be used in the real world. matt --form example (response 1)-- <form method="post"> <input type="text" name="input_KL23JgrtIsuqwKjh5cTgt" /> <input type="test" name="input_KNi5s4TgfR5GkUYdk09" /> <input type="submit" value="submit" /> </form> --form example (reponse 2) - after page refresh/post-- <form method="post"> <input type="text" name="input_Ksdg3r5XI7u86Dwjhdscyjljgt" /> <input type="test" name="input_asfsdgyuXkl78dr54GdrfgdF09" /> <input type="submit" value="submit" /> </form> etc... ------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- RE: Comparison report on web app security scanners, (continued)
- RE: Comparison report on web app security scanners Ory Segal (May 16)
- Re: Comparison report on web app security scanners Jeremiah Grossman (May 17)
- RE: Comparison report on web app security scanners Mark Curphey (May 18)
- Re: Comparison report on web app security scanners Zaninotti, Thiago (May 18)
- Re: Comparison report on web app security scanners Jeremiah Grossman (May 17)
- Re: Comparison report on web app security scanners Eoin (May 17)
- RE: Comparison report on web app security scanners Mark Curphey (May 17)
- RE: Comparison report on web app security scanners Bogdan Calin (May 18)
- Re: Comparison report on web app security scanners solutions_PHP (May 18)
- Re: Comparison report on web app security scanners Bogdan Calin (May 18)
- RE: Comparison report on web app security scanners Mark Curphey (May 19)
- WAF learning ability limitation? matt farey (May 19)
- Re: Comparison report on web app security scanners solutions_PHP (May 19)
- RE: Comparison report on web app security scanners Ory Segal (May 16)