Web application firewalls have come a long way from their modest
beginnings more than a decade ago. They are now an accepted security
best practice and have a significant role in compliance. But there is
still a lot left to do before they can unlock their full potential.
There is one aspect in particular that interests me a great deal, and
that is the ability of end users to verify the operation of WAFs and
measure their technical quality. Understandably, vendors are reluctant
to talk about the weaknesses in their products. However, understanding
the weak points is critical for effective deployments. We cannot claim
to have achieved any level of security otherwise. As always with these
things, we should assume that our adversaries already know about those
weaknesses; but how can we know too? Simple, by forcing the issue out in
the open.
Today at Black Hat we (Qualys) are announcing
a new research project on protocol-level evasion of web application
firewalls. This type of evasion focuses on the low-level operation of
WAFs, aiming to exploit small differences in how WAFs see traffic and
how backend web servers and applications see it. If you get the WAF to
see something different from what the backend is seeing, you have an
evasion opportunity that could be used to execute any attack type
without detection.
I spent a great deal of effort on protocol-level evasion in my years
of working on ModSecurity (an open source web application firewall I
started in 2002, and worked on until 2009). I imagine all WAF
manufacturers spend a lot of effort in this area, yet this topic is
seldom discussed in public. It is our aim to change this. Our focus on
protocol-level evasion is part of our work on IronBee, a new open source web application firewall we are building at Qualys.
Attached to this post is our research paper, which focuses on request
path, parameter, and multipart/form-data evasion. Also attached are the
Black Hat talk slides that introduce the research. The testing suite (a
sort of research toolkit) is in the IronBee WAF Research repository on GitHub.
- Protocol-Level Evasion of Web Application Firewalls v1.1 (18 July 2012).pdf (254.4 K)
- Protocol-Level Evasion of Web Application Firewalls (Ivan Ristic, Qualys, Black Hat USA 2012) SLIDES.pdf (1.7 MB)
Source: blog.ivanristic.com