Security Basics mailing list archives

Web Application Firewall Assessment


From: bin4ry <bin4ry () theknetgroup org>
Date: Wed, 06 May 2009 19:58:11 +0200

Hi all,

I'm a student at a German university and I'm working on my
bachelor thesis. The subject is Web Application Firewalls.
One practical part of this work is an assessment of one of those
WAFs. Since I can choose which product I'm going to test, I think
I'll stick to ModSecurity.
I'll place some vulnerable apps behind ModSecurity (some self-made ones
+ WebGoat, or similar) and try to get through ModSecurity with some
malicious requests / payloads.

Before doing so I'd like to ask you guys if you can give me some
advice concerning this assessment. Have some of you already done
similar stuff? If so, would you mind sharing experiences? Are there
any best practices for setting up the scene? Do you know of some attack
vectors WAFs are facing problems with? I guess XSS in combination with
CSS will be hard to recognize. I already tried some DOM-XSS in
combination with URL fragments:

Some JavaScript uses the document.location object to extract the
'name' parameter and to echo it to the user.

I thought that, if I pass something like this:

http://localhost/dom.htm#name=<script>alert('test');</script>

the whole fragment won't be sent to the server, thus making it
hard for ModSecurity to sanitize it. But I failed. It was sanitized well.

I guess I'll need to check out some alternative encodings to circumvent
rules/signatures.

Anyway, some input would be appreciated.

Have a nice evening,

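As an added illustration of the fragment-based DOM-XSS case described in the post above (example code, not from the poster or the ModSecurity project): it shows which part of such a URL forms the HTTP request-target that a server-side WAF can inspect, how the page's own JavaScript would parse the 'name' parameter out of the fragment, and the client-side output encoding that closes this sink regardless of what the WAF sees. The function names are assumptions chosen for this example.

```javascript
// Added example (not from the original post). Uses Node's global WHATWG URL class.

// Request-target transmitted in the HTTP request line: path + query only.
// The fragment (from '#' onwards) is kept by the browser, so a server-side
// WAF such as ModSecurity never receives it.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Parse a named parameter from the fragment, treating it like a query string,
// as the vulnerable page does with document.location. The URL parser percent-
// encodes characters such as '<' and '>' in the fragment, so decode them back.
function fragmentParam(href, name) {
  const hash = new URL(href).hash.replace(/^#/, "");
  for (const pair of hash.split("&")) {
    const [k, v = ""] = pair.split("=");
    if (decodeURIComponent(k) === name) return decodeURIComponent(v);
  }
  return null;
}

// Client-side output encoding: the mitigation that does not depend on a WAF.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe sink: raw value interpolated into markup (the pattern from the post).
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Safe sink: encode before it becomes markup (in a real page, prefer
// element.textContent over innerHTML).
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Constructed sample URL, the same shape as the one in the post.
const SAMPLE = "http://localhost/dom.htm#name=<script>alert('test');</script>";
```

Running the block in Node and comparing renderUnsafe(fragmentParam(SAMPLE, "name")) with renderSafe(...) shows the script tag surviving in the first and being neutralised in the second, while requestTarget(SAMPLE) is just the path.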
