Security Basics mailing list archives
Web Application Firewall Assessment
From: bin4ry <bin4ry () theknetgroup org>
Date: Wed, 06 May 2009 19:58:11 +0200
Hi together,

I'm a student at a German university and I'm working on my bachelor thesis. The subject is Web Application Firewalls. One practical part of this work is an assessment of one of those WAFs. Since I can choose which product I'm going to test, I think I'll stick to ModSecurity. I'll place some vulnerable apps behind ModSecurity (some self-made ones + WebGoat, or similar) and try to get through ModSecurity with some malicious requests / payloads.

Before doing so I'd like to ask you guys if you can give me some advice concerning this assessment. Did some of you already do similar stuff? If so, would you mind sharing experiences? Are there any best practices for setting up the scene? Do you know of some attack vectors WAFs are facing problems with?

I guess XSS in combination with CSS will be hard to recognize. I already tried some DOM-XSS in combination with URL fragments: some JavaScript uses the document.location object to extract the 'name' parameter and to echo it to the user. I thought that, if I pass something like this:

http://localhost/dom.htm#name=<script>alert('test');</script>

the whole fragment won't be sent to the server, therefore making it hard for ModSecurity to sanitize it. But I failed. It was sanitized well. I guess I'll need to check out some alternative encodings to circumvent rules/signatures.

Anyway, some input would be appreciated.

Have a nice evening,
Current thread:
- Web Application Firewall Assessment bin4ry (May 06)
- Re: Web Application Firewall Assessment Jon Kibler (May 07)
- Re: Web Application Firewall Assessment Robert Larsen (May 07)