WebApp Sec mailing list archives
Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls?
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 22 Jun 2005 09:53:49 +0200
Hi Andrew, On 22 Jun 2005 at 16:17, Andrew van der Stock wrote:
Amit, I feel that the WAF in this case would increase the likelihood of a HTTP smuggling attack as it participates in the flow, and more than likely interprets HTTP requests differently than pretty much everything else out there.
Yes, that is possible (as I hinted in my message), if the WAF is between the devices, or if the WAF itself is the object of the attack.
If they RST'd dodgy connections and left alone all others, then maybe these devices serve a purpose, but if it's a re-writing proxy, it has to affect the flow.
I agree.
<rant = on> I have been struggling with the point of "security" HTTP proxies recently in several of the projects I've been involved with. The projects were infected by sales people who say "Buy this widget, and all your security problems are over". Nothing could be further from the truth. I recently lost a battle to remove a virus scanning web proxy on a private leased line which transmitted XML provided by MQ Series. The impetus to buy useless things to solve non-existent problems is troubling. In my view, unless a proxy understands the underlying data and pages, or XML DTDs if it is looking at SOAP requests, I feel the additional burden of the proxies is rarely worthwhile and just adds one more component which may be abused. </rant>
Oh, I wouldn't throw the baby out with the bath water. I think that WAFs (at least in theory) are basically good things. I haven't seen a perfect one yet - they all have their problems. But I wouldn't dismiss them as useless. Don't get me wrong - there are certainly cases where buying and deploying WAF is absurd, and there are probably many cases where WAFs are sold as a solution to world hunger, but that shouldn't blur our technical view - of what WAFs can and can't do. I fully agree to the second part of your rant. If a WAF can't understand HTTP, and the application logic, and SOAP/XML (if it's supposed to handle XML and web services), then obviously it's missing a core security functionality. Merely deploying a simple (mindless) HTTP proxy is not going to help in most situations (I believe that's what you're saying).
Security vendors should perform strict conformance testing and make those results available to potential customers. Something like the old IPsec and cache bake offs or industry certification that these devices are truly RFC compliant would be nice.
Hear! Hear! ;-) I'll have you know that WASC (Web Application Security Consortium) works on a project called "Web Application Firewall Evaluation Criteria" (http://www.webappsec.org/projects/waf_evaluation/) that aims at defining criteria for evaluating and comparing WAFs. When it's complete, hopefully it would be able to address people's needs and reduce the hype levels in the market. Thanks, -Amit
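The exchange above turns on two points: a device that only resets dodgy connections and leaves everything else alone may earn its keep, and a WAF that does not genuinely understand HTTP framing is one more component that can be confused. The following is an added example, not code from either poster, from WASC, or from any WAF product: a strict parser for an HTTP/1.x request head that returns "ok" only when the body length is signalled unambiguously, and otherwise a reason to reset the connection rather than forward or rewrite it. The sample requests are constructed, and the rejection policy (any duplicate Content-Length, any Content-Length alongside Transfer-Encoding, bare LF line endings, folded header lines) is my own choice and is stricter in places than RFC 7230 requires.

```python
import re

# Strict token syntax for header names (RFC 7230 tchar), hyphen placed last.
_TOKEN = re.compile(rb"[A-Za-z0-9!#$%&'*+.^_|~-]+")
_REQUEST_LINE = re.compile(r"[A-Z]+ \S+ HTTP/1\.[01]")


def parse_headers(raw: bytes):
    """Split a raw request head into (request_line, [(name, value), ...]).

    Raises ValueError for anything a strict inline device should not accept:
    no CRLFCRLF terminator, a bare LF inside the header block, obsolete
    line folding, or a header name that is not a valid token.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF terminator")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")  # non-ASCII raises (a ValueError subclass)
    if not _REQUEST_LINE.fullmatch(request_line):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if b"\n" in line:
            raise ValueError("bare LF inside header block")
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.fullmatch(name):
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return request_line, headers


def framing_verdict(raw: bytes) -> str:
    """Return 'ok' when exactly one unambiguous body-length signal is present,
    otherwise 'reject: <reason>'. Policy choices here are the example's own."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return "reject: " + str(exc)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "reject: both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return "reject: duplicate Content-Length"
    if cl and not cl[0].isdigit():
        return "reject: non-numeric Content-Length"
    if te and te[0].lower() != "chunked":
        return "reject: Transfer-Encoding other than plain 'chunked'"
    return "ok"


def should_reset(raw: bytes) -> bool:
    """The 'RST dodgy connections, leave the rest alone' decision."""
    return framing_verdict(raw) != "ok"


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 20\r\n\r\nhello")
BARE_LF = b"GET / HTTP/1.1\r\nHost: example.test\nX-Foo: bar\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl+te", CL_AND_TE),
                       ("dup-cl", DUP_CL), ("bare-lf", BARE_LF)):
        print(label, "->", framing_verdict(req))
```

The point of the design is that the device never guesses: any request whose framing two reasonable parsers could read differently is dropped at the connection level, and everything that passes is forwarded byte-for-byte, which is the "not a re-writing proxy" behaviour Andrew describes.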
Current thread:
- Can HTTP Request Smuggling be blocked by Web Application Firewalls? Amit Klein (AKsecurity) (Jun 21)
- Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls? Daniel (Jun 21)
- Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls? Amit Klein (AKsecurity) (Jun 21)
- Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls? Andrew van der Stock (Jun 21)
- Message not available
- Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls? Amit Klein (AKsecurity) (Jun 22)
- Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls? Daniel (Jun 21)