Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls?

["Amit Klein (AKsecurity)" <aksecurity () hotpop com>]

Hi Andrew,

On 22 Jun 2005 at 16:17, Andrew van der Stock wrote:

> Amit,
>
> I feel that the WAF in this case would increase the likelihood of a  
> HTTP smuggling attack as it participates in the flow, and more than  
> likely interprets HTTP requests differently than pretty much  
> everything else out there. 

Yes, that is possible (as I hinted in my message), if the WAF is between the devices, or if 
the WAF itself is the object of the attack.

If they RST'd dodgy connections and left  
> alone all others, then maybe these devices serve a purpose, but if  
> it's a re-writing proxy, it has to affect the flow.

I agree.

> <rant = on>
>
> I have been struggling with the point of "security" HTTP proxies  
> recently in several of the projects I've been involved with. The  
> projects were infected by sales people who say "Buy this widget, and  
> all your security problems are over". Nothing could be further from  
> the truth. I recently lost a battle to remove a virus scanning web  
> proxy on a private leased line which transmitted XML provided by MQ  
> Series. The impetus to buy useless things to solve non-existent  
> problems is troubling.
>
> In my view, unless a proxy understands the underlying data and pages,  
> or XML DTDs if it is looking at SOAP requests, I feel the additional  
> burden of the proxies is rarely worthwhile and just adds one more  
> component which may be abused.
>
> </rant>

Oh, I wouldn't throw the baby out with the bath water. I think that WAFs (at least in 
theory) are basically good things. I haven't seen a perfect one yet - they all have their 
problems. But I wouldn't dismiss them as useless. 
Don't get me wrong - there are certainly cases where buying and deploying WAF is absurd, 
and there are probably many cases where WAFs are sold as a solution to world hunger, but 
that shouldn't blur our technical view - of what WAFs can and can't do.

I fully agree to the second part of your rant. If a WAF can't understand HTTP, and the 
application logic, and SOAP/XML (if it's supposed to handle XML and web services), then 
obviously it's missing a core security functionality. Merely deploying a simple (mindless) 
HTTP proxy is not going to help in most situations (I believe that's what you're saying).

> Security vendors should perform strict conformance testing and make  
> those results available to potential customers. Something like the  
> old IPsec and cache bake offs or industry certification that these  
> devices are truly RFC compliant would be nice.

Hear! Hear! ;-)

I'll have you know that WASC (Web Application Security Consortium) works on a project 
called  "Web Application Firewall Evaluation Criteria"  
(http://www.webappsec.org/projects/waf_evaluation/) that aims at defining criteria for 
evaluating and comapring WAFs.
When it's complete, hopefully it would be able to address people's needs and reduce the 
hype levels in the market.

Thanks,
-Amit