WebApp Sec mailing list archives

Re: WAF functionality ala OWASP London Meeting

From: "Michael Silk" <michaelslists () gmail com>
Date: Thu, 4 May 2006 09:49:26 +1000

... what?

the WAF is set up at the server side, so the request has already been
sent and received. Too late for the WAF to say "well I won't deliver
this to the page, as it's visible in the URL ..."

Or do you mean to stop GET for some other reason?

Or are you asking the WAF to re-write the html presented by the
webserver so that <form method="get"> becomes <form method="post">
where action="authenticationPage" ?

-- Michael


On 5/4/06, Eoin <eoinkeary () gmail com> wrote:

Hello WAF Vendors,

After discussing this with Dinis (Mr Cruz).......

Is there any way to disable HTTP GET requests for authentication pages
in any of the current application security firewall offerings?

Many applications I review accepts authentication via GET and POST, I don't
want GET to work, can you of the cu rent firewalls prevent certain
HTTP methods for particular URL's  (context sensitive rules)???

To make things a little more difficult,

In the case of .NET, postbacks would be used also so its not always as
simple as blocking a URL with a certain HTTP method, as the home page
URL may be the same as the "submission" URL.

What direction  would your App Layer firewalls go to solve this
problem. Many vendors say "don't trust developers, use our product
instead", well OK I wont trust the developer here, can any of your
tools do this?

Thanks,
Eoin

--
Eoin Keary OWASP - Ireland


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------

Current thread:

WAF functionality ala OWASP London Meeting Eoin (May 03)
- Re: WAF functionality ala OWASP London Meeting Michael Silk (May 03)
- Re: WAF functionality ala OWASP London Meeting Jason (May 04)
- <Possible follow-ups>
- RE: WAF functionality ala OWASP London Meeting Omar Salvador Alcalá Ruiz (May 03)