WebApp Sec mailing list archives
Re: WAF functionality ala OWASP London Meeting
From: "Michael Silk" <michaelslists () gmail com>
Date: Thu, 4 May 2006 09:49:26 +1000
... what? the WAF is set up at the server side, so the request has already been sent and received. Too late for the WAF to say "well I won't deliver this to the page, as it's visible in the URL ..." Or do you mean to stop GET for some other reason? Or are you asking the WAF to re-write the html presented by the webserver so that <form method="get"> becomes <form method="post"> where action="authenticationPage" ? -- Michael On 5/4/06, Eoin <eoinkeary () gmail com> wrote:
Hello WAF Vendors, After discussing this with Dinis (Mr Cruz)....... Is there any way to disable HTTP GET requests for authentication pages in any of the current application security firewall offerings? Many applications I review accepts authentication via GET and POST, I don't want GET to work, can you of the cu rent firewalls prevent certain HTTP methods for particular URL's (context sensitive rules)??? To make things a little more difficult, In the case of .NET, postbacks would be used also so its not always as simple as blocking a URL with a certain HTTP method, as the home page URL may be the same as the "submission" URL. What direction would your App Layer firewalls go to solve this problem. Many vendors say "don't trust developers, use our product instead", well OK I wont trust the developer here, can any of your tools do this? Thanks, Eoin -- Eoin Keary OWASP - Ireland
------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- WAF functionality ala OWASP London Meeting Eoin (May 03)
- Re: WAF functionality ala OWASP London Meeting Michael Silk (May 03)
- Re: WAF functionality ala OWASP London Meeting Jason (May 04)
- <Possible follow-ups>
- RE: WAF functionality ala OWASP London Meeting Omar Salvador Alcalá Ruiz (May 03)