Tool Released at Black Hat Contains 150 Ways to Bypass Web Application Firewalls
A tool for testing whether Web application firewalls (WAFs) are vulnerable to about 150 protocol-level evasion techniques was released at the Black Hat USA 2010 security conference on Wednesday.
The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.
Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.
However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
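As an added illustration (not part of the original article and not code from Ristic's tool), the following Python sketch shows why a rule that matches on the raw request path can be sidestepped by simple path rewriting, and how canonicalizing the path before matching closes that gap. The rule set and the sample request paths are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rule: block direct access to an admin area (example only, not a real WAF rule set).
BLOCKED_PREFIXES = ("/admin",)


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to the form a typical backend would route on.

    Steps: drop the query string, percent-decode until stable (catches double
    encoding), treat backslash as a separator, collapse repeated slashes and
    dot segments, then case-fold. A WAF that matches on this form sees the
    same path the application sees.
    """
    path = raw_path.split("?", 1)[0]
    previous = None
    while path != previous:          # decode repeatedly: "%2561" -> "%61" -> "a"
        previous = path
        path = unquote(path)
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)  # posixpath.normpath keeps a leading "//", so collapse first
    path = posixpath.normpath(path)  # resolves "/./" and "/../" segments
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def naive_is_blocked(raw_path: str) -> bool:
    """Rule applied to the raw path: the weak behaviour the article describes."""
    return raw_path.startswith(BLOCKED_PREFIXES)


def hardened_is_blocked(raw_path: str) -> bool:
    """Same rule applied after canonicalization."""
    return canonicalize_path(raw_path).startswith(BLOCKED_PREFIXES)


def compare(paths):
    """Return (raw_path, naive_verdict, hardened_verdict) for each constructed path."""
    return [(p, naive_is_blocked(p), hardened_is_blocked(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample requests: all reach /admin on a backend that normalizes this way.
    for row in compare(["/admin", "/%61dmin/", "/static/../Admin", "//admin?x=1"]):
        print(row)
```

The naive check only flags the first path; the hardened check flags all four, which is the gap a protocol-level evasion test suite is designed to expose.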
The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it's reasonable to assume that other WAFs are vulnerable to some of them as well.
In fact, Ristic said he shared a few of the techniques with others during the research phase and that they had tested them successfully against some commercial WAF products.
Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic's presentation that the evasion methods are a problem for the industry. Ergon recently identified some similar techniques that worked against its product and has addressed them, he said.
By making his research public, Ristic hopes to kick-start a discussion in the industry about protocol-level and other types of evasion. A wiki has also been set up with the aim of building a freely available catalog of WAF evasion techniques.
If vendors and security researchers don't document the problems and make them known, WAF developers will make the same mistakes again and again, Ristic said.
In addition, the availability of the testing tool will allow users to discover which WAF products are vulnerable and hopefully push vendors to fix them.
Vendors have various priorities and don't normally fix things unless there's a real risk to their customers, Ristic said. This project will hopefully generate the necessary incentive for them to deal with these issues, he said.
Dohner welcomed the initiative and believes that it will benefit WAF developers and users alike.
Source: https://www.pcworld.com/article/460183/tool_released_at_black_hat_contains_150_ways_to_bypass_web_application_firewalls.html