Amit,
I feel that the WAF in this case would increase the likelihood of a
HTTP smuggling attack as it participates in the flow, and more than
likely interprets HTTP requests differently than pretty much
everything else out there. If they RST'd dodgy connections and left
alone all others, then maybe these devices serve a purpose, but if
it's a re-writing proxy, it has to affect the flow.
<rant = on>
I have been struggling with the point of "security" HTTP proxies
recently in several of the projects I've been involved with. The
projects were infected by sales people who say "Buy this widget, and
all your security problems are over". Nothing could be further from
the truth. I recently lost a battle to remove a virus scanning web
proxy on a private leased line which transmitted XML provided by MQ
Series. The impetus to buy useless things to solve non-existent
problems is troubling.
In my view, unless a proxy understands the underlying data and pages,
or XML DTDs if it is looking at SOAP requests, I feel the additional
burden of the proxies is rarely worthwhile and just adds one more
component which may be abused.
</rant>
Security vendors should perform strict conformance testing and make
those results available to potential customers. Something like the
old IPsec and cache bake offs or industry certification that these
devices are truly RFC compliant would be nice.
Andrew
On 22/06/2005, at 6:24 AM, Amit Klein (AKsecurity) wrote:
Yesterday, NetContinuum announced
(http://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=52)
that their NC-1000
Application Security Gateway protects against HTTP Request Smuggling.
I find this weird. The essence of HTTP Request Smuggling
(http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) is
that two HTTP-aware
devices (e.g. web server and cache/proxy server) interpret the data
stream differently.
