
WAF learning ability limitation?

Subject: WAF learning ability limitation?
Date: Fri, 19 May 2006 18:04:25 +0100
Hi,

I listened to the recent London WAF mp3s. Thanks for those!

One thing I heard was that the WAFs worked in two main ways:
1. specific input parameters (input fields) policies to defend against
particular vulnerabilities, and more generally they were
2. learning what users put into input boxes and could form their own
dynamic reg exp protection.

But can a dynamic website which generates randomly named input fields be protected? Perhaps Fortify would more easily be able to link in with this type of application specific code as it hooks into the app logic. In other words, if the form input fields have un-guessable randomly changing names, resulting in randomly changing parameters that need to be checked against reg exp policies, could a WAF cope?


The app was designed this way to enforce work flow, and control the GET-POST (rather than just POST, POST....) cycle, to stop scraping and other "remote/off-site" POST attacks. A back-end heap/memory table was used to keep track of the (pseudo-hash) <> (input field parameter name) mappings. The attacker had to keep coming back for more valid names before submitting more carefully crafted garbage.

Perhaps this is just a silly eccentric solution and never likely to be
used in the real world.

matt



--form example (response 1)--

<form method="post">
<input type="text" name="input_KL23JgrtIsuqwKjh5cTgt" />
<input type="text" name="input_KNi5s4TgfR5GkUYdk09" />
<input type="submit" value="submit" />
</form>

--form example (response 2) - after page refresh/post--

<form method="post">
<input type="text" name="input_Ksdg3r5XI7u86Dwjhdscyjljgt" />
<input type="text" name="input_asfsdgyuXkl78dr54GdrfgdF09" />
<input type="submit" value="submit" />
</form>

etc...
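
Added example, not part of the original post and not the application's own code: the back-end table described above, written in Python, with the reg exp policy applied after the random names are mapped back to real field names. The class name, the real field names "username" and "age", and the policies are assumptions made for illustration.

```python
import re
import secrets

# Assumed validation policy, keyed by the application's real field names.
POLICY = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "age": re.compile(r"[0-9]{1,3}"),
}


class FieldNameTable:
    """Back-end table of (random field name) -> (real field name)."""

    def __init__(self):
        self._names = {}

    def render(self, real_names):
        """Issue fresh random names for one form; returns random -> real."""
        issued = {"input_" + secrets.token_urlsafe(16): n for n in real_names}
        self._names.update(issued)
        return issued

    def submit(self, posted):
        """Map posted names back to real names, then apply the policy."""
        clean = {}
        for random_name, value in posted.items():
            # Each issued name is valid once; a replayed or guessed name fails.
            real = self._names.pop(random_name, None)
            if real is None:
                raise ValueError("unknown or already-used field name")
            if not POLICY[real].fullmatch(value):
                raise ValueError("value rejected by policy for " + real)
            clean[real] = value
        return clean


if __name__ == "__main__":
    table = FieldNameTable()
    issued = table.render(["username", "age"])
    by_real = {real: rnd for rnd, real in issued.items()}
    post = {by_real["username"]: "matt", by_real["age"]: "30"}  # constructed input
    print(table.submit(post))
    try:
        table.submit(post)  # same names again, without a new GET
    except ValueError as err:
        print("replay refused:", err)
```

Because the policy is keyed on the real field name, it can only be enforced by a component that can read the mapping table.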



