You are referring to a certain WAF technology, not to WAFs in general. A WAF
should certainly not block a single quote by default.
WAFs have gone a long way in the 10 years they exist. I personally believe
that real time app sec controls are absolutely necessarily to protect web
applications. If the technology available at the time you looked into it was
not good enough, it might be good enough today, and if still not suitable
for a specific application today, it will be tomorrow.
~ Ofer
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Henry Troup
Sent: Sunday, January 13, 2008 7:03 PM
To: Ivan Ristic; B Snake
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?
For a while, I had the unpleasant experience of having a customer-support
forum behind a WAF set for certain kinds of blocking. The result was that
single quotes - such as "I can't make this work" - got postings rejected.
Now obviously, that's the kind of thing you want to configure out. But
until you do, it's absolutely painful and embarassing.
Henry Troup
htroup@acm.org
----- Original Message -----
From: "Ivan Ristic" <ivan.ristic@gmail.com>
To: "B Snake" <bsnak3@gmail.com>
Cc: <websecurity@webappsec.org>; <webappsec@securityfocus.com>
Sent: Sunday, January 13, 2008 4:54 AM
Subject: Re: [WEB SECURITY] Deploying WAFs In Listening-Only Mode - Waste of
Money?
On Jan 12, 2008 3:55 PM, B Snake <bsnak3@gmail.com> wrote:
It seems like 90+% of companies that implement WAFs deploy them in
listening-only mode and don't do any blocking for fear of false positives
cutting off legitimate user activity.
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed? What
tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
