Sandeep, I understand that a WAF or XML gateway is application security risk mitigation software. But as application security engineers, how do we test the application? We may need to detect and/or bypass the WAF if required during penetration testing. Can you suggest a process, if you already know one?
Thanks in advance!

Regards
Amardeep T

On Mon, Jul 12, 2010 at 11:25 AM, Sandeep Thakur <[email protected]> wrote:
> Good question Phani,
>
> A WAF (a protection mechanism for defence in depth) is usually placed at the
> web server. The solution comes as a hardware or software implementation. A
> sample WAF placement diagram for your reference:
>
> User <--> Firewall <--> ISP <--> Internet <--> Firewall <--> (WAF) WebServer <--> Database
>
> 1) Early versions of WAFs would block HTTPS traffic in scenarios where it was
> not expected or not required.
>
> 2) Now, however, the software is capable of decrypting the encrypted traffic,
> of course with whatever key is required, once trust has been established
> between the web server and the WAF software. Refer to the software below for
> an example:
>
> http://www.breach.com/products/webdefend.html
>
> To know how it is possible to decrypt HTTPS, please refer to the other post:
>
> http://groups.google.com/group/nforceit/browse_thread/thread/53a9af19a9725ada?hl=en-GB_IN
>
> 3) Further, as you can see in the reference diagram above, the WAF can also be
> part of the web server itself. There also exists a multi-layered approach to
> WAFs, which provides even more advanced protection: every request or response
> is monitored at every layer. Refer to the tool link below:
>
> http://www.eeye.com/Products/SecureIIS-Web-Server-Security.aspx
>
> Team, those of you who know more than this can add more. Thanks!
>
> Regards
> Sandeep Thakur
>
> On Mon, Jul 12, 2010 at 9:48 AM, Phani <[email protected]> wrote:
> > How does a WAF work if the traffic is HTTPS?
> >
> > On Mon, Jul 12, 2010 at 9:22 PM, Amar Deep <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> A WAF is an operational security control which monitors HTTP traffic in
> >> order to protect web applications from attacks.
> >>
> >> The key elements in this definition are:
> >>
> >> 1) Operational control - a WAF protects applications in real time, rather
> >> than hardening them or fixing them in advance.
> >>
> >> 2) HTTP traffic - a WAF analyzes the traffic between the untrusted client
> >> and the web server.
> >>
> >> 3) Protect web applications - WAFs protect web applications. Mostly custom
> >> written and very dynamic, web applications are in many cases vulnerable and
> >> not well protected by other solutions.
> >>
> >> Differentiation
> >>
> >> Only by defining the method used to protect applications can a WAF be
> >> differentiated from other security solutions that inspect traffic, most
> >> notably IDS and IPS. To be a WAF, a system should:
> >>
> >> Have an intimate understanding of HTTP - while not of importance by itself,
> >> only by fully parsing and analyzing HTTP, breaking it into its elements
> >> including headers, parameters and payload, can a WAF effectively fulfil the
> >> following requirements and avoid evasion.
> >>
> >> Provide a positive security model - a positive security policy allows only
> >> things known to be valid to go through. This protection mechanism, sometimes
> >> called "white listing", provides an external input validation shield over the
> >> application. Too many web attacks cannot be reliably detected using
> >> signatures, making a signature-only solution not strong enough to protect web
> >> applications.
> >>
> >> Application layer rules - due to its high maintenance cost, a positive
> >> security model by itself is not effective enough to protect web applications
> >> and should be augmented by a signature based system. But since web
> >> applications are custom, traditional signatures targeting known
> >> vulnerabilities are not effective. WAF rules should be generic and detect
> >> any variant of an attack such as SQL injection.
> >>
> >> Session based protection - one of the biggest downsides of HTTP is the
> >> lack of a built-in reliable session mechanism. A WAF must complement the
> >> application's session management and protect it from session based and
> >> over-time attacks.
> >> Allow fine grained policy management - most notably, exceptions should be
> >> applied to only minimal parts of the application. If a system does not allow
> >> minimal exceptions, false positives force opening wide security gaps.
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "nforceit" group.
> >> To post to this group, send an email to [email protected].
> >> To unsubscribe from this group, send email to [email protected].
> >> For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
> >
> > --
> > Phani
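The properties Amar Deep lists above (full HTTP parsing to avoid evasion, a positive security model, generic application-layer rules rather than vulnerability-specific signatures, and minimal exceptions) can be shown in a small request inspector. The following is an added example written for this thread, not code from any product mentioned in it and not from any of the posters; the endpoints /login and /search, their parameters, the exemption for the login password, and the sample requests are all constructed for the example. The double-URL-encoded request is the kind of probe Amardeep would send when testing whether a WAF is in front of an application: a rule that only pattern-matches the raw bytes misses it, while the parsing inspector decodes the parameter and blocks it.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Positive security model: per-path whitelist of parameters and what each may
# contain. Paths and parameters are hypothetical, chosen for this example.
POLICY = {
    "/login": {
        "user": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
        "pass": re.compile(r".{1,64}"),
        "remember": re.compile(r"[01]"),
    },
    "/search": {
        "q": re.compile(r".{0,100}"),   # free text: only the generic rule protects it
        "page": re.compile(r"\d{1,3}"),
    },
}

# Generic application-layer rule: aims at the shape of SQL injection rather
# than at one known vulnerability. Illustrative and deliberately small.
SQLI_RULE = re.compile(r"""(?i)['"]\s*(or|and)\s+['"\d]|union\s+(all\s+)?select|--|/\*""")

# Fine-grained exception: the login password may contain anything the positive
# model permits, so the SQLi rule is not applied to it. This is the "minimal
# exception" from the thread, scoped to a single (path, parameter) pair.
SIGNATURE_EXEMPT = {("/login", "pass")}


def normalize(value: str) -> str:
    """Decode repeatedly until stable (bounded) so %2527 ends up as a quote."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")


def parse_request(raw: str):
    """Break a raw HTTP/1.1 request into method, path, headers and parameters."""
    request_line, _, rest = raw.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    header_blob, _, body = rest.partition("\r\n\r\n")
    headers = {}
    for line in header_blob.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)  # decodes once
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        params += parse_qsl(body, keep_blank_values=True)
    return method, url.path, headers, params


def inspect_request(raw: str):
    """Return ('allow', 'ok') or ('block', reason)."""
    _method, path, _headers, params = parse_request(raw)
    policy = POLICY.get(path)
    if policy is None:
        return "block", f"no policy for path {path}"
    for name, value in params:
        allowed = policy.get(name)
        if allowed is None:
            return "block", f"unexpected parameter {name!r}"
        value = normalize(value)
        if not allowed.fullmatch(value):
            return "block", f"parameter {name!r} fails positive model"
        if (path, name) not in SIGNATURE_EXEMPT and SQLI_RULE.search(value):
            return "block", f"parameter {name!r} matches SQLi rule"
    return "allow", "ok"


def naive_scan(raw: str) -> bool:
    """Signature match over the raw request with no parsing or decoding."""
    return SQLI_RULE.search(raw) is not None


# Constructed sample requests (not captured traffic).
CRLF = "\r\n"
BENIGN = f"GET /login?user=alice&pass=s3cret&remember=1 HTTP/1.1{CRLF}Host: app.example{CRLF}{CRLF}"
# q = x' OR '1'='1, URL-encoded twice: a typical probe when testing for a WAF.
DOUBLE_ENCODED = (
    f"GET /search?q=x%2527%2520OR%2520%25271%2527%253D%25271&page=1 HTTP/1.1{CRLF}"
    f"Host: app.example{CRLF}{CRLF}"
)
EXTRA_PARAM = f"GET /login?user=alice&pass=x&debug=1 HTTP/1.1{CRLF}Host: app.example{CRLF}{CRLF}"
EXEMPT_PASS = (
    f"POST /login HTTP/1.1{CRLF}Host: app.example{CRLF}"
    f"Content-Type: application/x-www-form-urlencoded{CRLF}{CRLF}"
    f"user=bob&pass=it%27s--fine"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("double-encoded", DOUBLE_ENCODED),
                       ("extra-param", EXTRA_PARAM), ("exempt-pass", EXEMPT_PASS)]:
        print(f"{label:15} parsed={inspect_request(req)} naive={naive_scan(req)}")
```

Running it shows the contrast the thread draws: the double-encoded probe is allowed by the raw-bytes scan but blocked after parsing, the unexpected `debug` parameter is blocked by the positive model alone, and a password containing `--` is allowed only because the exception is scoped to that one parameter, whereas the raw scan would have produced a false positive there.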
