Week of War on WAF's: Day 3 -- Language specific
This post comes via WAF thoughts from Christian Matthies's blog circa one year ago. Christian starts out with a bang:
[...] it seemed to me that quite a lot of people aren't aware of how effective such solutions in fact are. Basically I agree that different layers of protection [are] always a good idea to get at least close to a status that can considered to be secure.
In christ1an's post, The real effectiveness of current WAF, he speaks rather positively about WAF technology, but ends on a rather sour note:
[...] these solutions are actually doomed to fail by design [...] unless a Web application firewall is implemented exclusively for a specific language, it is very likely to be insecure and therefore using them should be well considered.
He makes some interesting points that you should certainly check out. Best -- this jives with what Fortify research on dynamic taint propagation discussed in their recent OWASP AppSec EU 2008 presentation, ` <http://www.owasp.org/index.php/AppSecEU08_The_Dynamic_Taint_Propagation_Finding_Vulnerabilities_Without_Attacking>`_Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking [PPT]-- and paper, Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output [PDF].
christ1an seems positive about Mario Heiderich's PHPIDS Monitoring attack surface activity [PPT] web application attack `detection' work (also presented at OWASP AppSec EU 2008). Fortify, on the other hand, seemed bullish on the CORE GRASP attack `prevention' project (also for PHP).
With regards to XSS and SQL injection attacks, this work is nice because as some of us know -- neither attack is primarily about input validation. SQL injection is a software weakness that can be prevented through parameterized queries with binding of all variables (thanks, Jim Manico, for this verbiage). Cross-site scripting (and particular variations such as HTML/CSS/JS injection) is a software weakness that can be prevented by output encoding (although for exhaustive methods, check out the work by Arshan Dabirsiaghi in the OWASP AntiSamy Project).
Now if we could only start to talk about the other 600+ software weaknesses and their root-causes and strongest defense strategies.blog comments powered by Disqus