Thursday, May 14, 2009

Web Application Firewalls Hacked

Researchers Hack Web Application Firewalls

OWASP Europe presentation demonstrates tools that fingerprint the brand of WAF, as well as bypass it altogether

By Kelly Jackson Higgins | DarkReading

A pair of researchers at the OWASP Europe 2009 conference on Wednesday showed how some Web application firewalls (WAFs) are prone to attack.

Wendel Henrique, a member of SpiderLabs (Trustwave's advanced securityteam), and Sandro Gauci, founder and CSO for EnableSecurity, also foundsome WAFs vulnerable to the same types of exploits they are supposed toprotect Web apps from, such as cross-site scripting (XSS) attacks.


The researchers used a tool they developed, called WafW00f, todetect and fingerprint the presence -- and in some cases, the brand --of a WAF running in front of a Web application. A second tool createdby Henrique and Gauci, called WafFun, let them exploit and bypass WAFsrunning in blacklisting and whitelisting modes. With a combination ofWafW00f and WafFun, the researchers are able to execute attacks on theWAF invisibly so they can successfully hack the Web-facing applicationsitting behind it.

Editor's Note:  So let me get this straight...HTTTPS is HTTBS and Firewalls are useless.   4 Questions: 
  • Are you starting to see how unsafe a web browser is? 
  • Are you starting to see why financial transactions SHOULD NEVER be done in a web browser space? 
  • Are you starting to see why HomeATM engineered, patented and manufactures the ONLY PCI 2.0 PED designed for eCommerce use? 
  • Are you starting to see that the 3DES end to end encryption of cardholder data with DUKPT key management is the safest and most secure way to provide consumers and merchants from hackers?      

"If an attacker knows what product and version, it's easy toexploit it. One of the things [WAF] vendors claim is that they[operate] in stealth [mode]," Henrique says. "But in practice, theyhave a lot of different behaviors that they create...and you can usethose behaviors to identify what WAF is in place."

Continue DarkReading


Reblog this post [with Zemanta]

Disqus for ePayment News