Comments on: ESAPI Web Application Firewall released! http://i8jesus.com/?p=96 because arshan's too cheap to license OneNote Wed, 01 Sep 2010 06:10:02 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: kuza55 http://i8jesus.com/?p=96&cpage=1#comment-26862 kuza55 Sat, 19 Dec 2009 01:11:21 +0000 http://i8jesus.com/?p=96#comment-26862 I have no issues with ESAPI in terms of attack surface, any addition is minimal IMO, but I would never want to put a WAF written in a memory unsafe language in front of a web application written in a memory safe language. Also, I'd read this mail if I were you: http://lists.immunitysec.com/pipermail/dailydave/2009-August/005837.html Even if writing a fuzzer->exploit is out of the range of the attackers you want to prevent, 2k USD is well within the range of someone who wants to make some $$/fuck some shit up, especially given who runs that WAF. That device is hardened a little, but nowhere near as hardened as it should have been. I have no issues with ESAPI in terms of attack surface, any addition is minimal IMO, but I would never want to put a WAF written in a memory unsafe language in front of a web application written in a memory safe language.

Also, I’d read this mail if I were you: http://lists.immunitysec.com/pipermail/dailydave/2009-August/005837.html

Even if writing a fuzzer->exploit is out of the range of the attackers you want to prevent, 2k USD is well within the range of someone who wants to make some $$/fuck some shit up, especially given who runs that WAF.

That device is hardened a little, but nowhere near as hardened as it should have been.

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=96&cpage=1#comment-26842 arshan dabirsiaghi Fri, 18 Dec 2009 14:17:44 +0000 http://i8jesus.com/?p=96#comment-26842 I think you misunderstood our usage of egress filtering. A stateful "is-this-user-causing-problems" mechanism is more a theme to the AppSensor project, not the ESAPI WAF. Our usage of egress filtering is watching outbound data for known sensitive data formats, type-I XSS payloads, etc. Yup RE: 0day still being present. Nope RE: better off. Most of the enterprises out there have serious lag time between time to discovery and time to fix. Even sometimes for high risk vulnerabilities I see 40+ days before a patch is delivered. And by the way, there's no guarantee the patch actually fixes the problem and doesn't introduce a new one. RE: attack surface. At layer 8 I think we can firmly conclude that the WAF has the ability to remove more attack surface than it adds, assuming competent operation. For commercial products operating at layer 6/7, they probably do add some limited attack surface, assuming they're all built with native code. I also (possibly wrongly) assume they're running on SELinux/grsecurity/Vista w/ ASLR&DEP/(closest equivalent for their OS). The cost of exploit development in a platform like that is higher than most classes of attackers can afford technically or financially. But anyway, there's for other companies to deal with, it's not a problem I have. =) The WAF is for development teams mature in the world of application security. It's strictly intended for virtual patches. Whether its used appropriately I can't control. The bottom line, to me, is that I would want this as an application owner. It gives me short term solutions that I didn't have before. I think you misunderstood our usage of egress filtering. A stateful “is-this-user-causing-problems” mechanism is more a theme to the AppSensor project, not the ESAPI WAF. Our usage of egress filtering is watching outbound data for known sensitive data formats, type-I XSS payloads, etc.

Yup RE: 0day still being present. Nope RE: better off. Most of the enterprises out there have serious lag time between time to discovery and time to fix. Even sometimes for high risk vulnerabilities I see 40+ days before a patch is delivered. And by the way, there’s no guarantee the patch actually fixes the problem and doesn’t introduce a new one.

RE: attack surface. At layer 8 I think we can firmly conclude that the WAF has the ability to remove more attack surface than it adds, assuming competent operation.

For commercial products operating at layer 6/7, they probably do add some limited attack surface, assuming they’re all built with native code. I also (possibly wrongly) assume they’re running on SELinux/grsecurity/Vista w/ ASLR&DEP/(closest equivalent for their OS). The cost of exploit development in a platform like that is higher than most classes of attackers can afford technically or financially. But anyway, there’s for other companies to deal with, it’s not a problem I have. =)

The WAF is for development teams mature in the world of application security. It’s strictly intended for virtual patches. Whether its used appropriately I can’t control.

The bottom line, to me, is that I would want this as an application owner. It gives me short term solutions that I didn’t have before.

]]> By: kuza55 http://i8jesus.com/?p=96&cpage=1#comment-26798 kuza55 Thu, 17 Dec 2009 12:20:03 +0000 http://i8jesus.com/?p=96#comment-26798 To be honest, the only part of a WAF I would be concerned about is egress filtering, it's a little hard to test custom webapps without ever triggering an error. You could limit yourself to a subset of test you're pretty sure wouldn't cause an error and try to detect weird app behaviour, but that can be a pain. The reason virtual patches don't worry me so much is because the worst case is the attack gets blocked; I don't lose my 0day in your webapp, because, well, you already know about it. Egress filtering & general rules mean I can be worse off than if you didn't have a WAF and had just patched the vuln. Also, if there's a WAF between me and the target, I'd bet on me getting through. Also, your "Is criticism stupid?"-ometer should probably meet a friend of mine called reliable heap overflow. Seriously. Obviously this isn't so much of a problem for ESAPI as it is for other products, but it doesn't make the criticism stupid. To be honest, the only part of a WAF I would be concerned about is egress filtering, it’s a little hard to test custom webapps without ever triggering an error. You could limit yourself to a subset of test you’re pretty sure wouldn’t cause an error and try to detect weird app behaviour, but that can be a pain.

The reason virtual patches don’t worry me so much is because the worst case is the attack gets blocked; I don’t lose my 0day in your webapp, because, well, you already know about it. Egress filtering & general rules mean I can be worse off than if you didn’t have a WAF and had just patched the vuln. Also, if there’s a WAF between me and the target, I’d bet on me getting through.

Also, your “Is criticism stupid?”-ometer should probably meet a friend of mine called reliable heap overflow. Seriously.
Obviously this isn’t so much of a problem for ESAPI as it is for other products, but it doesn’t make the criticism stupid.

]]> By: Mr. Huddle: The Easiest Way To Keep Up With Your Communities http://i8jesus.com/?p=96&cpage=1#comment-25428 Mr. Huddle: The Easiest Way To Keep Up With Your Communities Wed, 18 Nov 2009 08:20:30 +0000 http://i8jesus.com/?p=96#comment-25428 [...] | The-iBlog The-iBlog - Your source for iPhone and Apple news and help. 2 Likes ESAPI Web Application Firewall released! « omg.wtf.bbq. 2 Likes Yfrog - g0gm - Uploaded by rogueclown YFrog - Share your images and [...] [...] | The-iBlog The-iBlog – Your source for iPhone and Apple news and help. 2 Likes ESAPI Web Application Firewall released! « omg.wtf.bbq. 2 Likes Yfrog – g0gm – Uploaded by rogueclown YFrog – Share your images and [...]

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=96&cpage=1#comment-25321 arshan dabirsiaghi Mon, 16 Nov 2009 15:32:08 +0000 http://i8jesus.com/?p=96#comment-25321 updated the post, sorry! updated the post, sorry!

]]> By: Erwin Geirnaert http://i8jesus.com/?p=96&cpage=1#comment-25299 Erwin Geirnaert Mon, 16 Nov 2009 09:10:10 +0000 http://i8jesus.com/?p=96#comment-25299 Hi Arshan, Where are the slides? Best regards, Erwin Hi Arshan,

Where are the slides?

Best regards,

Erwin

]]>