Saturday, June 28, 2008

breach waf foo

work has been keeping me busy lately... first official web app pen work was a coldfusion site, paros falsed a lot, but i managed to get some manual sqli and a few other things... fighting a waf :-\ still gotta bang that out some more and get around to writing the report... ;)

anywho, breach came by the office the other day. talked to the engineer about the technical aspects of their offering, which involves 4 ways of protecting your apps (i don't remember them all). their waf box sits out of line on a span/mirror and does the job via sending resets.

they do some analysis on your production traffic to build what boils down to a pattern matching ruleset for how your app works on the network. "this is always an integer" and "this is always a string w/ no special chars", etc. i'm sure this is understating the tech, but yea...
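to make the "this is always an integer" idea concrete, here's a toy version of that learn-from-traffic positive-security model. this is my own added example, not breach's code and not how their box actually does it: the sample "production" requests are constructed, the int/plain/any classes and the 2x length bound are arbitrary choices of mine, and `learn`/`check` are just illustrative names.

```python
# Added example: a toy positive-security WAF profile learned from observed traffic,
# in the spirit of "param X on path Y is always an integer". Not Breach's code.
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of "production" requests the learner would see on a SPAN port.
LEARN_TRAFFIC = [
    "/product?id=17&sort=asc",
    "/product?id=2048&sort=desc",
    "/search?q=red+shoes&page=1",
    "/search?q=blue%20hat&page=3",
    "/product?id=7",
]

INT_RE = re.compile(r"^-?\d+$")
WORD_RE = re.compile(r"^[A-Za-z0-9_ ]*$")   # letters, digits, space, underscore only

# Class lattice (arbitrary for this example): int < plain < any. Learning only ever
# widens a parameter's class; enforcement flags values wider than what was learned.
ORDER = {"int": 0, "plain": 1, "any": 2}


def classify(value):
    """Bucket a single parameter value into the narrowest class it fits."""
    if INT_RE.match(value):
        return "int"
    if WORD_RE.match(value):
        return "plain"
    return "any"


def learn(requests):
    """Build {(path, param): {"class", "max_len"}} from observed request targets."""
    profile = {}
    for r in requests:
        u = urlsplit(r)
        for name, value in parse_qsl(u.query, keep_blank_values=True):
            key = (u.path, name)
            cls = classify(value)
            entry = profile.setdefault(key, {"class": cls, "max_len": len(value)})
            if ORDER[cls] > ORDER[entry["class"]]:
                entry["class"] = cls            # widen: we saw something broader
            entry["max_len"] = max(entry["max_len"], len(value))
    return profile


def check(profile, request, unknown_is_violation=True):
    """Return a list of violations; an empty list means the request fits the profile."""
    u = urlsplit(request)
    violations = []
    for name, value in parse_qsl(u.query, keep_blank_values=True):
        entry = profile.get((u.path, name))
        if entry is None:
            # Never seen in training: treat as a violation or let it through (policy choice).
            if unknown_is_violation:
                violations.append(f"{name}: never seen on {u.path}")
            continue
        cls = classify(value)
        if ORDER[cls] > ORDER[entry["class"]]:
            violations.append(f"{name}: expected {entry['class']}, got {cls} ({value!r})")
        if len(value) > 2 * entry["max_len"]:   # crude length bound; the 2x factor is arbitrary
            violations.append(f"{name}: length {len(value)} exceeds learned bound")
    return violations


if __name__ == "__main__":
    prof = learn(LEARN_TRAFFIC)
    for req in ["/product?id=99", "/product?id=1%20OR%201%3D1", "/product?id=5&debug=1"]:
        print(req, "->", check(prof, req) or "ok")
```

the obvious caveat: the profile is only as good as the traffic it learned from, so a parameter that legitimately takes free text during the learning window ends up as "any" and gets no protection at all, and a parameter nobody exercised during learning is a policy decision (block it and you break the app the first time a real user hits it, allow it and it's an unguarded door).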

so that got me thinking, what if someone just has a dork for whatever your vuln is and their only interaction w/ you is the one session where they actually perform the attack, which is prepackaged for your vuln and requires no interaction (i.e. the recent mass sqli attacks). the WAF doesn't see the full attack until it has analyzed the packet(s), by which time the original copy of the malicious payload is on the nic of your web app server. the reset will come too late.

which brings about one of those other types of protection, which is a client shim in the TCP/IP stack which will inspect the packet for malicious payloads prior to releasing it on up to the application layer. so i guess if a waf is kinda like an ids at the app layer, the breach client is like a host ids.... "host web application firewall", better known as a "hwaf" (said w/ lots of throat noises ;)

another feature is that they support some common firewall feature set used so the appliance can request dynamic ruleset changes. i can't recall what it is named, and haven't googled around to find out more about it yet. but that bit got me thinking about how grossman started combining VA and WAF, so i asked the guy if he'd heard of it and if breach was planning anything in that space. he had no idea, but then he told me this other interesting bit...

he said that now that they had a device monitoring application traffic, people have been realizing that it can be used as an application monitoring / health-check device. watching for broken links, error messages, and basically becoming an analysis and maintenance tool... reminds me of a nms for your application layer... damn nifty, and it makes so much sense... but my response was: be careful, much more of that and you won't be a security company anymore ;)
