
Protocol-level evasion of web application firewalls

July 25, 2012

Web application firewalls have come a long way from their modest beginnings more than a decade ago. They are now an accepted security best practice and have a significant role in compliance. But there is still a lot left to do before they can unlock their full potential.

There is one aspect in particular that interests me a great deal, and that is the ability of end users to verify the operation of WAFs and measure their technical quality. Understandably, vendors are reluctant to talk about the weaknesses in their products. However, understanding the weak points is critical for effective deployments. We cannot claim to have achieved any level of security otherwise. As always with these things, we should assume that our adversaries already know about those weaknesses; but how can we know too? Simple: by forcing the issue out in the open.

Today at Black Hat we (Qualys) are announcing a new research project on protocol-level evasion of web application firewalls. This type of evasion focuses on the low-level operation of WAFs, aiming to exploit small differences between how WAFs see traffic and how backend web servers and applications see it. If you get the WAF to see something different from what the backend is seeing, you have an evasion opportunity that could possibly be used to execute any attack type without detection.

I spent a great deal of effort on protocol-level evasion in my years of working on ModSecurity (an open source web application firewall I started in 2002, and worked on until 2009). I imagine all WAF manufacturers spend a lot of effort in this area, yet this topic is seldom discussed in public. It is our aim to change this. Our focus on protocol-level evasion is part of our work on IronBee, a new open source web application firewall we are building at Qualys.

Attached to this post is our research paper, which focuses on request path, parameter, and multipart/form-data evasion. Also attached are the Black Hat talk slides that introduce the research. The testing suite (a sort of research toolkit) is in the IronBee WAF Research repository on GitHub.
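To illustrate the parameter-parsing differences this post talks about, here is an added example of my own (not code from the paper or from the IronBee research repository): three constructed query-string parsing conventions stand in for the views a WAF and a backend might take, and a check reports every parameter on which they disagree, which is the kind of comparison an operator needs to verify that a WAF inspects the same data the application will act on.

```python
from urllib.parse import unquote

# Constructed parsers standing in for a WAF's and a backend's view of a query
# string; if the two sides disagree, the WAF inspects data the backend never uses.

def _pairs(raw):
    """Split a query string into (key, value) pairs without decoding."""
    for part in raw.split("&"):
        if part:
            key, _, value = part.partition("=")
            yield key, value

def parse_first_wins(query):
    """Decode each pair separately; the first occurrence of a key wins."""
    params = {}
    for key, value in _pairs(query):
        params.setdefault(unquote(key), unquote(value))
    return params

def parse_last_wins(query):
    """Decode each pair separately; the last occurrence of a key wins."""
    return {unquote(k): unquote(v) for k, v in _pairs(query)}

def parse_decode_then_split(query):
    """Sloppy variant: percent-decode the whole string, then split, so an
    encoded separator is treated as a real one."""
    return dict(_pairs(unquote(query)))

VIEWS = {
    "first-wins": parse_first_wins,
    "last-wins": parse_last_wins,
    "decode-then-split": parse_decode_then_split,
}

def disagreements(query):
    """Return {param: {view: value-or-None}} for every parameter on which the
    conventions disagree; an empty dict means every view sees the same request."""
    results = {name: fn(query) for name, fn in VIEWS.items()}
    keys = set().union(*(r.keys() for r in results.values()))
    out = {}
    for key in sorted(keys):
        seen = {name: r.get(key) for name, r in results.items()}
        if len(set(seen.values())) > 1:
            out[key] = seen
    return out

if __name__ == "__main__":
    # Constructed sample query strings, not taken from the paper.
    for q in ["a=1&b=2", "id=1&id=2", "q=a%26b%3Dc"]:
        print(q, "->", disagreements(q) or "all views agree")
```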