So, instead of people asking for responses about particular WAFs, I thought it might be better (and more amusing) to simply list the WAFs we know how to bypass, or have actual vulnerabilities in/exploits for.

Now, I realise everyone's a hippy and wants their free info, but I don't want to be awfully specific about the exact vulnerabilities, so you're going to have to take this on faith.
If anyone wants to post details, I can't stop you, but (as much as this seems to be acceptable development methodology) I'm not planning on posting details here so that WAF vendors can go do spot-fixes and keep claiming their stuff is secure because there are no known bypasses.

Feel free to chime in with a product you have a bypass for (for a common situation, e.g. generic filter evasion (aka, this WAF might as well not be there), or generic directory traversal filter evasion, etc) or have a vulnerability in (please don't post things like reflected xss/csrf in the management interface, scout's honour and all), even if it's been listed before, this way people can get a feeling for how common the knowledge is too.



So, without further ado, let me introduce WAFs I personally know are useless (or worse):

F5 ASM

Imperva's WAF (sorry, forgot the name)

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

While I hate most WAFs, it's funny I think F5's is the best out of all of them. Sucks out of the box, but if you spend a week configuring you can get a shitload of functionality out of it.

I can't say the same for Imperva or Breach.

-id

* modsecurity - http://www.modsecurity.org/g/ms25-illustration.jpg - no need to proove anything.. STH: 5 secs demoed at blackhat

* CISCO ACE - http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps9586/images/data_sheet_c78-458627-1.jpg STH: 30 secs demoed at blackhat, just lame

* dotDefender - http://www.applicure.com/images/newdot.jpg this one tried to spam in this forum :( http://sla.ckers.org/forum/read.php?21,28822 .. STH: 30 secs demoed here in the forum

:)

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 3 time(s). Last edit at 11/03/2009 03:32AM by sirdarckcat.

Oh, I almost forgot!

* OSSEC - http://www.ossec.net/img/ossec_logo.jpg no comments, STH: 5 secs

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

dotDefender STH 30 secs also

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I don't think it's fair at all to call OSSEC a WAF, that's not at all what it was designed to be.

Also, if this post is about how each product is configured out of the box, then it's pointless. There's not a single security product I can think of that has much value without being configured and secured by a competent technical person.

-id

@id well, they do have Anti-XSS rules.. and you can use it as a WAF..

http://www.ossec.net/wiki/Cases#Mraju_at_.2Fmuraliraju.info_.282007_Jul.29

I think the same principle applies with Snort, but I haven't actually checked snort rules, so I can't say I can h@ck it

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 11/03/2009 09:37AM by sirdarckcat.

id Wrote:
-------------------------------------------------------
> I don't think it's fair at all to call OSSEC a
> WAF, that's not at all what it was designed to
> be.
>
> Also, if this post is about how each product is
> configured out of the box, then it's pointless.
> There's not a single security product I can think
> of that has much value without being configured
> and secured by a competent technical person.

I'm not sure what others are posting, but the two I named either have serious issues that configuration cannot fix.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

I haven't looked at any WAFs in detail for a while, though I have one of my guys working on Breach and it has had a lot of issues, though they've just released a new version we're looking at.

I do have an F5 sitting in the server room turned off, I'll install the latest version of ASM and see how it compares to the last time I looked ~15 months ago.

If your issues are related to the admin interfaces, then they can be fixed by securing the admin interface at the network/browser level (same can be said for most of the worthless web interfaces out there).

-id

id Wrote:
-------------------------------------------------------
> If your issues are related to the admin
> interfaces, then they can be fixed by securing the
> admin interface at the network/browser level (same
> can be said for most of the worthless web
> interfaces out there).


Not related to the admin interface in any way, though I probably would have said a persistent XSS in the admin interface that can be triggered via traffic to the website it's meant to be protecting as a killer in most environments.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]