
Our presentation at OWASP Europe in Krakow on Web Application Firewall shortcomings was featured on Darkreading, and Wendel was quoted in the article. Other sites and blogs (such as Heise) also mentioned the presentation. Imperva's blog (Imperva happens to be a WAF vendor) commented on the presentation as well, and in this post I hope to answer some of its claims.
“What Wendel (TrustWave) and Sandro (EnabledSecurity) basically showed is that they can figure out if a WAF is deployed to protect a web application and two techniques that can allegedly “bypass” WAFs.”
Unfortunately we had a couple of technical issues, which meant that our presentation did not start on time and some of the live demos could not be shown. We had just 30 minutes to present, which was not enough. We did perform the demos the next day anyway for a number of people, who had some interesting feedback (more on that later). Either way, we mentioned more than two techniques that can lead to a bypass of some Web Application Firewalls.
“The two speakers described WAFs basically as a combination of black lists and white lists while missing the entire point in WAFs that learn the web application interfaces and usage patterns using dynamic profiling mechanisms and express complex security rules through advanced correlation engines. Actually, WAFs were developed to overcome the disadvantages in purely signature based products like IDSs.”
I do not currently have access to Imperva's SecureSphere, but aren't "dynamic profiling" and "express complex security rules" there to automatically create whitelists? That is what the SecureSphere datasheet and the specifications page imply. If not, can you explain how this works (and also explain what "express complex security rules" means)?
Most WAFs support a blacklist (negative model) approach by default, and on large, complex sites the positive model is not easy to set up or maintain. Making use of the learning features of various WAF products definitely helps, but it does not solve issues such as maintenance: every new parameter, page or input format the application starts using has to be learned or added by hand, or legitimate traffic gets blocked. A good question is "what sort of traffic do you use to train your WAF?" If the training traffic already contains attacks or does not exercise every part of the application, the learned profile is either too permissive or too restrictive. In practice a large number of WAFs run with the blacklist approach most of the time, even though the positive / whitelist model is supported by the product.
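To make the difference between the two models concrete, here is an added example (not code from the presentation, nor from any WAF product) that learns a minimal positive profile from constructed training requests and compares it with a small blacklist. The training requests, parameter names and blacklist patterns are all assumptions made up for the illustration; real products learn far richer profiles, but the maintenance problem is the same: an innocent new parameter added by the developers is blocked by the learned profile until someone updates it.

```python
import re
from collections import defaultdict

# Constructed training traffic (assumption: this is what the learning phase saw).
TRAINING_REQUESTS = [
    {"path": "/search", "params": {"q": "laptop", "page": "1"}},
    {"path": "/search", "params": {"q": "red shoes", "page": "2"}},
    {"path": "/search", "params": {"q": "usb-c cable", "page": "10"}},
    {"path": "/login", "params": {"user": "alice", "pass": "S3cret!"}},
]


def char_class(c):
    """Coarse character class used by the positive model."""
    if c.isalpha():
        return "alpha"
    if c.isdigit():
        return "digit"
    if c.isspace():
        return "space"
    return "punct"


def learn_profile(requests):
    """Positive model: for every (path, parameter) seen in training, record the
    longest value and the set of character classes that appeared in it."""
    profile = defaultdict(lambda: {"max_len": 0, "classes": set()})
    for req in requests:
        for name, value in req["params"].items():
            entry = profile[(req["path"], name)]
            entry["max_len"] = max(entry["max_len"], len(value))
            entry["classes"] |= {char_class(c) for c in value}
    return dict(profile)


def positive_check(profile, req):
    """Allow only what the profile has seen: known parameters, no longer than
    the learned maximum, built from learned character classes."""
    for name, value in req["params"].items():
        entry = profile.get((req["path"], name))
        if entry is None:
            return (False, f"unknown parameter {name!r} on {req['path']}")
        if len(value) > entry["max_len"]:
            return (False, f"{name!r} longer than learned maximum {entry['max_len']}")
        unseen = {char_class(c) for c in value} - entry["classes"]
        if unseen:
            return (False, f"{name!r} uses unseen character class {sorted(unseen)}")
    return (True, "ok")


# Constructed blacklist (assumption): a few classic injection shapes.
BLACKLIST = [
    re.compile(p, re.I)
    for p in (r"\bunion\b.*\bselect\b", r"<script", r"'\s*or\s*'?\d*'?\s*=")
]


def negative_check(req):
    """Negative model: block anything matching a known-bad pattern, allow the rest."""
    for value in req["params"].values():
        for pat in BLACKLIST:
            if pat.search(value):
                return (False, f"matched blacklist pattern {pat.pattern!r}")
    return (True, "ok")


if __name__ == "__main__":
    profile = learn_profile(TRAINING_REQUESTS)
    attack = {"path": "/search", "params": {"q": "' OR '1'='1", "page": "1"}}
    # Developers add a sort option: legitimate, but never seen in training.
    new_feature = {"path": "/search", "params": {"q": "laptop", "sort": "price"}}
    for label, req in (("attack", attack), ("new feature", new_feature)):
        print(label, "positive:", positive_check(profile, req),
              "negative:", negative_check(req))
```

Both models stop the injection attempt, but only the positive model blocks the new `sort` parameter, which is exactly the kind of change someone has to notice and fold into the profile after every application release.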
“Presenting the ability to detect WAFs deployed in front of a web application as a major security risk is just biased”
Detection of the WAF is not a major security issue in itself, but it is another step in the reconnaissance stage of an attack: knowing that a filter sits in front of the application, and ideally which one, tells the attacker what is inspecting the traffic and which evasion techniques are worth trying.
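The usual way to spot a WAF during reconnaissance is differential probing: send a benign request, then the same request carrying an obviously malicious but harmless payload, and look for differences the application itself would not produce. The following is an added example of that comparison logic, not one of the techniques from the presentation and not tied to any product. The two responses are constructed inline so it runs offline; the status codes, header name and block-page wording are assumptions standing in for what a real client would receive.

```python
import re

# Constructed responses (assumption): what a client got back for
# GET /search?q=laptop and for GET /search?q=<script>alert(1)</script>.
BASELINE = {
    "status": 200,
    "headers": {"Server": "Apache", "Content-Type": "text/html"},
    "body": "<html>3 results for laptop</html>",
}
PROBE = {
    "status": 403,
    "headers": {"Server": "Apache", "Content-Type": "text/html",
                "X-Request-Blocked": "1"},
    "body": "<html>The requested URL was rejected. Support ID: 1234</html>",
}

# Illustrative wording often found on generic block pages; not a vendor list.
BLOCK_PAGE_HINTS = re.compile(r"rejected|blocked|not acceptable|security policy", re.I)
# Status codes an intermediary filter commonly answers with.
REJECT_STATUSES = {403, 406, 429}


def waf_indicators(baseline, probe):
    """Return the list of differences between the benign and the probe
    response that suggest something other than the application answered."""
    indicators = []
    if probe["status"] != baseline["status"] and probe["status"] in REJECT_STATUSES:
        indicators.append(f"status changed {baseline['status']} -> {probe['status']}")
    added_headers = set(probe["headers"]) - set(baseline["headers"])
    if added_headers:
        indicators.append(f"headers present only on probe: {sorted(added_headers)}")
    if BLOCK_PAGE_HINTS.search(probe["body"]) and not BLOCK_PAGE_HINTS.search(baseline["body"]):
        indicators.append("block-page wording in probe body")
    return indicators


def waf_likely(baseline, probe, threshold=2):
    """Require more than one indicator: a single 403 on odd input can just as
    well come from the application's own validation."""
    return len(waf_indicators(baseline, probe)) >= threshold


if __name__ == "__main__":
    for line in waf_indicators(BASELINE, PROBE):
        print("indicator:", line)
    print("WAF likely:", waf_likely(BASELINE, PROBE))
```

The threshold matters: an application that validates its own input can return 403 for the same payload, so one signal is not evidence. In practice the probe is repeated with payloads for different attack classes (SQL injection, path traversal, XSS) and with a malformed-but-harmless request, and the pattern of which ones are rejected is what hints at a filter in front of the application.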
As for the feedback we received at OWASP, many of the participants who had first-hand experience with Web Application Firewalls agreed that positive-model Web Application Firewalls are a pain to maintain. Everyone came to the conclusion that you need dedicated personnel to maintain a WAF protecting a large web application. That is hardly something the vendors want you to know.
Filed under: rant
Tags: imperva, securesphere, owasp, appseceu09, waf security, wendel, sandro
No Responses Yet to “WAF research media coverage and a response to Imperva”