July 18, 2008

Pointing a Finger at ???

This weekend a heated debate fired up on the WebAppSec mailing list. Jeremiah Grossman sparked it with an innocent short question: "Anyone want to make an open source WAF fingerprinter?"


Turning the question around, as happens in these bonfire circles, the basic question becomes whether a Web Application Firewall (WAF) actually needs to hide its identity.


Actually, I don't even consider this a fruitful discussion. Most of the thread participants agree that the worst kind of security is security by obscurity. So having any kind of discussion about obscuring the fact that there is a WAF, and which kind of WAF is deployed, is just painfully useless. A security analogy that comes to mind is encryption. It would be as if an e-vendor hid the fact that they use AES-256 for encryption rather than proudly displaying their use of this standard.


And even more to the point, it is possible to fingerprint any network device, provided that the device is active (and needless to say, an inactive WAF is not a WAF). When the response to a request, or to a series of requests, differs from the response expected from the target server itself, there must obviously be some sort of inline security device. And since devices by different vendors behave differently, it is of course possible to differentiate between them.
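The argument above is a differential one: an inline device can only act on traffic by changing what comes back. The following is an added illustration, not code from the original post or from any WAF vendor. It runs entirely offline on two constructed HTTP responses (an origin response and the same request as seen through a hypothetical inline device, with a made-up `X-Inline-Device` header) and reports every attribute in which they diverge. A defender can run the same comparison against their own deployment to see exactly which signals (status code, added or altered headers, block-page body) their edge exposes, and then decide which of those are worth reviewing.

```python
"""Differential comparison of two HTTP responses (added example, not from the post)."""
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    headers: dict  # header name, lowercased -> value
    body: str


def parse_response(raw: str) -> HttpResponse:
    """Parse a raw HTTP/1.1 response string into status, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def diff_responses(expected: HttpResponse, observed: HttpResponse) -> dict:
    """Return every attribute in which `observed` deviates from `expected`.

    Keys are "status", "header:<name>" or "body"; values are (expected, observed).
    A header present on only one side shows up with None on the other side.
    """
    deviations = {}
    if expected.status != observed.status:
        deviations["status"] = (expected.status, observed.status)
    for name in sorted(set(expected.headers) | set(observed.headers)):
        e, o = expected.headers.get(name), observed.headers.get(name)
        if e != o:
            deviations[f"header:{name}"] = (e, o)
    if expected.body != observed.body:
        deviations["body"] = (expected.body, observed.body)
    return deviations


def signal_categories(deviations: dict) -> list:
    """Collapse the deviations into the broad kinds of signal an inline device leaks."""
    cats = set()
    for key in deviations:
        cats.add("header" if key.startswith("header:") else key)
    return sorted(cats)


def inline_device_present(expected: HttpResponse, observed: HttpResponse) -> bool:
    """Any deviation at all means something between client and origin acted on the request."""
    return bool(diff_responses(expected, observed))


# Constructed sample: what the origin server returns for a given request ...
ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# ... and what the client observes for the same request through a hypothetical
# inline device. The X-Inline-Device header is a placeholder, not a real product header.
OBSERVED_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "X-Inline-Device: example-device\r\n"
    "\r\n"
    "<html><body>Request blocked</body></html>"
)


def report(expected_raw: str = ORIGIN_RESPONSE, observed_raw: str = OBSERVED_RESPONSE) -> dict:
    """Run the comparison on the constructed samples and return the deviations."""
    expected = parse_response(expected_raw)
    observed = parse_response(observed_raw)
    deviations = diff_responses(expected, observed)
    for key, (e, o) in deviations.items():
        print(f"{key}: expected {e!r}, observed {o!r}")
    print("signal categories:", signal_categories(deviations))
    return deviations


if __name__ == "__main__":
    report()
```

The comparison makes the post's point concrete: the device is revealed not by any one header but by the existence of a difference at all, and the vendor-specific details (which status code a block returns, which headers are added, what the block page says) are what distinguish one device from another.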


Andres Riancho actually douses the fire somewhat on this one by providing the algorithms for detecting the different WAFs.


I guess we'll just have to wait around the fire (-wall) until we get around to those real spooky stories.

 

- Amichai
