November 02, 2009
 My WAF went W00F!

We have finally made it this week into Mathieu Dessus's list of fingerprinted WAFs. Wow!

You're probably wondering by now what this list is and why you should care about it. Well, let me tell you all about it.

Dessus created a tool that tries to detect what kind of web application firewall is protecting an application. It does that by sending an attack vector, examining the response, and comparing it with the default behavior demonstrated by the different WAFs to which Dessus had access. One could argue about the effectiveness of such a technique in the real world, where people tend to change the default behavior of their devices, but my point here is totally different.

We at Imperva are actively engaged in various efforts aimed at providing a standard baseline for testing the security of a WAF. In none of them has fingerprinting been raised as an issue. Why is that? Because fingerprinting is a relic of the past. It's a tribute to the dark ages of security by obscurity, when people used "obfuscation" instead of encryption and relied on their adversary not knowing the exact brand of web server they were using.

There were times when it made some sense. Hacking was mostly a manual process carried out by a few chosen ones, bandwidth for attackers was scarce, and computing resources were very costly. Hacking in general was an expensive, time-consuming process, and therefore attackers would first try to "fingerprint" the targeted system and apply only those attack vectors that seemed relevant to it.

Nowadays, hacking looks completely different. Bandwidth and computing resources available for the simplest of home setups are abundant. Attack tools exist that can scan a server for thousands of vulnerabilities in a matter of seconds. Moreover, hacking today is completely industrialized and for the most part does not involve manual intervention during the attack phase. Hackers abuse hundreds of thousands of zombies, hooked up to a botnet, in order to automatically scan and attack their targets. Adding fingerprinting capabilities and conditional execution only complicates the attack code, making it less robust, with no real value for the attacker.

Yes, from time to time individual hackers come up with new methods to bypass security devices. Sometimes they just manage to bypass a device, not even caring what type of device it is. Sometimes they get direct access to a device and manage to come up with specific evasion techniques. Once they have the new technique, it is quickly incorporated into the entire scan database and used during massive scans regardless of whether it is required or not.

To sum things up, I do appreciate researchers taking their time to test the security provided by different WAF solutions. I just wish they would focus their efforts on today's challenges rather than yesterday's.

- Amichai


Comments

Hi,

Just to clarify some other points,

- Fingerprinting is necessary for assessments and tools too. That's why I think Mathieu is right in making a patch to wafw00f to improve its detection of SecureSphere.
- If you're better proud, you want to work with other men doing some research to give them access to "live" systems to
- making some responsible "research on tools to hack"
- improve your products

It's what I do on some other WAF vendor who understand why it is important to have this kind of tools

S.

Hello Amichai,

just to clarify a few points:
- I am not the author of Wafw00f, I just submitted a patch to Wafw00f.
- Yes, fingerprinting is nothing spectacular, and I never pretended the opposite.
- I (partially) disagree with you about hacking automation. Even if tools exist for application assessment, tools can't be as accurate as a human.

Anyways, if an application or a network device can be identified, this means nothing about the product quality.

Mathieu Dessus.
