Experts to Demonstrate Vulnerabilities in Commercial Web Application Firewalls
CHICAGO (May 12, 2009) - Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world, will deliver a briefing at OWASP AppSec Europe, 13-14 May, 2009. Wendel Henrique, a member of SpiderLabs, the advanced security team at Trustwave responsible for incident response and forensics, ethical hacking and application security, will conduct the briefing along with Sandro Gauci of EnableSecurity.
The presentation will examine the security effectiveness of Web Application Firewalls (WAFs), the next generation product that protects Web sites from application level attacks such as Cross Site Scripting and SQL injection. WAFs inspect every request sent and received from a Web Server, parsing, decoding and analyzing all requests for potential attacks. Depending on the set of rules applied by the WAF, it will either log an attack or block it. WAFs are either software or hardware and are typically installed in front of a Web server in an effort to try and shield it from incoming attacks.
Through continuous research, Henrique and Gauci have determined that many commonly used Web Application Firewalls are themselves vulnerable to hacking. The result of studying different WAF products, methodologies and technologies, has created generic and specific techniques to detect, identify, bypass and even exploit these systems.
Using this research, Henrique and Gauci created "WafW00f," a tool that applies their research and automates the process of identifying WAFs. WafW00f can precisely identify 20 different brands of WAFs and detect if they are in reactive mode. A second tool they've created, "WafFun," allows them to bypass and exploit WAF systems. Together, their tools allow them to identify the traffic blocked by the WAF and modify their attacks in a way that is completely blind to the WAF system, enabling the exploitation of the Web-facing application.
Consequently, if the WAF system is circumvented then the Web application is returned to a state prior to the installation of the WAF. If an attacker is able to exploit a flaw in the WAF, the attacker can take complete control of the system, resulting in disabled rules, copying of local files, and using the WAF system to launch further attacks.
During their presentation, Henrique and Gauci will use WafW00f, WafFun and other original tools to detect, bypass and exploit commercial WAF systems, showing first-hand the vulnerabilities associated with these systems.
"In theory, Web Application Firewalls should work transparently, preventing an end user or attacker to know they are in place, but improper configuration leaves signs that allow detection and identification of these systems," says Robert J. McCullen, chairman and CEO of Trustwave. "With the increase in Web application attacks, organizations have to be certain that their environment is secure and cannot leave any vulnerabilities, known or unknown, for attackers to exploit."
"Web application firewalls try to protect poorly written applications from attacks proving highly ineffective if the WAF fails or can be detected by the attacker," says Nicholas Percoco, vice president and head of SpiderLabs for Trustwave. "Application code reviews or penetration tests should always be performed to identify the problems outright. A WAF can be used to buy time for developers while fixes are implemented, but should never be seen as the final destination in a secure development lifecycle."
About Trustwave
Trustwave is a leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions including SIEM , WAF , EV SSL certificates and secure digital certificates . Trustwave has helped hundreds of thousands of organizations-ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers-manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com/en-us/.
