
List:       openbsd-misc
Subject:    Re: No WAF detected - Solved
From:       Kihaguru Gathura <pqscript () gmail ! com>
Date:       2019-12-27 19:40:48
Message-ID: CAPggWJ8SdNYbCCUkwp+aDD3_r4xxmoWZQ6XR1oFzXdkLR+f65A () mail ! gmail ! com

Hi,

WAF is detected when certain methods are filtered in relayd.

Thanks,

Kihaguru.




On Monday, December 9, 2019, Kihaguru Gathura <pqscript@gmail.com> wrote:
> 
> 
> Hi,
> A message from assessors and further tests below.
> 
> 

> 
> 
> I have configured relayd to serve a single URL that accepts no
> parameters. This URL is blocked by relayd with error 403 Forbidden if
> anything is appended to its end.
> I would expect WAF detection in such a test case but this has not
> happened.
> What other means are malicious payloads being delivered in this case?
> 
> Thanks and regards,
> Kihaguru
> 
> 
> 
----------------------------------------------------------------------------------------------------------------------------

> 
> # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
> #
> # Relay and protocol
> #
> http protocol httpp {
> return error
> match response header remove "Server"
> 
> pass
> block quick path "/cgi-bin/index.cgi" value "*command=*"
> pass quick path "/net/index.html" value ""
> block
> }
> 
> relay httpr {
> # Listen on localhost, accept diverted connections from pf(4)
> listen on 127.0.0.1 port 8080
> protocol httpp
> 
> # Forward to the original target host
> forward to destination
> }
> 
> http protocol httpsp {
> return error
> match response header remove "Server"
> 
> pass
> block quick path "/cgi-bin/index.cgi" value "*command=*"
> pass quick path "/net/index.html" value ""
> block
> 
> tls keypair example.net
> }
> 
> relay httpsr {
> # Listen on localhost, accept diverted connections from pf(4)
> listen on 127.0.0.1 port 8443 tls
> protocol httpsp
> 
> # Forward to the original target host
> forward with tls to destination
> }
> 
---------------------------------------------------------------------------------------------------------------------------

> 
> On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson <stu@spacehopper.org> wrote:
> > 
> > On 2019/12/05 00:17, Kihaguru Gathura wrote:
> > > 
> > > 
> > > 
> > > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura <pqscript@gmail.com> wrote:
> > > 
> > > 
> > > 
> > > > > Which is a better way to implement a WAF on OpenBSD using the base utilities?
> > > > 
> > > > relayd configured in certain ways might be considered as a WAF.
> > > 
> > > 
> > > All methods and all other security headers and path filters are coded in the web
> > > application which had always been detected as a custom WAF until two weeks ago.
> > > 
> > > I have now included relayd and a re-test passes all other requirements but does not detect
> > > a WAF (please find sample configurations and test report below).
> > > 
> > > Any hint highly appreciated
> > 
> > I think you will need to talk to your assessors and ask what they're looking for.
> > 
> 

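An added sketch (not from the thread) of what "certain methods are filtered in relayd" can look like, extending the httpp protocol quoted above: unused HTTP methods are refused with 403 before the single URL rules are consulted. The method list is an assumption to trim to what the application needs; the syntax follows relayd.conf(5), so check it with relayd -n before loading.

```conf
http protocol httpp {
	return error
	match response header remove "Server"

	pass
	# Refuse methods the single-page application never uses.
	# "quick" ends rule evaluation, so no later pass rule can re-allow them.
	# (assumed list; keep only what the backend actually serves)
	block request quick method "TRACE"
	block request quick method "OPTIONS"
	block request quick method "PUT"
	block request quick method "DELETE"
	block request quick method "POST"

	# Existing path rules from the posted configuration
	block quick path "/cgi-bin/index.cgi" value "*command=*"
	pass quick path "/net/index.html" value ""
	block
}
```

Blocked methods are answered by relayd itself (return error), so they never reach the backend, and relayd logging shows which rule matched when a scan probes them.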
