
List:       websecurity
Subject:    Re: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2009-001 and EnableSecurity Advisory
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2009-05-30 20:56:10
Message-ID: 004401c9e169$59119530$010000c0 () ml

Hello Robert!

> I don't usually allow advisory posting to the list

Yes, it's the correct decision. There are many other lists which publish
advisories; it's better to post only interesting things to the WASC Mailing
List (including interesting advisories), for example my research/advisories
about vulnerabilities in search engines (http://websecurity.com.ua/3102/).
Concerning my research on URL Spoofing attacks in browsers and search
engines, I'll write to the list soon about a new method of URL Spoofing
attacks which I called URL Hiding (which I published today on my site).

But this advisory was interesting. Besides, I'm not reading other security
lists, only this one, so thanks to your decision to post it, I had the
possibility to read about this issue with Armorlogic's WAF :-).

In this advisory two interesting bypass methods were published: using extra
characters in the script close tag and using a URL-encoded new line character.
I added them to my list of WAF bypass methods, to check them in any WAF
which I'll meet on the Web.

Since 2006 I have created a lot of different WAF bypass methods (for XSS,
for SQL Injection and other attacks) - in all those WAFs which I found
at different sites on the Internet. In some cases the name of the WAF was
unknown, in other cases it looked very much like ModSecurity. I have plans to
write a series of articles about bypassing WAFs, I just need to find time for
that (which I haven't found yet since 2006).

And I never wrote any advisories about holes in WAFs' rules - i.e. about
bypassing a WAF. All WAFs have incomplete rules (which always need to be
updated), so it's normal behavior. Every WAF can be bypassed in one or
another attack (especially in the case of XSS attacks, which are very
multifarious).

More interesting are vulnerabilities in the WAF software itself. E.g. in the
last years advisories were published about XSS and other vulnerabilities in
WAFs, like DoS in ModSecurity (http://www.milw0rm.com/exploits/8241). For
example, in April 2008 I found 5 vulnerabilities in the dotDefender WAF (in its
component dotDefender-Monitor) when I looked at it briefly (I was planning to
check it in detail, but it didn't happen). Some time I will disclose them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

From: robert@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2009-001 and EnableSecurity Advisory ES-20090500
Date: Tue, 19 May 2009 20:10:13 -0400 (EDT)


> I don't usually allow advisory posting to the list, but since this was
> a WAF/Load balancer issue I thought it was worth letting through.
>
> - Robert
> Moderator of The Web Security Mailing List
> http://www.webappsec.org/ 


