mystifyingpoi a day ago
No one expects any WAF to be a 100% solution that catches all exfiltration attempts ever, and it should not be treated this way. But having it is generally better than not having it.

Macha a day ago
> But having it is generally better than not having it.

The problem is that generally you're breaking actual valid use cases as the tradeoff to being another layer of defense against hypothetical vulnerabilities. Yes, discussing the hosts file is a valid use case. Yes, putting angle brackets in the title of your message is a valid use case your users are going to want. Yes, putting "mismatched" single quotes inside double quotes is a thing users will do. Yes, your users are going to use backslashes and omit spaces in a way that looks like attempts at escaping characters. (All real problems I've seen caused by overzealous security products.)

simonw a day ago
"But having it is generally better than not having it." I believe the exact opposite. One (of many) reasons is that it can make your code less secure, by hiding your security mistakes from you. If your WAF obscures escaping issues during your own testing and usage you could very easily let those escaping issues go unresolved - leaving you vulnerable to any creative attacker who can outsmart your WAF.

paxys a day ago
> But having it is generally better than not having it.

So is HN and every other site in the world insecure because it allows users to post "/etc/hosts"?

rcxdude a day ago
Is it? The WAF is also now an attack surface itself, and I don't think WAFs have exactly proven themselves as something that meaningfully increases security. They certainly break things unpredictably, though.

wavemode a day ago
No, that logic doesn't follow. If your application is so hopelessly vulnerable as to benefit from such naive filtering of the text "/etc/hosts", then your application is still going to be vulnerable in precisely the same ways, with just slightly modified inputs. It is net zero for security and net negative for user experience, so having it is worse than not having it.

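As an added illustration (not code from this thread or from any product it discusses), here is the argument in runnable form, covering both Macha's false-positive examples above and the point made here that slightly modified inputs reach exactly the same bug. The WAF rule, the document root, and every sample input are hypothetical and constructed for the example; the WAF is modelled as a substring match on the raw wire value, which is the naive case, while real products normalise input to varying degrees. The application-layer fix that actually closes the hole (canonicalise, then confine to the document root) is shown beside the vulnerable handler.

```python
import posixpath
import re
import urllib.parse
from typing import Optional

# Hypothetical naive WAF rule set (constructed for this example): a substring
# match on the raw, still URL-encoded request value.
BLOCK_PATTERNS = [re.compile(r"/etc/hosts")]

# Hypothetical document root for the static-file handler.
DOCROOT = "/srv/app/static"


def naive_waf_blocks(raw_value: str) -> bool:
    """Return True if the hypothetical WAF would drop this request value."""
    return any(p.search(raw_value) for p in BLOCK_PATTERNS)


def vulnerable_resolve(user_path: str) -> str:
    """Deliberately vulnerable: joins user input under DOCROOT with no confinement check."""
    return posixpath.normpath(posixpath.join(DOCROOT, user_path))


def hardened_resolve(user_path: str) -> Optional[str]:
    """Application-layer fix: canonicalise first, then refuse anything outside DOCROOT."""
    candidate = posixpath.normpath(posixpath.join(DOCROOT, user_path))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


def handle_file_request(raw_param: str, resolver) -> Optional[str]:
    """Simulated request path: the WAF inspects the wire value, then the web
    framework URL-decodes it and hands it to the application's resolver.
    Returns the resolved filesystem path, or None if blocked or refused."""
    if naive_waf_blocks(raw_param):
        return None
    return resolver(urllib.parse.unquote(raw_param))


# Constructed inputs: one legitimate forum post that merely mentions the file,
# and three traversal payloads that each still name /etc/hosts to the OS
# without containing that literal string.
LEGIT_COMMENT = "Add '127.0.0.1 dev.local' to /etc/hosts and restart the browser."
TRAVERSAL_VARIANTS = [
    "../../../etc/./hosts",        # dot segment breaks the substring match
    "../../../etc//hosts",         # doubled separator does the same
    "..%2F..%2F..%2Fetc%2Fhosts",  # URL-encoded separators, decoded after the WAF
]


def evaluate() -> dict:
    """Collect the outcomes the thread argues about."""
    return {
        # False positive: a comment body is never used as a path, but the WAF drops it.
        "legit_comment_blocked": naive_waf_blocks(LEGIT_COMMENT),
        # Every trivially modified payload walks straight past the rule.
        "waf_bypassed": all(not naive_waf_blocks(v) for v in TRAVERSAL_VARIANTS),
        # The vulnerable handler resolves each of them to the real file.
        "vulnerable_app_reads": {v: handle_file_request(v, vulnerable_resolve) for v in TRAVERSAL_VARIANTS},
        # The fixed handler refuses them all, WAF or no WAF.
        "hardened_app_reads": {v: handle_file_request(v, hardened_resolve) for v in TRAVERSAL_VARIANTS},
        # And it still serves ordinary files.
        "hardened_app_normal_file": hardened_resolve("css/site.css"),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The check in `hardened_resolve` is the one that matters: it compares the canonical result against the allowed root rather than looking for bad substrings in the input, so it does not care how the traversal was spelled and never has to block a forum post for mentioning a filename.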
smallnix a day ago
Dropping 0.5% of requests will prevent even the most sophisticated attacks (think APT!). Sometimes.

wyager a day ago
> But having it is generally better than not having it.

Why? It obviously has an annoying cost and equally obviously won't stop any hacker with a lukewarm IQ.