Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
gfiorav a day ago

I agree. From a product perspective, I would also support the decision. Should we make the rules more complex by default, potentially overlooking SQL injection vulnerabilities? Or should we blanket prohibit anything that even remotely resembles SQL, allowing those edge cases to figure it out?

I favor the latter approach. That group of Cloudflare users will understand the complexity of their use case accepting SQL in payloads and will be well-positioned to modify the default rules. They will know exactly where they want to allow SQL usage.

From Cloudflare’s perspective, it is virtually impossible to reliably cover every conceivable valid use of SQL, and it is likely 99% of websites won’t host SQL content.

krferriter a day ago | parent | next [-]

If your web application is relying on Cloudflare filtration of input values to prevent SQL injection, your web application is vulnerable to SQL injection.

p_ing a day ago | parent [-]

Defense in-depth. I would hope few would want a vulnerable web app and simply protect it via a WAF. But just because your web app is 'invulnerable' doesn't mean you should forgo the WAF.

krferriter a day ago | parent | next [-]

But what is being defended against? This is blocking legitimate user behavior. Would it be defense in depth to also prohibit semicolons or two consecutive hyphen characters in all content? If your app is constructing paths to read from the server's filesystem based on substrings contained within client-provided field values, throwing an error if `"/etc/hosts"` appears in any input is not going to save you.

p_ing a day ago | parent [-]

Unknown or unforeseen attacks. The WAF ruleset can be updated much faster than code. WAFs also provide flexibility in how requests are responded to, or even disallow access from IP ranges, certain browsers, etc.

WAFs do throw false positives and do require adjustments OOTB for most sites, but you’re missing the forest by focusing on this single case.

immibis a day ago | parent | prev | next [-]

My defense in depth blocks Content-Length that's a prime number or divisible by 5. Can't be too safe!

RKFADU_UOFCCLEL a day ago | parent | prev [-]

What? If I construct my queries the right way (e.g., not concatenating strings together like it's the year 1990), then I never will want a WAF "helping" me by blocking my users because they have an apostrophe in their name.

p_ing a day ago | parent [-]

That's a very narrow view of what a WAF does. You may want to review the OWASP ruleset at https://coreruleset.org/. However, this is just the ruleset. WAF vendors usually offer features above and beyond OWASP rule parsing.

And WAF rules can be tuned. There's no reason an apostrophe in a username or similar needs to be blocked, if it were by a rule.

TheDong 12 hours ago | parent [-]

Okay, I'll look at the "coreruleset" which you say is good.

Let's see what's blocked:

"Division by zero" anywhere in the response body since that's a php error. Good luck talking about math ([0] and [1])

Common substrings in webshells, all matched as strings in response bodies, rather than parsing HTML, so whatever, don't comment about webshells either [2]

Unless the body is compressed, in which case don't apply the above. Security [3].

Also, read this regex and tell me you understand what it's doing. Tell me the author of it understands what it matches: https://github.com/coreruleset/coreruleset/blob/943a6216edea...

What the coreruleset is doing here is trying to parse HTML, SQL, HTTP, and various other languages with Regular Expressions. This doesn't work. This will never give you a right result.

It's trying to keep up to date with the string representation of java and php errors, without even knowing the version of Java the server is running, and without the Java maintainers, who constantly add new errors, having any say.

The only reasons attackers aren't evading the webshell rules here trivially is because so few people use these rules in practice that they're not even worth defeating (and it is quite easy to have your php webshell generate unique html each load, which cannot be matched by a regular expression short of /.*/; html is not a regular grammar).

I was ready to see something that made WAFs feel like they did _anything_ based on your comment, but all I see is a pile of crap that I would not want anywhere near my site.

Filtering java error strings and php error strings out of my rust app's responses using regexes to parse html is just such a clown-world idea of security. Blocking the loading of web-shells until the attacker changes a single character in the 'title' block of the output html seems so dumb when my real problem is that someone could write an arbitrary executable to my server.

Every WAF ruleset I've read so far has made me sure it's a huge pile of snake-oil, and this one is no different.

[0]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...

[1]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...

[2]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...

[3]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...

p_ing 4 hours ago | parent [-]

The issue is you're picking out bits and pieces that /seem/ correct to you, but you don't seem to have experience defending a public website from intrusions.

These rules do in fact work. Like I've said previously, these rules require tuning for your particular website. If I'm "talking about math" then I would modify or disable that rule as needed.

I think this is the forest you're missing. WAF isn't "install it and walk away". WAF needs to be tested in conjunction with your release, like any other code would.

The WAF can and does protect against attacks your code would never think of. It also /logs requests/ in a way your web server will not, making it invaluable for auditing.

And when running 3rd party software that has a function you cannot control, but need to prevent, WAFs can do that, too. I have a particular query string that must work from an internal but not external network while external/internal users leverage the same URL -- WAF can do that with a custom rule examining the query string and denying access to the outside world.

Or if I need to prevent [AI] bot scraping. WAF can do that with a couple of clicks.

WAF also unloads the web server from malicious traffic. Instead of having to size up or out a web server, I can have a WAF appliance prevent that traffic from ever reaching the server.

> Every WAF ruleset I've read so far

You don't appear to have any experience with implementation or operation of a WAF, but are attempting to be authoritative and dismiss a WAFs utility.

wat10000 a day ago | parent | prev | next [-]

Sorry, we have to reject your comment due to security. The text "Cloudflare<apostrophe>s" is a potential SQL injection.

gfiorav a day ago | parent [-]

You know, I get the spirit of this criticism. But, specially in the age of AI, we're going to get thousands of barely reviewed websites on Cloudflare.

If you know what you're doing, turn these protections off. If you don't, there's one less hole out there.

wat10000 a day ago | parent | next [-]

In all seriousness, I don't see the justification for blocking "/etc/hosts" but allowing "'". The latter is probably a million times more likely to trigger a vulnerability.

int_19h 7 hours ago | parent | prev [-]

The problem is that people who don't know what they are doing join the cargo cult and then impose these requirements on people who do know what they are doing.

Y_Y a day ago | parent | prev [-]

Why not just whitelist the thousand most common words? That should be good enough for 99% of approriate content, and the smelly nerds who make websites or talk about them can take their tiny market segment and get bent.