p_ing, a day ago:

That's a very narrow view of what a WAF does. You may want to review the OWASP ruleset at https://coreruleset.org/. However, this is just the ruleset. WAF vendors usually offer features above and beyond OWASP rule parsing. And WAF rules can be tuned. There's no reason an apostrophe in a username or similar needs to be blocked, if it were by a rule.
TheDong, 12 hours ago (reply to p_ing):

Okay, I'll look at the "coreruleset" which you say is good. Let's see what's blocked:

- "Division by zero" anywhere in the response body, since that's a PHP error. Good luck talking about math ([0] and [1]).
- Common substrings in webshells, all matched as strings in response bodies rather than parsing HTML, so, whatever, don't comment about webshells either [2].
- Unless the body is compressed, in which case don't apply the above. Security [3].

Also, read this regex and tell me you understand what it's doing. Tell me the author of it understands what it matches: https://github.com/coreruleset/coreruleset/blob/943a6216edea...

What the coreruleset is doing here is trying to parse HTML, SQL, HTTP, and various other languages with regular expressions. This doesn't work. This will never give you a right result. It's trying to keep up to date with the string representation of Java and PHP errors, without even knowing the version of Java the server is running, and without the Java maintainers, who constantly add new errors, having any say.

The only reason attackers aren't evading the webshell rules here trivially is because so few people use these rules in practice that they're not even worth defeating (and it is quite easy to have your PHP webshell generate unique HTML each load, which cannot be matched by a regular expression short of /.*/; HTML is not a regular grammar).

I was ready to see something that made WAFs feel like they did _anything_ based on your comment, but all I see is a pile of crap that I would not want anywhere near my site. Filtering Java error strings and PHP error strings out of my Rust app's responses using regexes to parse HTML is just such a clown-world idea of security. Blocking the loading of webshells until the attacker changes a single character in the 'title' block of the output HTML seems so dumb when my real problem is that someone could write an arbitrary executable to my server.

Every WAF ruleset I've read so far has made me sure it's a huge pile of snake-oil, and this one is no different.

[0]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...
[1]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...
[2]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...
[3]: https://github.com/coreruleset/coreruleset/blob/943a6216edea...
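The two points the thread turns on, a string rule over response bodies producing false positives on legitimate content (and seeing nothing when the body is compressed), and p_ing's point that rules can be tuned with per-location or per-parameter exclusions, can be made concrete with a small simulation. The code below is an added illustration, not CRS code or any WAF's implementation: the patterns, sample pages, paths and parameter names are all constructed for the example, and the "rules" are deliberately crude stand-ins for the real rule text.

```python
import gzip
import re

# Constructed stand-in for a CRS-style PHP error-leakage response rule.
# The real rule matches a whole list of PHP error strings; this is only
# the one string the thread discusses, and it is NOT the CRS rule text.
PHP_ERROR_RE = re.compile(r"Division by zero", re.IGNORECASE)

# Constructed stand-in for a request-side SQLi rule: any single quote in a
# request argument. Real rules are more involved; the crude form is enough
# to show why "O'Brien" in a username field gets caught and how it is tuned.
SQLI_QUOTE_RE = re.compile(r"'")

# Constructed sample response bodies.
MATH_PAGE = b"<html><title>Why is Division by zero undefined?</title><p>...</p></html>"
LEAKY_PAGE = b"<b>Warning</b>: Division by zero in /var/www/app.php on line 12"
CLEAN_PAGE = b"<html><title>Hello</title></html>"


def inspect_body(path, headers, body, exclusions=(), decompress=True):
    """Apply the response-body rule to one response.

    Returns (blocked, reason). `exclusions` is a set of paths for which the
    rule has been tuned off (a hypothetical per-location exclusion).
    `decompress` controls whether a gzip body is inflated before inspection;
    a deployment that does not inflate bodies simply never sees the string.
    """
    if path in exclusions:
        return False, "rule excluded for this location"
    if headers.get("Content-Encoding") == "gzip":
        if not decompress:
            return False, "body compressed; not inspected"
        body = gzip.decompress(body)
    text = body.decode("utf-8", errors="replace")
    if PHP_ERROR_RE.search(text):
        return True, "matched php-error pattern"
    return False, "no match"


def inspect_request(args, excluded_params=()):
    """Apply the request-side rule to a dict of request arguments.

    Returns the list of parameter names that triggered the rule, skipping
    any parameter listed in `excluded_params` (a per-parameter exclusion,
    the tuning p_ing refers to).
    """
    hits = []
    for name, value in args.items():
        if name in excluded_params:
            continue
        if SQLI_QUOTE_RE.search(value):
            hits.append(name)
    return hits


def run_demo():
    """Exercise both rules on the constructed inputs and return the outcomes."""
    results = {}
    # A legitimate math page trips the error-leakage rule: a false positive.
    results["math_page_default"] = inspect_body("/blog/math", {}, MATH_PAGE)[0]
    # Tuning: exclude the rule for that location, and the page passes.
    results["math_page_excluded"] = inspect_body(
        "/blog/math", {}, MATH_PAGE, exclusions={"/blog/math"})[0]
    # A real leak hides behind gzip unless the inspector inflates the body.
    gz = gzip.compress(LEAKY_PAGE)
    hdrs = {"Content-Encoding": "gzip"}
    results["leak_gzip_no_decompress"] = inspect_body("/app", hdrs, gz, decompress=False)[0]
    results["leak_gzip_decompress"] = inspect_body("/app", hdrs, gz)[0]
    results["clean_page"] = inspect_body("/", {}, CLEAN_PAGE)[0]
    # An apostrophe in a username trips the crude request rule until the
    # parameter is excluded.
    results["username_default"] = inspect_request({"username": "O'Brien"})
    results["username_tuned"] = inspect_request(
        {"username": "O'Brien"}, excluded_params={"username"})
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The takeaway for anyone operating such rules is in the two pairs of results: the same string rule both blocks a harmless page and is blind to a real leak until the body is inflated, so response-body rules are only as good as the decompression in front of them and the exclusion list maintained behind them.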