Subscribe to web2feel.com
Subscribe to web2feel.com

All Top Banking

Web Application Firewalls Hacked

Posted by John B. Frank Thursday, May 14, 2009

Researchers Hack Web Application Firewalls

OWASP Europe presentation demonstrates tools that fingerprint the brand of WAF, as well as bypass it altogether

By Kelly Jackson Higgins | DarkReading

A pair of researchers at the OWASP Europe 2009 conference on Wednesday showed how some Web application firewalls (WAFs) are prone to attack.

Wendel Henrique, a member of SpiderLabs (Trustwave's advanced securityteam), and Sandro Gauci, founder and CSO for EnableSecurity, also foundsome WAFs vulnerable to the same types of exploits they are supposed toprotect Web apps from, such as cross-site scripting (XSS) attacks.

The researchers used a tool they developed, called WafW00f, todetect and fingerprint the presence -- and in some cases, the brand --of a WAF running in front of a Web application. A second tool createdby Henrique and Gauci, called WafFun, let them exploit and bypass WAFsrunning in blacklisting and whitelisting modes. With a combination ofWafW00f and WafFun, the researchers are able to execute attacks on theWAF invisibly so they can successfully hack the Web-facing applicationsitting behind it.

Editor's Note:  So let me get this straight...HTTTPS is HTTBS and Firewalls are useless.   4 Questions: 
  • Are you starting to see how unsafe a web browser is? 
  • Are you starting to see why financial transactions SHOULD NEVER be done in a web browser space? 
  • Are you starting to see why HomeATM engineered, patented and manufactures the ONLY PCI 2.0 PED designed for eCommerce use? 
  • Are you starting to see that the 3DES end to end encryption of cardholder data with DUKPT key management is the safest and most secure way to provide consumers and merchants from hackers?      

"If an attacker knows what product and version, it's easy toexploit it. One of the things [WAF] vendors claim is that they[operate] in stealth [mode]," Henrique says. "But in practice, theyhave a lot of different behaviors that they create...and you can usethose behaviors to identify what WAF is in place."

Continue DarkReading

Related articles
Reblog this post [with Zemanta]

edit post

0 comments

Post a Comment

Powered by Blogger.

Blog Archive

Search This Blog

Our Manufacturing Facility

Our Manufacturing Facility

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

Total Pageviews

SLIM for PC or SmartPhone

SLIM for PC or SmartPhone
Click to Inquire

Chip and PIN eCommerce and Mobile

Chip and PIN eCommerce and Mobile
Click to Inquire

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers

Translate This Blog

BobCaps

BobCaps

Search ePayment News (example: NFC)

About Me

My photo
Named one of the best Payment Industry News Blogs 4 Years Running

Feedjit

My Zimbio