Waffing: ModSecurity applied

WAF (Web Application Firewalls): what are they good for and how do they work?

I just read (though not the entire thing, just the first 40 pages) Securing WebGoat using ModSecurity. Basically, Stephen Craig Evans configured ModSecurity to patch most of the vulnerabilities in a very vulnerable web application, WebGoat. Using traditional regexp-based ModSecurity rules combined with Lua scripting, he shows that even complexities such as business-logic flaws can be mitigated by a WAF, that is, a filtering layer (proxy) between the end user and the (insecure) web application.

It is not a silver bullet and yada yada, but WAFs seem to me to be a great tool for certain purposes: they let you fix things without touching a line of the application's code. For the purpose of patching painfully old systems, which should really have been taken out and shot but are kept running for 'business reasons', I'd rather learn ModSecurity (plus e.g. Lua) properly than have to learn every thinkable and unthinkable language and platform ever used for throwing together web content.
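To make the "virtual patching" idea concrete, here is an added example of what such a ModSecurity 2.x configuration looks like. It is not taken from the post above or from the Securing WebGoat project; the application path `/hypothetical/transfer`, the parameter names `amount` and `toAccount`, the rule ids and the Lua script path are all assumptions made for illustration. The rules sit in front of the unchanged application and enforce a positive-security model on one request (only the expected parameters, each in the expected shape), and a Lua script hook is left for the kind of business-logic check that a regexp alone cannot express.

```apache
# Added example of virtual patching with ModSecurity 2.x (not from the page).
# All paths, parameter names and rule ids below are hypothetical.

SecRuleEngine On
# Needed so that phase 2 rules can see POST parameters.
SecRequestBodyAccess On

# Rule 1: on the patched endpoint, "amount" must be a positive integer of at
# most six digits. The "chain" action joins the two SecRule lines: the
# disruptive actions (deny, status, log) on the first rule fire only when
# both rules match. "!@rx" negates the regexp, so a non-matching value denies.
SecRule REQUEST_FILENAME "@streq /hypothetical/transfer" \
    "id:100001,phase:2,deny,status:403,log,msg:'Virtual patch: amount must be a positive integer',chain"
    SecRule ARGS:amount "!@rx ^[1-9][0-9]{0,5}$" "t:none"

# Rule 2: whitelist the parameter names the endpoint is known to use.
# ARGS_NAMES is a collection, so the chained rule matches as soon as any
# submitted parameter name is outside the allowed set.
SecRule REQUEST_FILENAME "@streq /hypothetical/transfer" \
    "id:100002,phase:2,deny,status:403,log,msg:'Virtual patch: unexpected request parameter',chain"
    SecRule ARGS_NAMES "!@rx ^(amount|toAccount)$" "t:none"

# Rule 3: hand the same request to a Lua script for a business-logic check.
# In ModSecurity 2.x the script must define main(); returning a string counts
# as a match (the string becomes the log message) and the actions below run,
# returning nil means no match. Inside the script, request data is read with
# m.getvar("ARGS.amount", "none") and similar calls. The script file itself
# is assumed and not shown here.
SecRuleScript /etc/modsecurity/hypothetical_transfer.lua \
    "id:100003,phase:2,deny,status:403,log,msg:'Virtual patch: business-logic check failed'"
```

Two design points worth noting: the rules are scoped to one `REQUEST_FILENAME`, so the virtual patch cannot accidentally break other parts of the application, and the denial is logged with a `msg`, which is what you will rely on to tell a blocked attack from a legitimate request the patch was too strict about. When rolling this out, run the new rules in `SecRuleEngine DetectionOnly` first and review the audit log before switching to blocking.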

Read it if you are into security, which you must be if you made it past the first sentence of this entry.

- Project wiki: http://www.owasp.org/index.php/OWASP_Securing_WebGoat_using_ModSecurity_Project
- Doc: http://www.owasp.org/index.php/Image:OWASP_ModSecurity_Securing_WebGoat_wiki_28Nov2008.zip
