
Wallarm (YC S16) Uses Incoming Hacker Attacks to Reveal Security Flaws - stvnchn
http://themacro.com/articles/2016/08/wallarm/
======
hkr_mag
Hey there. Stepan, co-founder of Wallarm, here. Feel free to ask any
questions.

~~~
daveloyall
How do you intend to prevent false positives?

As a power user, I am concerned about the possibility of widespread adoption
of your product and/or others like it.

I don't want my bank to ban me just because I use a browser extension to
capture my own cookies from my own valid session and pipe them into a shell
script I wrote to invoke curl to harvest my latest bank statement as a PDF and
store it locally.

Supposing that your system wouldn't flag that activity as malicious, what
about the vulgar things that I did to their servers while I was _developing_
my archive-bank-statement tool?

NB. Please ignore the implication that my tool is complete or useful. It's
not... :)

~~~
hkr_mag
The main idea about Wallarm is to get inner knowledge of how the application
works and how users use it. Based on this data, we craft dynamic rules for
every single application or API.

The simplest example is what data is transmitted in different parameters of the
form fields or API calls. For example, it's OK if someone puts an SQL injection
payload into a form on the Stack Overflow site while writing a security-related
article. It can be normal behavior. Meanwhile, an SQL injection payload is
probably a malicious thing for a login form at your bank's website.

We wouldn't ban a request only because it is sent with curl. There is a set of
different factors and statistics that are taken into account. E.g. if you
run these requests too quickly and they are sent with curl, it can be considered
malicious activity.

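As an added example (not Wallarm's code and not part of this thread): a toy profiler that implements the approach hkr_mag describes, judging the same injection-shaped value by what each endpoint parameter normally carries and by per-client request rate. The EndpointProfiler class, its thresholds and the sample traffic are all constructed assumptions.

```python
import re
from collections import defaultdict

# Crude injection-shaped value detector, standing in for a real signature set.
INJECTION = re.compile(r"'\s*(or|and)\s+[^=]+=|union\s+select|;\s*drop\s+table", re.I)

class EndpointProfiler:
    """Judges a value against what this (endpoint, parameter) normally carries,
    then applies a per-client rate factor. Hypothetical class, constructed here."""

    def __init__(self, min_samples=10, max_rate=5):
        self.total = defaultdict(int)         # (endpoint, param) -> values seen
        self.injectionish = defaultdict(int)  # (endpoint, param) -> values matching INJECTION
        self.rate = defaultdict(int)          # client -> requests in the current window
        self.min_samples, self.max_rate = min_samples, max_rate

    def learn(self, endpoint, param, value):
        key = (endpoint, param)
        self.total[key] += 1
        if INJECTION.search(value):
            self.injectionish[key] += 1

    def classify(self, client, endpoint, param, value):
        """Return 'normal', 'attack' or 'unprofiled' for one request."""
        self.rate[client] += 1
        if self.rate[client] > self.max_rate:
            return "attack"            # too many requests in the window, whatever the payload
        key = (endpoint, param)
        if self.total[key] < self.min_samples:
            return "unprofiled"        # no baseline yet: do not block on guesswork
        if not INJECTION.search(value):
            return "normal"
        # Injection-shaped value: normal only where the baseline regularly carries such values.
        share = self.injectionish[key] / self.total[key]
        return "normal" if share >= 0.05 else "attack"

def demo():
    """Constructed baseline: Q&A post bodies often quote payloads; login usernames never do."""
    p = EndpointProfiler()
    for i in range(20):
        p.learn("/questions/post", "body", "how do I block ' or 1=1 -- in my app?")
        p.learn("/questions/post", "body", f"plain text number {i}")
        p.learn("/login", "username", f"user{i}")
    return {
        "qa_body": p.classify("c1", "/questions/post", "body", "try ' or 1=1 --"),
        "login_user": p.classify("c2", "/login", "username", "' or 1=1 --"),
        "new_endpoint": p.classify("c3", "/export", "fmt", "' or 1=1 --"),
        "burst": [p.classify("c4", "/login", "username", "alice") for _ in range(7)][-1],
    }
```

The "unprofiled" outcome is what keeps a brand-new endpoint from producing the false positives daveloyall asks about; a real deployment would log it rather than block.
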
~~~
XMPPwocky
So I can CSRF the bank site with a SQLi in the login form, and ban anybody who
clicks my link?

------
mpivtora
Very impressive stuff, way to go guys!

~~~
hkr_mag
Thanks!

