
The solution is to throw out your WAF.

WAF has its purpose but it's clearly not a silver bullet. Nothing is.

WAF is brittle and breaks more than it fixes IMO. It's just regex against URLs in 99% of cases. If you think you need one, you need to fix the app code; there will be more vulnerabilities it doesn't block.

WAF provides a lot of other things, such as IP based filtering.

If it's so easily circumvented I wonder if it's worth the costs.

Disagree. This just reinforces the point that best security is multi-layered.

That's an apology every crappy security add-on has always made. We shouldn't be happy about applying layer after layer of faulty controls, let alone applauding that as some kind of defense-in-depth best practice.

WAFs are basically all HTTP proxies. If your app has a non-broken HTTP implementation they're useless.

Yup, WAFs, IDS and IPS prevent protocol abuse. Everything else is the development team's problem.

Possible solutions:

(1) Change all underscores in WAF rule URL attribute names to the appropriate non-greedy regex. Though I'm not sure about the regex the article suggests: '.' only matches one character, AFAIU.

(2) Add a config parameter to PHP that turns off the magical URL parameter name mangling that no webapp should ever depend on (and have it default to off, because if you rely on this 'feature' you should have to change a setting in php.ini anyway).
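As an added example (not from the thread or the article it discusses), a Python emulation of the PHP parameter-name mangling referred to above, used the way a defender would: canonicalize each query-string key the way PHP will before comparing it against a rule list, so a rule written for `user_id` also sees `user.id`. `php_mangle`, `BLOCKED_PARAMS` and the sample queries are constructed here, and the emulation is an approximation of PHP's `php_register_variable_ex` behaviour as I understand it.

```python
from urllib.parse import parse_qsl

# Constructed example: parameter names a rule inspects, written the way
# PHP will expose them in $_GET (underscores, not dots).
BLOCKED_PARAMS = {"user_id", "admin_flag"}


def php_mangle(name: str) -> str:
    """Emulate how PHP rewrites a query-string key before storing it in $_GET.

    Approximation (assumption) of php_register_variable_ex: leading spaces
    are dropped, '.' and ' ' become '_' up to the first '[', and an
    unmatched '[' is itself replaced by '_'.
    """
    name = name.lstrip(" ")
    out = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "[":  # array syntax starts; mangling of the base name stops here
            break
        out.append("_" if c in ". " else c)
        i += 1
    rest = name[i:]
    if rest.startswith("[") and "]" not in rest:
        rest = "_" + rest[1:]  # unmatched bracket becomes an underscore
    return "".join(out) + rest


def naive_hits(query: str) -> set:
    """Rule applied to the raw key: 'user.id' is not recognised as 'user_id'."""
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k in BLOCKED_PARAMS}


def normalized_hits(query: str) -> set:
    """Rule applied to the key PHP will actually see: dotted and spaced
    spellings collapse onto the canonical underscore name."""
    hits = set()
    for k, _ in parse_qsl(query, keep_blank_values=True):
        canonical = php_mangle(k)
        if canonical in BLOCKED_PARAMS:
            hits.add(canonical)
    return hits


if __name__ == "__main__":
    sample = "user.id=1&user%20id=2&x=3"  # constructed request query string
    print("raw-key rule matched:", naive_hits(sample))
    print("PHP-normalized rule matched:", normalized_hits(sample))
```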
