
The solution is to throw out your WAF.



WAF has its purpose but it's clearly not a silver bullet. Nothing is.


WAF is brittle and breaks more than it fixes IMO. It's just regex against URLs in 99% of cases. If you think you need one, you need to fix the app code; there will be more vulnerabilities it doesn't block.


WAF provides a lot of other things, such as IP-based filtering.


If it's so easily circumvented I wonder if it's worth the costs.


Disagree. This just reinforces the point that best security is multi-layered.


That's an apology every crappy security add-on has always made. We shouldn't be happy about applying layer after layer of faulty controls, let alone applauding that as some kind of defense-in-depth best practice.


WAFs are basically all HTTP proxies. If your app has a non-broken HTTP implementation they're useless.


Yup, WAFs, IDS and IPS prevent protocol abuse. Everything else is the development team's problem.


Possible solutions:

(1) Change all underscores in WAF rule URL attribute names to the appropriate non-greedy regex. Though I'm not sure about the regex the article suggests: '.' only matches one character, AFAIU.

(2) Add a config parameter to PHP that turns off the magical URL parameter name mangling that no webapp should ever depend on (and have it default to off, because if you rely on this 'feature' you should have to change a setting in php.ini anyway).
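An added example for option (1) above, not part of the comment or of any WAF product: it builds a rule-name pattern in which each underscore becomes an explicit character class instead of a bare `.`, so the rule covers the raw names PHP would fold onto the same variable without matching unrelated ones. It assumes PHP rewrites a space, a dot or an unmatched `[` in a name to `_`; the function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption (not stated on this page): PHP rewrites a space, a dot, or an
# unmatched "[" in a request parameter name to "_" before the app sees it.
FOLDED = r"[_. \[]"


def rule_name_pattern(php_name: str) -> re.Pattern:
    """Compile a pattern for the raw names PHP would register as php_name.

    Each "_" in the rule's name becomes the explicit class above. A bare "."
    would also match any other single character (e.g. "userXid").
    """
    literal_parts = [re.escape(part) for part in php_name.split("_")]
    return re.compile(FOLDED.join(literal_parts))


def params_for_rule(query_string: str, php_name: str) -> list:
    """Return the decoded (name, value) pairs a rule on php_name must inspect."""
    pattern = rule_name_pattern(php_name)
    # parse_qsl percent-decodes names and turns "+" into a space, so the
    # pattern is compared against the decoded form of each name.
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return [(name, value) for name, value in pairs if pattern.fullmatch(name)]


# Constructed sample query strings for a rule written against "user_id".
SAMPLES = [
    "user_id=1",    # canonical spelling
    "user.id=1",    # dot is folded to "_"
    "user+id=1",    # "+" decodes to a space, which is folded to "_"
    "user%5Bid=1",  # unmatched "[" is folded to "_"
    "userXid=1",    # different parameter: must not be inspected
    "user[id]=1",   # balanced brackets: array "user", not "user_id"
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:16} -> {params_for_rule(qs, 'user_id')}")
```
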



