WAFs are usually viewed as relatively useless as they waste time on dumb attacks (specifically blacklisting) that harm more than they help. Only the stupidest attacks can be caught using WAFs, and they are more likely to block legitimate traffic than to help with security.

The idea is similar to using blacklists in filter functions in XSS or SQL protection mechanisms. In theory they could block all malicious input, but in practice they're poorly written and poorly configured crap that acts as more security theatre than anything else. The proper approach is to use context-sensitive whitelists for all client input, not add on layers of what is essentially protocol grep.

And do you really think that's a feasible expectation for the typical shared hosting client -- a business owner with little tech experience who doesn't have the money to hire an actual good developer? The person who doesn't even know that they don't know good developers from bad developers?

>"The proper approach is to use context-sensitive whitelists for all client input, not add on layers of what is essentially protocol grep." It's regex for HTTP requests / responses. Literally, that's all it does.

>"WAFs are usually viewed as relatively useless as they waste time on dumb attacks (specifically blacklisting) that harms more than it helps." By whom? References? As I mentioned above, we use WAFs and they help a lot with stupid attacks, because stupid attacks are what most of the attacks are: automated attack crap running on botnets to put up phishing pages on easy targets.
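The two comments above disagree about blacklist "protocol grep" rules versus context-sensitive whitelists. The following example, added here and not posted by either commenter, puts both side by side on constructed sample inputs: a toy blacklist signature set that matches attack-looking keywords regardless of which field they appear in, and a per-field allowlist that describes what each field is allowed to look like. The rule names, field names and sample values are all made up for illustration. It shows the two failure modes the thread argues about: the blacklist blocks a harmless comment because it contains the word "select", and it passes a malformed quantity because nothing in it looks like an attack, whereas the allowlist judges each value by its field's contract rather than by resemblance to known payloads.

```python
import re
from typing import Optional

# Constructed "protocol grep" style blacklist: generic signatures applied to
# every request field, with no knowledge of what the field is for.
BLACKLIST_RULES = [
    ("sqli-keywords", re.compile(r"\b(select|union|drop|insert)\b", re.IGNORECASE)),
    ("xss-tag", re.compile(r"<\s*script", re.IGNORECASE)),
]

# Constructed context-sensitive allowlist: one definition of "valid" per field.
# Free text (comment) gets a structural allowlist (character class + length);
# the page's point is that the shape of legitimate input, not a list of bad
# strings, is what the validator should encode.
ALLOWLIST = {
    "username": re.compile(r"[a-z0-9_]{3,32}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),      # 1..9999
    "zipcode": re.compile(r"[0-9]{5}"),
    "comment": re.compile(r"[\w .,!?'-]{1,200}"),
}


def blacklist_waf(field: str, value: str) -> Optional[str]:
    """Return the name of the first blacklist rule that fires, or None.

    The field name is ignored on purpose: that is how a generic signature
    rule set behaves."""
    for name, pattern in BLACKLIST_RULES:
        if pattern.search(value):
            return name
    return None


def allowlist_validate(field: str, value: str) -> bool:
    """Accept the value only if it fully matches its field's allowed shape.

    Unknown fields are rejected: anything not explicitly described is out."""
    pattern = ALLOWLIST.get(field)
    if pattern is None:
        return False
    return pattern.fullmatch(value) is not None


# Constructed sample request fields. None of these is an exploit; the point
# is how each approach classifies ordinary and malformed input.
SAMPLES = [
    ("username", "alice_01"),
    ("zipcode", "94110"),
    ("comment", "Please select the union option on checkout"),
    ("quantity", "-1"),
    ("quantity", "12abc"),
    ("quantity", "99999999"),
    ("unexpected_param", "anything"),
]


def compare(samples=SAMPLES):
    """Run every sample through both approaches and return the verdicts."""
    results = []
    for field, value in samples:
        results.append({
            "field": field,
            "value": value,
            "blacklist_blocked_by": blacklist_waf(field, value),
            "allowlist_accepts": allowlist_validate(field, value),
        })
    return results


def false_positives(results=None):
    """Inputs the allowlist deems valid but the blacklist would have blocked."""
    results = results if results is not None else compare()
    return [r for r in results if r["allowlist_accepts"] and r["blacklist_blocked_by"]]


def blacklist_misses(results=None):
    """Inputs the allowlist rejects that the blacklist saw nothing wrong with."""
    results = results if results is not None else compare()
    return [r for r in results if not r["allowlist_accepts"] and r["blacklist_blocked_by"] is None]


if __name__ == "__main__":
    for r in compare():
        print(f"{r['field']:>16} = {r['value']!r:45} "
              f"blacklist: {r['blacklist_blocked_by'] or 'pass':14} "
              f"allowlist: {'accept' if r['allowlist_accepts'] else 'reject'}")
```

The comment field is the interesting case for a regex allowlist: a structural allowlist on free text limits length and character set, but it does not make the text safe to concatenate into SQL or HTML; that still requires parameterized queries and output encoding at the point of use, which is what "context-sensitive" refers to.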
