Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • WOOT '12 Home
  • Organizers
  • Registration Information
  • Registration Discounts
  • Workshop Program
  • Co-located Workshops
  • Sponsors
  • Students
  • Help Promote
  • For Participants
  • Call for Papers
  • Past Workshops

sponsors

Bronze Sponsor
General Sponsor

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » WAFFle: Fingerprinting Filter Rules of Web Application Firewalls
Tweet

connect with us

http://twitter.com/usenix
https://www.facebook.com/events/385528201466018/

WAFFle: Fingerprinting Filter Rules of Web Application Firewalls

Authors: 

 Isabell Schmitt and Sebastian Schinzel, University of Erlangen-Nuremberg

Abstract: 

Web Application Firewalls (WAFs) are used to detect and block attacks against vulnerable web applications. They distinguish benign requests from rogue requests using a set of filter rules. We present a new timing side channel attack that an attacker can use to remotely distinguish passed requests from requests that the WAF blocked. The attack works also for transparent WAFs that do not leave any trace in responses. The attacker can either conduct our attack directly or indirectly by using Cross Site Request Forgeries (CSRF). The latter allows the attacker to get the results of the attack while hiding his identity and to circumvent any practical brute-force prevention mechanism in the WAF. By learning which requests the WAF blocks and which it passes to the application, the attacker can craft targeted attacks that use any existing loopholes in the WAF’s filter rule set. We implemented this attack in the WAFFle tool and ran tests over the Internet against ModSecurity and PHPIDS. The results show that WAFFle correctly distinguished passed requests from blocked requests in more than 95 % of all requests just by measuring a single request.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {179507,
title = {{WAFFle}: Fingerprinting Filter Rules of Web Application Firewalls},
booktitle = {6th USENIX Workshop on Offensive Technologies (WOOT 12)},
year = {2012},
address = {Bellevue, WA},
url = {https://www.usenix.org/conference/woot12/workshop-program/presentation/Schmitt},
publisher = {USENIX Association},
month = aug
}
Download
Schmitt.pdf
View the slides

Presentation Video

Presentation Audio

MP3 Download OGG Download

Download Audio

  • Log in or    Register to post comments

Bronze Sponsors

General Sponsors

© USENIX

  • Privacy Policy
  • Contact Us