Abstract—Web Application Firewalls (WAFs) are used to detect
and block attacks against vulnerable web applications. They
distinguish benign requests from rogue requests using a set of
filter rules. We present a new timing side channel attack that
an attacker can use to remotely distinguish passed requests
from requests that the WAF blocked. The attack works also
for transparent WAFs that do not leave any trace in responses.
The attacker can either conduct our attack directly or indirectly
by using Cross Site Request Forgeries (CSRF). The latter allows
the attacker to get the results of the attack while hiding his
identity and to circumvent any practical brute-force prevention
mechanism in the WAF. By learning which requests the WAF
blocks and which it passes to the application, the attacker can
craft targeted attacks that use any existing loopholes in the WAF’s
filter rule set. We implemented this attack in the WAFFle tool and
ran tests over the Internet against ModSecurity and PHPIDS. The
results show that WAFFle correctly distinguished passed requests
from blocked requests in more than 95 % of all requests just by
measuring a single request.
and block attacks against vulnerable web applications. They
distinguish benign requests from rogue requests using a set of
filter rules. We present a new timing side channel attack that
an attacker can use to remotely distinguish passed requests
from requests that the WAF blocked. The attack works also
for transparent WAFs that do not leave any trace in responses.
The attacker can either conduct our attack directly or indirectly
by using Cross Site Request Forgeries (CSRF). The latter allows
the attacker to get the results of the attack while hiding his
identity and to circumvent any practical brute-force prevention
mechanism in the WAF. By learning which requests the WAF
blocks and which it passes to the application, the attacker can
craft targeted attacks that use any existing loopholes in the WAF’s
filter rule set. We implemented this attack in the WAFFle tool and
ran tests over the Internet against ModSecurity and PHPIDS. The
results show that WAFFle correctly distinguished passed requests
from blocked requests in more than 95 % of all requests just by
measuring a single request.
read more...........https://www.usenix.org/system/files/conference/woot12/woot12-final2.pdf