This discussion has been locked.

Has anyone been able to make Form Hardening and Cookie Hardening work?

My understanding of the documentation is that these two features should always be used together, although I noticed that some of the Sophos-supplied Firewall Profiles use only one of them.

My expectation (during the sales cycle and after reading the documentation) was that these features would ALWAYS be transparent to the real webserver, and that as a result they would ALWAYS work. My experience is that they NEVER work. On a recent test, enabling these features in MONITOR mode was enough to break the application.

If anyone has been successful with these features, can you offer any advice? Or has everyone had the same results as I have?



This thread was automatically locked due to age.
  • To elaborate on how I thought it was supposed to work, in pseudocode:

    • Real webserver sends one cookie, which is intercepted by UTM:
      • server="www.example.com", cookiename="SecretStuff", cookievalue="Bill loves Susie"
    • UTM sends two cookies:
      • server="www.example.com", cookiename="SecretStuff", cookievalue="Bill loves Susie"
      • server="www.example.com", cookiename="UTM$Signaturefor_SecretStuff", cookievalue="AQB3&699bbb"

    UTM may ask for the signature cookie if hardening is enabled. Whether hardening is enabled or not, UTM should detect and remove any signature cookies before passing the cookie list to the real webserver.

    Form Hardening should work in roughly the same way: UTM adds hidden fields with signature information, and removes those hidden fields when the data is returned.

    So how can these features break a real webserver using data that the real webserver never sees?

    How can there ever be a form signature verification problem, other than when a client constructs a deliberately malicious form submission?

  • DouglasFoster said:
    How can there ever be a form signature verification problem, other than when a client constructs a deliberately malicious form submission?

    JavaScript for example. When JavaScript modifies a form request or adds new cookies, then for WAF that's indistinguishable from a maliciously tampered request.

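As an added example (not code from this thread, nor from Sophos), here is the cookie-signing model the post's pseudocode describes, in Python: the proxy adds an HMAC signature cookie on the way out, verifies and strips it on the way in, and a cookie that client-side JavaScript set arrives with no signature at all, which is exactly the case the reply calls indistinguishable from tampering. The signature cookie name follows the post's pseudocode; the proxy key, the HMAC construction and the monitor/enforce switch are assumptions, not the product's real format.

```python
import hashlib
import hmac

# Signature cookie name pattern taken from the post's pseudocode; the real UTM
# format is not on the page, so treat this as illustrative only.
SIG_PREFIX = "UTM$Signaturefor_"
# Assumed: a secret held only by the proxy and never sent to the client.
PROXY_KEY = b"constructed-demo-key-not-for-production"


def signature(name: str, value: str) -> str:
    """HMAC over name=value, so neither part can be changed independently."""
    return hmac.new(PROXY_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def harden_response(origin_cookies: dict) -> dict:
    """Origin -> client: emit each origin cookie plus a signature cookie for it."""
    out = dict(origin_cookies)
    for name, value in origin_cookies.items():
        out[SIG_PREFIX + name] = signature(name, value)
    return out


def verify_request(client_cookies: dict, enforce: bool):
    """Client -> origin: check each non-signature cookie against its signature,
    strip the signature cookies, and return (cookies_for_origin, violations).
    Monitor mode (enforce=False) forwards everything and only reports;
    enforce mode returns None for the cookies so the caller can block."""
    sigs = {n[len(SIG_PREFIX):]: v for n, v in client_cookies.items() if n.startswith(SIG_PREFIX)}
    forwarded, violations = {}, []
    for name, value in client_cookies.items():
        if name.startswith(SIG_PREFIX):
            continue  # signature cookies never reach the real webserver
        expected = sigs.get(name)
        if expected is None:
            violations.append(f"{name}: no signature cookie (set client-side, e.g. by JavaScript?)")
        elif not hmac.compare_digest(expected, signature(name, value)):
            violations.append(f"{name}: signature mismatch (value changed on the client)")
        forwarded[name] = value
    return (None if enforce and violations else forwarded), violations


def demo():
    """Constructed round trip: the cookie from the post, then one added by client JS."""
    to_client = harden_response({"SecretStuff": "Bill loves Susie"})
    ok, _ = verify_request(to_client, enforce=True)        # untouched: passes, signature stripped
    with_js = dict(to_client, ui_theme="dark")              # cookie added by JavaScript, unsigned
    blocked, why = verify_request(with_js, enforce=True)    # enforce: None, one violation
    monitored, _ = verify_request(with_js, enforce=False)   # monitor: forwarded, violation logged
    return ok, blocked, why, monitored
```

Note that in monitor mode the unsigned cookie is still forwarded, so a break seen in MONITOR mode (as in the original post) would come from the hardening layer itself rather than from blocking.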