Not sure that I can help with your question, but I can strongly recommend that you put a WAF in front of every website published to the internet.
If someone creates a bogus reply to your web site, sending 500 text characters instead of the five digits that you are expecting for a US postal zipcode:
The answer to all three are probably "I don't know and I don't want to find out by surprise."
WAF is the defense that saves you from these types of attacks.
Test your WAF configuration to ensure it is locked down as tightly as possible without breaking something. In case you have not seen this elsewhere my process is:
Then I suggest that you declare success and move on to a different problem.
Excellent suggestions, Doug - thanks!
Your final point is excellent advice. I've had two clients get bogged down in getting WAF going. In both cases, it was because Marketing had higher priority than Security when it came to getting changes made by the web developer. Using your approach at least would have gotten them some protection. Some false-positives are harmless, but I think I'd get a list of some of the disabled rules to someone that could get the developer to change the code so that that protection could be enabled.
Cheers - Bob
I have configured at least 5 different waf sites, and had to use different protection settings for each one. Some sites have been unable to use rigid filtering at all. I dont think form signing or cookie signing have ever worked for me. It has been a trial and error process each time. During the sales cycle, I came to expect WAF to be fully automatic, but that has not been my experience, and support has always acted as if trial-and-error is normal. Nothing was ever escalated to development.
To ensure trusted traffic, I configure WAF on an internal IP addtess, then edit my Hosts file to point a test pc at the waf site. I can use live log (on a second PC) to capture the traffic as it occurs, or download the logs after the fact.
Good information again, Doug.
When I said "developers," I was talking about the people coding the website behind WAF, not the Sophos devs.
Cheers - Bob
Good information again, Doug.
When I said "developers," I was talking about the people coding the website behind WAF, not the Sophos devs.
Cheers - Bob