![Default self created cybersecurity insiders image low res](https://www.cybersecurity-insiders.com/wp-content/uploads/Default-self-created-cybersecurity-insiders-image-low-res-696x397.jpg)
![Default self created cybersecurity insiders image low res](https://www.cybersecurity-insiders.com/wp-content/uploads/Default-self-created-cybersecurity-insiders-image-low-res-696x397.jpg)
This post was originally published here by ZAID AL HAMAMI.
In aĀ previous blog postĀ I talked about the Struts CVE (CVE-2017-5638) thatās affecting much of the Java Web App world these days. A security engineer at IMMUNIOĀ provided his technical perspectiveĀ as well.
My argument was that we see this type of event all the time. Code written, with vulnerabilities in it for years. Then we have to rush to fix it immediately. Meanwhile, we have no idea if any damage has occurred. As is quite common in the security vendor world, vendors rush to tell you that theyāve provided a new āruleā to prevent the exploitation. Unfortunately, as is the case with any blacklisting or pattern matching based technology, very rarely do you get it right the first, second, or third time.
Within a day or two,Ā bypassesĀ were disclosed to various vendors, some added new rules for those bypasses, some still havenāt. We actually figured out some more since then.
Well, now thereāsĀ another way to exploit the same vulnerability, that is not detectable by any rule or any WAF (to the best of our knowledge).
This time however, it wonāt be so easy for WAFās to effectively secure against these exploits. The technical reason lies in the fact that the malicious payloads will reside in the body part of large multipart requests. If you have enough sites behind a WAF, enabling inspection on these will result in quite a bit of strain on the WAF (which translates to fail open or delay, depending on the vendor). Furthermore, there will be False Positives.
This is yet another example of why WAFās are not effective Application layer protection technologies. Next generation approaches, such as security instrumentation, and RASP in particular, are much more adept at handling these types of issues. There is no pattern matching involved. It does deal with the variant case as well. Our approach profiles your application. It understands its execution. It knows what commands should and should be allowed to execute. And it can show you all of that.
Photo:Lifehacker