Hi,

WAF is detected when certain methods are filtered in relayd.

Thanks,
Kihaguru

On Monday, December 9, 2019, Kihaguru Gathura <pqscr...@gmail.com> wrote:
>
> Hi,
> A message from assessors and further tests below.
>
> I have configured relayd to serve a single URL that accepts no parameters. This URL is blocked by relayd with error 403 Forbidden if anything is appended to its end.
> I would expect WAF detection in such a test case but this has not happened.
> What other means are malicious payloads being delivered in this case?
>
> Thanks and regards,
> Kihaguru
>
> ----------------------------------------------------------------------------------------------------------------------------
>
> # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
> #
> # Relay and protocol
> #
> http protocol httpp {
>         return error
>         match response header remove "Server"
>
>         pass
>         block quick path "/cgi-bin/index.cgi" value "*command=*"
>         pass quick path "/net/index.html" value ""
>         block
> }
>
> relay httpr {
>         # Listen on localhost, accept diverted connections from pf(4)
>         listen on 127.0.0.1 port 8080
>         protocol httpp
>
>         # Forward to the original target host
>         forward to destination
> }
>
> http protocol httpsp {
>         return error
>         match response header remove "Server"
>
>         pass
>         block quick path "/cgi-bin/index.cgi" value "*command=*"
>         pass quick path "/net/index.html" value ""
>         block
>
>         tls keypair example.net
> }
>
> relay httpsr {
>         # Listen on localhost, accept diverted connections from pf(4)
>         listen on 127.0.0.1 port 8443 tls
>         protocol httpsp
>
>         # Forward to the original target host
>         forward with tls to destination
> }
> ---------------------------------------------------------------------------------------------------------------------------
>
> On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson <s...@spacehopper.org> wrote:
>>
>> On 2019/12/05 00:17, Kihaguru Gathura wrote:
>> >
>> > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura <pqscr...@gmail.com> wrote:
>> > >
>> > > >> Which is a better way to implement a WAF on OpenBSD using the base utilities?
>> > >
>> > > relayd configured in certain ways might be considered as a WAF.
>> >
>> > All methods and all other security headers and path filters are coded in the web
>> > application which had always been detected as a custom WAF until two weeks ago.
>> >
>> > I have now included relayd and a re-test passes all other requirements but does not detect
>> > a WAF (please find sample configurations and test report below).
>> >
>> > Any hint highly appreciated
>>
>> I think you will need to talk to your assessors and ask what they're looking for.
>>
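The closing message says detection happened once "certain methods are filtered in relayd", but the thread never shows what that looks like. The protocol block below is an added example, not the poster's configuration or anything from the thread: it keeps the poster's two path rules and adds relayd's `method` match so that the single document can only be fetched with GET or HEAD. The assumption that the application needs nothing but GET and HEAD on `/net/index.html` is mine; the `relay` blocks and the TLS variant are unchanged from the poster's configuration and are not repeated.

```conf
# Added example: relayd protocol block with request-method filtering.
# Assumption: the application only ever needs GET and HEAD on one path.
http protocol httpp {
        return error
        match response header remove "Server"

        # Rules are evaluated in order and the last match decides, except
        # that a 'quick' match ends evaluation at once.  Default pass
        # here, catch-all block at the bottom.
        pass

        # Poster's rule: reject the command-injection pattern outright.
        block quick path "/cgi-bin/index.cgi" value "*command=*"

        # Method filter: the document may only be fetched with GET or
        # HEAD, and only with an empty query string.  Any other method
        # (POST, PUT, DELETE, TRACE, OPTIONS, ...) or any other path falls
        # through to the final block, and because of 'return error' above
        # relayd itself answers it with 403 Forbidden.
        pass request quick method "GET" path "/net/index.html" value ""
        pass request quick method "HEAD" path "/net/index.html" value ""

        block
}
```

Check it with `relayd -n -f /etc/relayd.conf` before reloading, then confirm from a client that `GET /net/index.html` is served while `TRACE /net/index.html`, `POST /net/index.html` and `GET /net/index.html?x=1` all come back with relayd's 403 page rather than anything from the backend.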