- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Tue, 31 Jul 2012 19:24:12 -0500
- To: Willy Tarreau <w@1wt.eu>
- Cc: ietf-http-wg@w3.org
On Tue, Jul 31, 2012 at 12:36 PM, Willy Tarreau <w@1wt.eu> wrote:

> Hi,
>
> Ivan Ristic recently presented a wide collection of methods to bypass
> web application firewalls using implementation differences in HTTP
> stacks:
>
> https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
>
> While some of them have already been discussed to great extents, including
> here, I think it's worth a read and reminds us that we really need to
> address the ambiguities of request encoding if we want to make the web
> safer.

What do you have in mind?

The problem is that implementations tend to be liberal in accepting inputs. That is mostly due to laziness; being strict is harder. As long as an input can be mapped to an acceptable value, no harm is done to the internal state, so there's no incentive for implementations to reject illegal inputs. This is the reality, no matter how sternly the spec emphasizes the MUST NOTs.

Zhong Yu
Received on Wednesday, 1 August 2012 00:24:41 UTC
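The "liberal versus strict" point above is easiest to see with two header parsers side by side. The following is an added illustration, not code from this thread or from any of the HTTP stacks it refers to: a lenient parser that maps whatever it can to a usable value (trimming whitespace around the field name, accepting a bare LF line ending, letting a later duplicate overwrite an earlier one) next to a strict parser that follows the RFC 7230 grammar and raises on anything outside it. The function names and the sample header blocks are constructed for the example.

```python
import re

# RFC 7230 "token" characters: the only characters a header field-name may contain.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    """Raised by the strict parser for input outside the header grammar."""


def parse_headers_lenient(raw: bytes) -> dict:
    """Liberal parser: if a line can be mapped to a name/value pair, it is.

    Whitespace around the name is trimmed, a bare LF is treated like CRLF,
    lines without ':' are silently dropped and a later duplicate field
    overwrites an earlier one. Nothing is ever rejected.
    """
    headers = {}
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        if not line or b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def parse_headers_strict(raw: bytes) -> dict:
    """Strict parser: reject instead of guessing.

    Each field line must end in CRLF, contain no bare CR or LF, have a
    field-name made only of token characters (so no whitespace before the
    colon and no obsolete line folding), and duplicates are combined with
    ", " as RFC 7230 section 3.2.2 describes rather than silently replaced.
    """
    if not raw.endswith(b"\r\n"):
        raise MalformedHeader("header block must end with CRLF")
    headers = {}
    for line in raw[:-2].split(b"\r\n"):
        if b"\r" in line or b"\n" in line:
            raise MalformedHeader("bare CR or LF inside a field line")
        if b":" not in line:
            raise MalformedHeader("field line without ':'")
        name, value = line.split(b":", 1)
        try:
            name_s = name.decode("ascii")
        except UnicodeDecodeError:
            raise MalformedHeader("non-ASCII field name")
        if not TCHAR.match(name_s):
            raise MalformedHeader(f"illegal field name {name!r}")
        key = name_s.lower()
        text = value.strip(b" \t").decode("latin-1")
        headers[key] = f"{headers[key]}, {text}" if key in headers else text
    return headers


def strict_rejects(raw: bytes) -> bool:
    """True when the strict parser refuses an input the lenient one would accept."""
    try:
        parse_headers_strict(raw)
    except MalformedHeader:
        return True
    return False


# Constructed sample header blocks (not taken from any real traffic).
WELL_FORMED = b"Host: example.test\r\nContent-Type: text/plain\r\n"
SPACE_IN_NAME = b"Host : example.test\r\n"      # space is not a token character
BARE_LF = b"Host: example.test\n"               # missing CR
DUPLICATE = b"Accept: text/html\r\nAccept: text/plain\r\n"

if __name__ == "__main__":
    for label, block in [("well-formed", WELL_FORMED), ("space in name", SPACE_IN_NAME),
                         ("bare LF", BARE_LF), ("duplicate", DUPLICATE)]:
        lenient = parse_headers_lenient(block)
        strict = "REJECTED" if strict_rejects(block) else parse_headers_strict(block)
        print(f"{label:14} lenient={lenient}  strict={strict}")
```

The lenient parser produces the same `{"host": "example.test"}` for the well-formed block, the block with a space before the colon and the block with a bare LF; the strict one accepts only the first. Two stacks that sit in the same request path but fall on different sides of that choice see different requests, which is exactly the implementation difference the Qualys write-up relies on and the reason Zhong Yu's observation about incentives matters for anyone deploying an inspecting intermediary.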