cronix Posted October 4, 2012 Report Share Posted October 4, 2012 The Most common Web Application Vulnerabilities:* SQL Injection(SQLi)* Cross-Site Scripting (XSS)* Broken Authentication and Session Management* Insecure Direct Object References* Cross-Site Request Forgery (CSRF)* Security Misconfiguration* Insecure Cryptographic Storage* Failure to Restrict URL Access* Insufficient Transport Layer Protection* Unvalidated Redirects and ForwardsThe Web Application Firewall(WAF) must meat the following features:* Protection Against Top Vulnerability(XSS,SQLi,..etc)* Very Few False Positives (i.e., should NEVER disallow an authorized request)* Strength of Default (Out of the Box) Defenses* Power and Ease of Learn Mode* Types of Vulnerabilities it can prevent.* Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers.* Both Positive and Negative Security model support.* Simplified and Intuitive User Interface.* Cluster mode support.* High Performance (milliseconds latency).* Complete Alerting, Forensics, Reporting capabilities.* Web Services\XML support.* Brute Force protection.* Ability to Active (block and log), Passive (log only) and bypass the web trafic.* Ability to keep individual users constrained to exactly what they have seen in the current session* Ability to be configured to prevent ANY specific problem (i.e., Emergency Patches)* Form Factor: Software vs. Hardware (Hardware generally preferred)Top 10 Open Source Web Application Firefwall(WAF):1. ModSecurity (Trustwave SpiderLabs) ModSecurity: Open Source Web Application Firewall2. AQTRONIX WebKnight AQTRONIX3. ESAPI WAF https://www.owasp.org/index.php/The_ESAPI_Web_Application_Firewall_%28ESAPI_WAF%294. WebCastellum WebCastellum - Open Source Web Application Firewall5. BinarySec BinarySEC for Apache download - BinarySEC for Apache 2.3 - IceWalkers.com6. GuardianJUMPERZ.NET J U M P E R Z . N E T - Home7. OpenWAF openWAF - open source distributed web application firewall8. Ironbee https://www.ironbee.com/9. Profense ZION SECURITY 10. Smoothwall Smoothwall | Dynamic Web Content Filter | HTTPS & Mobile Filtering | Firewall | Anti-malwareSursa: Ethical Hacking Tutorials |Penetration Testing Lab | Learn How to Hack |Free Hacking ToolsConcept de functionare si instructiuni de instalare pentru 2,3 dintre aplicatii: http://www.ipa.go.jp/security/vuln/documents/waf_en.pdf Quote Link to comment Share on other sites More sharing options...
