from Hacker News

Response Filter Denial of Service: shut down a website by triggering WAF rule

by albinowax_ on 5/21/24, 7:04 AM with 26 comments

  • by corytheboyd on 5/24/24, 8:38 PM

    I’ve been working with WAF rules from OWASP ModSecurity recently and I’m honestly a little worried about it. It seems geared towards “securing” the world’s worst PHP app, but any reasonably good framework and infrastructure will weed out most of what these rules seem to be there to protect against, leading to silly false positives that become a whole lot less silly when it’s Big Customer whose requests are blocked. What do I know though, I’m just the guy who was told we need this. This isn’t advice against using preconfigured WAF rules, just my honest (and I’m sure naive) first impression.

  • by elevation on 5/24/24, 7:29 PM

    I've seen legitimate ecommerce transactions blocked because WAF rejected the customer's address containing the word "Union" (which is also an SQL keyword.)

  • by blueflow on 5/24/24, 1:52 PM

    Hilarious. I love this.

    This is the same kind of "safety measure actually increases attack surface" like antivirus programs.

  • by zazazache on 5/24/24, 9:19 PM

    Personally I feel a bit insulted that security can mandate a “tool” like this to “prevent” sql injections. Just because they are clowns doesn’t mean that we are.

    Sorry users, the string “a > b” is not allowed any more. But fear not, “å > b” works just fine.

  • by lgats on 5/24/24, 7:48 PM

    Cloudflare firewall rule that I think will help protect against this:

       (not http.request.uri.path contains "." and any(http.request.headers["content-range"][*] contains "bytes"))
    
    my dynamic pages shouldn't contain any . (extension) so if a request contains content-range: bytes*, we challenge the request.

    you may have to modify for your needs
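
    The rule above restated as Python, so it can be unit-tested or dropped in front of a WSGI app. This is an added example, not lgats's code or anything from Cloudflare; it assumes the same trigger (a Content-Range header containing "bytes" on a URI path with no "."), inspects only the path and not the query string as `http.request.uri.path` does, and answers with a 403 where Cloudflare would serve an interactive challenge, which plain WSGI cannot issue.

```python
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

HeaderList = List[Tuple[str, str]]  # (name, value) pairs; a name may repeat


def header_values(headers: Iterable[Tuple[str, str]], name: str) -> List[str]:
    """All values of `name`; header names are case-insensitive in HTTP."""
    wanted = name.lower()
    return [value for key, value in headers if key.lower() == wanted]


def should_challenge(url: str, headers: Iterable[Tuple[str, str]]) -> bool:
    """Python equivalent of the Cloudflare expression quoted in the comment above.

    Only the path is inspected (like http.request.uri.path), so a '.' in the
    query string does not count as an extension.  Cloudflare's `contains` is
    case-sensitive, so the substring test here is too.  The any(...) over every
    repeated Content-Range header mirrors the [*] wildcard in the rule.
    """
    path = urlsplit(url).path
    if "." in path:  # looks like a static asset with an extension: leave it alone
        return False
    return any("bytes" in value for value in header_values(headers, "content-range"))


def wsgi_headers(environ: dict) -> HeaderList:
    """Recover request headers from a WSGI environ (HTTP_CONTENT_RANGE -> content-range)."""
    return [(key[5:].replace("_", "-").lower(), value)
            for key, value in environ.items() if key.startswith("HTTP_")]


def challenge_middleware(app: Callable) -> Callable:
    """Stop matching requests with a 403 before they reach the application."""
    def wrapped(environ, start_response):
        if should_challenge(environ.get("PATH_INFO", "/"), wsgi_headers(environ)):
            body = b"request blocked: Content-Range on a dynamic page\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def run_wsgi(app: Callable, environ: dict) -> Tuple[str, bytes]:
    """Minimal in-process WSGI driver for testing: returns (status line, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def hello_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


# Constructed sample requests (not real traffic), as WSGI environ dicts.
SAMPLE_REQUESTS = {
    "dynamic page + Content-Range":   {"PATH_INFO": "/account/orders", "HTTP_CONTENT_RANGE": "bytes 0-99/200"},
    "static asset + Content-Range":   {"PATH_INFO": "/static/app.js",  "HTTP_CONTENT_RANGE": "bytes 0-99/200"},
    "dynamic page, no Content-Range": {"PATH_INFO": "/account/orders", "HTTP_USER_AGENT": "curl/8.0"},
}

if __name__ == "__main__":
    app = challenge_middleware(hello_app)
    for label, environ in SAMPLE_REQUESTS.items():
        status, _ = run_wsgi(app, environ)
        print(f"{label:32s} -> {status}")
```

    As with the original rule, the "no dot means dynamic page" heuristic is the part to adapt: a site that serves dynamic content under paths like `/report.pdf` would need a different test for what counts as a static asset.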

  • by m463 on 5/24/24, 6:41 PM

    WAF = Web Application Firewall

  • by strongpigeon on 5/24/24, 7:03 PM

    This is pretty clever. Nice work! Really illustrates how WAFs are extremely blunt tools.

  • by klabb3 on 5/24/24, 4:32 PM

    The attacker would also have to bypass the WAF while posting the trigger string, so perhaps it’s not trivial. Still, the whole design of these heuristic WAFs feels quite weak.

  • by actionfromafar on 5/24/24, 3:03 PM

    It would seem Little Bobby Tables¹ now has a cousin, Denny DeDOS.

    I have worked with such filters at some point earlier in life and had completely forgotten about them. This article brought back weird memories. It seemed like a good idea at the time. I think.

    1: xkcd://327