Collaborate Disseminate
We have 3rd-Party CDN in front of Financial/Banking APIs which involves sensitive data, login, access token, cookies, etc.
We would like to leverage WAF and SSL Inspection capability of CDN. This requires SSL Offloading at CDN.
How to avoi… Continue reading 3rd-Party CDN SSL Inspection for Financial/Banking API Traffics
In a layered enterprise security architecture with a Web Application Firewall (WAF) deployed in the DMZ, should there be shared responsibility between the WAF and application layer/ microservices for mitigations the WAF supports, specifica… Continue reading WAF vs. Application Layer for Bot Mitigation
I have a legacy non-commercial (in-house) application that is distributed over several workstations on a private VLAN. I have to make it conform to some cybersecurity standards, but can barely modify it. For most of the needs, I can add a … Continue reading How to add accounts management to a legacy blackbox application?
We’re doing a PoC on a new API Security/WAF tool, and we’re planning to place this solution out-of-ban rather than inline. So traffic wont go through the solution and we’ll send the mirrored traffic to analyze in the new solution.
My quest… Continue reading Can API Security/WAF tools decrypt "mirrored" traffic?
I am working to bypass this WAF, but I have some problems.
$args_arr=array(
‘sql’=>"[^\\{\\s]{1}(\\s|\\b)+(?:select\\b|update\\b|insert(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+into\\b).+?(?:from\\b|set\\b)|[^\\{\\s]{1}(\\s|\\… Continue reading Problem bypassing a PHP WAF for SQLi
I have setup installed mod security module for apache in ubuntu 22.04, using.
sudo apt-get install libapache2-mod-security2
sudo a2enmod security2
sudo systemctl restart apache2
This installs security module version 2.9.5 with core rule s… Continue reading How to enable ModSecurity to actually block/deny malicious requests? [migrated]
I’m new to modsecurity topic so maybe my question is stupid but…
I have setup modsecurity on my new nginx/1.24.0 server with default set of recommended rules: coreruleset-3.3.0 and since then my POST XHR request is being blocked.
This is… Continue reading Modsecurity blocks blocks my legit XHR POST request (403 forbidden)
Problem
Users in my application are being blocked (by the AWS WAF) from uploading files with certain names. In the specific case I am trying to solve, the problematic string is .* System (.*).*.
Background
The block is coming from the PHPH… Continue reading How dangerous is disabling PHPHighRiskMethodsVariables_BODY from the AWS ACLs?
My SaaS company recently lost the bid for an enterprise software licensing deal.
One of the reasons the prospect gave for not choosing us as a vendor was:
the use of a WAF
I’m not an information security specialist, so I’m confused as to… Continue reading What’s wrong with the use of a WAF (Web Application Firewall)?
I have ModSecurity v2 on apache with CRS v3.
Requests containing header accept-charset are blocked on paranoia level 1, I read this great discussion about the header and that on CRS v4 will be allowed by default.
How can I write an exclusi… Continue reading ModSecurity CRS, allow header `accept-charset`