
Response Filter Denial of Service: shut down a website by triggering WAF rule

95 points by albinowax_ about 1 year ago

9 comments

corytheboyd, 12 months ago
I've been working with WAF rules from OWASP ModSecurity recently and I'm honestly a little worried about it. It seems geared towards "securing" the world's worst PHP app, but any reasonably good framework and infrastructure will weed out most of what these rules seem to be there to protect against, leading to silly false positives that become a whole lot less silly when it's Big Customer whose requests are blocked. What do I know though, I'm just the guy who was told we need this. This isn't advice against using preconfigured WAF rules, just my honest (and I'm sure naive) first impression.
elevation, 12 months ago
I've seen legitimate ecommerce transactions blocked because WAF rejected the customer's address containing the word "Union" (which is also an SQL keyword.)
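As an added illustration of the false positives elevation describes (example code, not from any commenter and not ModSecurity/CRS rule logic), this runs a naive keyword rule and a clause-shaped rule over a constructed set of legitimate checkout-form values and reports which ones each rule would block. The sample values and both rules are constructed for this example.

```python
import re
from typing import Callable

# Constructed sample of legitimate form-field values of the kind a checkout
# form receives. None of them is an injection attempt, so anything a rule
# blocks here is a false positive.
LEGIT_VALUES = [
    "42 Union Street, Apt 3",
    "Union City, NJ",
    "Select Comfort mattress, queen",
    "Order from the Union Square store",
    "Drop-off at the front desk",
    "Birch Lane 7",
]

# A naive keyword rule of the kind the thread complains about: any
# occurrence of an SQL keyword anywhere in the value is blocked.
NAIVE_KEYWORDS = ("union", "select", "drop", "insert")


def naive_rule(value: str) -> bool:
    """Return True if the naive keyword rule would block this value."""
    low = value.lower()
    return any(kw in low for kw in NAIVE_KEYWORDS)


# A clause-shaped rule (constructed here): the keyword only counts when it
# appears in the shape of an SQL clause, not as an ordinary English word.
SQL_CLAUSE = re.compile(
    r"\bunion\b(\s+all)?\s+select\b|\bdrop\s+table\b|\binsert\s+into\b",
    re.IGNORECASE,
)


def contextual_rule(value: str) -> bool:
    """Return True if the clause-shaped rule would block this value."""
    return SQL_CLAUSE.search(value) is not None


def false_positives(rule: Callable[[str], bool], samples: list[str]) -> list[str]:
    """Legitimate values the rule blocks; useful when tuning a rule set."""
    return [v for v in samples if rule(v)]


def false_positive_rate(rule: Callable[[str], bool], samples: list[str]) -> float:
    """Fraction of legitimate samples the rule blocks."""
    return len(false_positives(rule, samples)) / len(samples)


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("contextual", contextual_rule)):
        print(name, false_positive_rate(rule, LEGIT_VALUES), false_positives(rule, LEGIT_VALUES))
```

Replaying a rule against a corpus of known-good production values in this way, before enforcing it, is how the "Union" address problem gets caught in staging rather than at a customer's checkout.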
blueflow, 12 months ago
Hilarious. I love this.

This is the same kind of "safety measure actually increases attack surface" like antivirus programs.
zazazache, 12 months ago
Personally I feel a bit insulted that security can mandate a "tool" like this to "prevent" SQL injections. Just because they are clowns doesn't mean that we are.

Sorry users, the string "a > b" is not allowed any more. But fear not, "å > b" works just fine.
lgats, 12 months ago
Cloudflare firewall rule that I think will help protect against this:

    (not http.request.uri.path contains "." and any(http.request.headers["content-range"][*] contains "bytes"))

My dynamic pages shouldn't contain any . (extension), so if a request contains content-range: *bytes*, we challenge the request.

You may have to modify for your needs.
m463, 12 months ago
WAF = Web Application Firewall
strongpigeon, 12 months ago
This is pretty clever. Nice work! Really illustrates how WAFs are extremely blunt tools.
klabb3, 12 months ago
The attacker would also have to bypass the WAF while posting the trigger string, so perhaps it's not trivial. Still, the whole design of these heuristic WAFs feels quite weak.
actionfromafar, 12 months ago
It would seem Little Bobby Tables¹ now has a cousin, Denny DeDOS.

I have worked with such filters at some point earlier in life and had completely forgotten about them. This article brought back weird memories. It seemed like a good idea at the time. I think.

1: xkcd://327